UniFi Threat Landscape Report: January 2025
Monthly analysis of threats targeting UniFi networks including SSH brute force trends, IoT botnet activity, DNS tunneling patterns, and actionable recommendations.
Sentinel Nerd Team
Every month, we analyze anonymized threat data from Sentinel Nerd deployments to identify trends, emerging threats, and actionable recommendations for UniFi administrators. This is our January 2025 report.
Note: All data is aggregated and anonymized. No individual customer data is exposed. Participation in threat intelligence sharing is opt-in.
Executive Summary
January 2025 saw a significant uptick in credential-based attacks across UniFi networks. SSH brute force attempts increased 34% month-over-month, driven primarily by a new botnet variant targeting consumer and small-business routers. IoT-focused attacks also rose, with a 22% increase in attempts to compromise smart home devices on poorly segmented networks.
The good news: organizations using network segmentation and automated response saw 89% fewer successful compromises compared to flat networks with manual monitoring.
Key numbers:
- 12.4 million security events analyzed
- 847,000 alerts generated across all deployments
- 34% increase in SSH brute force attempts
- 22% increase in IoT-targeted attacks
- 3 notable CVEs affecting UniFi environments
Top Threats
1. SSH Brute Force Attacks
SSH brute force remained the #1 threat by volume for the sixth consecutive month. What changed in January:
- New credential lists — Attackers are using updated wordlists that include credentials leaked in recent breaches
- Distributed sources — Attacks now originate from 5-10 IPs simultaneously to evade rate limiting
- Slower pace — Instead of rapid-fire attempts, many attackers space login attempts 30-60 seconds apart to avoid traditional detection
Top source countries for SSH brute force traffic: China (28%), Russia (19%), Brazil (12%), Vietnam (8%), India (7%). Geolocation of a source IP tells you where the attacking host sits (usually a compromised device or a rented VPS), not who operates it.
Recommendation: Require SSH key authentication (disable password login) and add a Sentinel Nerd detection rule that counts distinct sources per target rather than attempts per source. A fail2ban-style per-IP threshold never trips against the pattern above, because each address only tries a few times; the rule below fires once five different sources have failed against the same target inside 15 minutes:

```yaml
id: distributed-ssh-brute-force
name: Distributed SSH Brute Force
description: Detects SSH failures from multiple sources to the same target
severity: high
category: credential-attack
enabled: true
conditions:
  - field: event.type
    operator: equals
    value: ssh_login_failed
aggregation:
  group_by: destination_ip
  distinct_count: source_ip
  threshold: 5
  window: 15m
actions:
  - alert
  - tag: distributed-brute-force
```
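To see why the rule keys on distinct sources rather than attempts per source, here is an added example (not Sentinel Nerd code) that runs both kinds of rule over constructed sshd syslog lines: six sources spread over a few minutes, 45 seconds apart, none making more than two attempts. The log lines, the year assumed for syslog timestamps, the `usg` and `nas` hostnames and the thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 5737 documentation addresses), not
# customer data. Six distinct sources, each trying once or twice, 45 s apart:
# the low-and-slow, distributed pattern described above. The two "nas"
# failures are an admin mistyping a password.
SAMPLE_LOG = """\
Jan 14 03:00:05 usg sshd[2311]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jan 14 03:00:50 usg sshd[2314]: Failed password for admin from 198.51.100.7 port 40211 ssh2
Jan 14 03:01:35 usg sshd[2319]: Failed password for invalid user ubnt from 192.0.2.44 port 37712 ssh2
Jan 14 03:02:20 usg sshd[2322]: Failed password for admin from 203.0.113.10 port 51240 ssh2
Jan 14 03:03:05 usg sshd[2325]: Failed password for root from 198.51.100.88 port 59003 ssh2
Jan 14 03:03:50 usg sshd[2330]: Failed password for invalid user pi from 203.0.113.201 port 44120 ssh2
Jan 14 03:04:35 usg sshd[2333]: Failed password for root from 192.0.2.44 port 37720 ssh2
Jan 14 03:05:20 usg sshd[2337]: Failed password for root from 198.51.100.7 port 40230 ssh2
Jan 14 03:06:05 usg sshd[2340]: Failed password for admin from 192.0.2.9 port 50111 ssh2
Jan 14 03:10:00 nas sshd[881]: Failed password for admin from 192.168.10.5 port 52200 ssh2
Jan 14 03:10:30 nas sshd[884]: Failed password for admin from 192.168.10.5 port 52201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
LOG_YEAR = 2025  # syslog timestamps carry no year; assumed for the sample


def parse_failed_logins(text):
    """Return chronologically ordered dicts, one per 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SSH failure; ignore
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts.replace(year=LOG_YEAR), "dst": m["host"],
                       "src": m["src"], "user": m["user"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_per_source(events, threshold=5, window=timedelta(minutes=10)):
    """Classic fail2ban-style rule: N failures from ONE source in the window."""
    recent = defaultdict(deque)  # (dst, src) -> timestamps inside the window
    alerts = []
    for e in events:
        q = recent[(e["dst"], e["src"])]
        q.append(e["ts"])
        while q and q[0] < e["ts"] - window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"dst": e["dst"], "src": e["src"], "ts": e["ts"]})
    return alerts


def detect_distributed(events, threshold=5, window=timedelta(minutes=15)):
    """Mirror of the YAML rule: DISTINCT sources failing against one target
    inside a sliding window. One alert per target, the first time it trips."""
    recent = defaultdict(deque)  # dst -> (ts, src) inside the window
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["dst"]]
        q.append((e["ts"], e["src"]))
        while q and q[0][0] < e["ts"] - window:
            q.popleft()
        distinct = {src for _, src in q}
        if len(distinct) >= threshold and e["dst"] not in alerted:
            alerted.add(e["dst"])
            alerts.append({"dst": e["dst"], "ts": e["ts"],
                           "sources": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("per-source rule:", detect_per_source(evs))  # nothing: no IP reaches 5
    for a in detect_distributed(evs):
        print(f"{a['ts']} {a['dst']}: {len(a['sources'])} distinct sources {a['sources']}")
```

The per-source rule stays silent on this log, while the distinct-source rule fires at the sixth failure, when the fifth different address shows up. Pair it with the window: a 15-minute window at 45-second spacing is enough to catch the campaign, but attackers who stretch spacing past the window will need a longer window or a daily roll-up.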
2. IoT Botnet Activity
We observed a 22% increase in traffic associated with known IoT botnets, particularly:
- Mirai variants — Scanning for default credentials over telnet (ports 23 and 2323)
- Mozi — A peer-to-peer botnet that uses the BitTorrent DHT protocol for peer discovery and command distribution; DHT traffic from a camera or smart plug that has no business speaking BitTorrent is the tell
- InfectedSlurs — A newer Mirai-based botnet exploiting NVR and router vulnerabilities
IoT devices on flat networks (no VLAN segmentation) were 6x more likely to show signs of compromise.
Recommendation: Isolate IoT devices on a dedicated VLAN that can reach the internet but not other VLANs. Firewall rules are evaluated top to bottom, so the rule that drops IoT-to-RFC1918 traffic must sit above any broad "allow IoT to any" rule, and an allow for established/related traffic keeps return packets flowing so the management VLAN can still open connections to the devices. Inbound from the internet is already blocked by NAT unless you port-forward; audit port forwards that land on IoT devices (NVRs are a favourite target). Monitor for outbound traffic an IoT device has no reason to generate, such as telnet to many addresses or DHT traffic from a device that is not a torrent client.
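As an added illustration (not Sentinel Nerd code and not a UniFi configuration format), the following models a LAN-In style rule list as first-match, top-to-bottom evaluation and shows the one ordering mistake that silently undoes IoT isolation: a "drop IoT to LAN" rule placed below an "allow IoT to any" rule. The VLAN subnets, the deny-by-default at the end of the list, and the sample flows are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for this example (not from the report): management VLAN
# 192.168.10.0/24, IoT VLAN 192.168.30.0/24; "rfc1918" is all private space.
ZONES = {
    "mgmt": [ipaddress.ip_network("192.168.10.0/24")],
    "iot": [ipaddress.ip_network("192.168.30.0/24")],
    "rfc1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # reply traffic of a connection opened from the far side


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "accept" or "drop"
    src_zone: str            # a ZONES key or "any"
    dst_zone: str
    established_only: bool = False


def in_zone(ip, zone):
    if zone == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZONES[zone])


def evaluate(rules, flow):
    """First match wins, top to bottom; this model drops anything unmatched."""
    for r in rules:
        if r.established_only and not flow.established:
            continue
        if in_zone(flow.src, r.src_zone) and in_zone(flow.dst, r.dst_zone):
            return r.action, r.name
    return "drop", "implicit-default"


def representative(zone):
    """One address inside the zone ("any" gets a public documentation address)."""
    return "203.0.113.1" if zone == "any" else str(next(ZONES[zone][0].hosts()))


def shadowed(rules):
    """Rules that never fire even for a flow built from their own zones: the
    fingerprint of a deny placed below an accept that already covers it.
    One probe per rule, so a heuristic rather than a proof about the ruleset."""
    return [r.name for r in rules if not r.established_only
            and evaluate(rules, Flow(representative(r.src_zone),
                                     representative(r.dst_zone), 22))[1] != r.name]


ESTABLISHED = Rule("allow established/related", "accept", "any", "any", established_only=True)
MGMT_TO_IOT = Rule("allow mgmt to iot", "accept", "mgmt", "iot")
IOT_TO_ANY = Rule("allow iot to internet", "accept", "iot", "any")  # really "to any"
IOT_TO_LAN = Rule("drop iot to lan", "drop", "iot", "rfc1918")

# Weak: the drop sits below the broad accept, so it can never match.
WEAK_RULES = [ESTABLISHED, MGMT_TO_IOT, IOT_TO_ANY, IOT_TO_LAN]
# Hardened: the same four rules, with the drop moved above the accept.
HARDENED_RULES = [ESTABLISHED, MGMT_TO_IOT, IOT_TO_LAN, IOT_TO_ANY]

# Constructed flows: a camera fetching an update, the same camera probing the
# controller's SSH port, an admin opening the camera's web UI, and the reply.
SAMPLE_FLOWS = {
    "camera->internet": Flow("192.168.30.25", "203.0.113.50", 443),
    "camera->controller-ssh": Flow("192.168.30.25", "192.168.10.5", 22),
    "admin->camera-web": Flow("192.168.10.5", "192.168.30.25", 80),
    "camera->admin-reply": Flow("192.168.30.25", "192.168.10.5", 51000, established=True),
}


def audit(rules):
    """Map each sample flow to the (action, rule name) the ruleset gives it."""
    return {name: evaluate(rules, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: shadowed rules = {shadowed(rules)}")
        for name, (action, rule) in audit(rules).items():
            print(f"  {name:24} {action:6} via {rule}")
```

The weak list reports the drop rule as shadowed and lets the camera reach the controller's SSH port; the hardened list drops that flow while the camera's internet access and the admin's browsing (plus its return traffic) still pass.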
3. DNS Tunneling
DNS tunneling attempts increased 18% in January. Attackers use DNS queries to exfiltrate data or establish command-and-control channels, bypassing traditional firewall rules since DNS traffic is typically allowed.
Indicators we track:
- DNS queries with unusually long subdomain labels (50+ characters; a single label cannot exceed 63, so tunnels pack labels close to that limit)
- High volume of DNS queries to a single domain from one host
- TXT record queries with encoded payloads
- NXDOMAIN response spikes from single hosts
Recommendation: Monitor DNS query patterns with Sentinel Nerd. Flag hosts generating more than 100 DNS queries per minute or whose query names carry high-entropy (base32- or base64-looking) labels. Any single indicator is noisy on its own, since CDN hostnames run long and browsers prefetch in bursts, so alert when two or more indicators coincide on the same host.
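Here, as an added example rather than Sentinel Nerd's own detection logic, is a scorer for the four indicators above run over a constructed query log: a workstation doing ordinary lookups and an IoT-VLAN host pushing 120 TXT queries in one minute whose leading label is a 52-character base32 chunk. The entropy cut-off, the NXDOMAIN ratio, the client addresses and the `t.example.net` domain are assumptions for the illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds follow the indicators listed above; the entropy cut-off and the
# NXDOMAIN ratio are assumptions for this example.
LONG_LABEL = 50          # characters in a single label (the DNS maximum is 63)
MAX_QPM = 100            # queries per minute from one client
ENTROPY_BITS = 3.5       # bits/char above which a label looks base32/base64-encoded
NXDOMAIN_RATIO = 0.5     # share of a client's queries answered NXDOMAIN


def shannon_entropy(s):
    """Bits per character. Words score around 2-3; encoded payloads score 4+."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_sample():
    """Constructed query log as (client, timestamp, qtype, qname, rcode) tuples:
    a workstation doing ordinary lookups, and an IoT-VLAN host sending 120 TXT
    queries in one minute whose first label is a 52-character base32 chunk
    (a deterministic stand-in for an exfiltration payload)."""
    t0 = datetime(2025, 1, 14, 3, 0, 0)
    records = []
    for i, name in enumerate(["www.example.com", "api.example.com",
                              "cdn-assets.example.net", "login.example.org"]):
        records.append(("192.168.10.5", t0 + timedelta(seconds=20 * i), "A", name, "NOERROR"))
    for i in range(120):
        digest = hashlib.sha256(str(i).encode()).digest()
        chunk = base64.b32encode(digest).decode().rstrip("=").lower()  # 52 chars
        rcode = "NXDOMAIN" if i % 4 else "NOERROR"  # most chunks never get an answer
        records.append(("192.168.30.25", t0 + timedelta(milliseconds=500 * i),
                        "TXT", f"{chunk}.t.example.net", rcode))
    return records


def analyze(records):
    """Per-client counters for each indicator."""
    stats = defaultdict(lambda: {"queries": 0, "long_labels": 0, "encoded_txt": 0,
                                 "nxdomain": 0, "max_qpm": 0})
    per_minute = Counter()
    for client, ts, qtype, qname, rcode in records:
        s = stats[client]
        s["queries"] += 1
        per_minute[(client, ts.replace(second=0, microsecond=0))] += 1
        labels = qname.rstrip(".").split(".")
        if any(len(label) >= LONG_LABEL for label in labels):
            s["long_labels"] += 1
        if qtype == "TXT" and shannon_entropy(labels[0]) >= ENTROPY_BITS:
            s["encoded_txt"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    for (client, _), n in per_minute.items():
        stats[client]["max_qpm"] = max(stats[client]["max_qpm"], n)
    return dict(stats)


def indicators(s):
    """Names of the indicators a client's counters trip."""
    hits = []
    if s["long_labels"]:
        hits.append("long-label")
    if s["max_qpm"] > MAX_QPM:
        hits.append("query-rate")
    if s["encoded_txt"]:
        hits.append("encoded-txt")
    if s["queries"] and s["nxdomain"] / s["queries"] >= NXDOMAIN_RATIO:
        hits.append("nxdomain-spike")
    return hits


def flag_tunneling(records, min_indicators=2):
    """Clients tripping at least min_indicators independent indicators. One
    alone is noisy (CDN hostnames run long; browsers prefetch in bursts)."""
    flagged = {}
    for client, s in analyze(records).items():
        hits = indicators(s)
        if len(hits) >= min_indicators:
            flagged[client] = hits
    return flagged


if __name__ == "__main__":
    for client, hits in flag_tunneling(build_sample()).items():
        print(f"{client}: {', '.join(hits)}")
```

The workstation trips nothing; the IoT host trips all four. In production, feed the scorer from the resolver's query log rather than from flow data, because flow records lose the query name, which is where three of the four indicators live.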
Geographic Trends
Attack Source Distribution
| Country | % of Attack Traffic | Change from Dec (percentage points) |
|---|---|---|
| China | 24% | +3% |
| United States | 18% | -1% |
| Russia | 14% | +2% |
| Brazil | 9% | +4% |
| Vietnam | 7% | +1% |
| India | 6% | 0% |
| Indonesia | 5% | +2% |
| Other | 17% | -11% |
Notable: Brazil moved up to 4th place with a significant increase in attack traffic, primarily driven by compromised IoT devices being recruited into botnets.
Target Distribution
Most attacks targeted:
- SSH services (port 22) — 38% of all attack traffic
- Web services (ports 80/443) — 24%
- IoT protocols (ports 23, 2323, 8080) — 15%
- RDP (port 3389) — 12%
- SIP/VoIP (port 5060) — 6%
- Other — 5%
Attack Volume Trends
Daily attack events per deployment (median):
- January 2025: 1,847 events/day
- December 2024: 1,502 events/day
- November 2024: 1,389 events/day
The upward trend reflects both increasing attack activity and improved detection coverage in Sentinel Nerd v2.0’s new detection engine.
Alert-to-event ratio: 6.8% of events generated alerts (up from 5.2% in December). We read this as the updated rule set extracting more signal, but a higher ratio is only a gain if the additional alerts are true positives; if the share of alerts your team closes as false also rose, tune the new rules' thresholds rather than accept the extra volume.
Notable CVEs
Three CVEs from January are particularly relevant for UniFi environments:
CVE-2025-0282 — Ivanti Connect Secure
While not a UniFi vulnerability, many organizations run Ivanti VPN alongside UniFi infrastructure. This critical stack-based buffer overflow allows unauthenticated remote code execution and was exploited in the wild before the fix shipped. If you use Ivanti, patch immediately, run Ivanti's Integrity Checker Tool (ICT) against each appliance, and treat any ICT mismatch as a compromise to investigate rather than a failed check to re-run.
CVE-2025-0411 — 7-Zip Mark of the Web Bypass
7-Zip did not propagate the Mark of the Web from a downloaded archive to the files it extracts, so a payload inside the archive arrives without the flag that triggers SmartScreen and Office Protected View. Relevant for Windows workstations used to manage UniFi. 7-Zip has no auto-update mechanism, so push version 24.09 or later through your software deployment tooling and verify the installed version rather than assuming it.
CVE-2024-45200 — UniFi Network Application
A medium-severity CSRF vulnerability in UniFi Network Application versions prior to 8.6.2. Action: Update your UniFi Network Application to the latest version. Sentinel Nerd monitors controller versions and will alert you if you’re running a vulnerable version.
Recommendations
Based on January’s threat data, we recommend:
- Review SSH access — Disable password authentication, use key-only login, and limit SSH access to the management VLAN
- Segment IoT devices — If you haven’t already, create a dedicated IoT VLAN with restricted access
- Monitor DNS patterns — Enable DNS query logging and set up detection rules for tunneling indicators
- Update firmware — Ensure all UniFi devices are on the latest firmware. Check controller version for CVE-2024-45200
- Review firewall rules — Audit your rules quarterly. Remove any rules that are too permissive
- Enable Active Response — For SSH brute force, automated blocking significantly reduces exposure. Per-IP blocks bite less against the distributed campaigns described above, where each source only tries a few times, so treat blocking as a complement to key-only authentication rather than a substitute
- Check your backups — Verify controller backups are current. Test a restore procedure
Methodology
This report is based on anonymized, aggregated data from Sentinel Nerd deployments that have opted into threat intelligence sharing. We analyze:
- Syslog data from UniFi Network controllers
- IDS/IPS alert metadata
- Threat intelligence enrichment from AbuseIPDB and VirusTotal
- Network flow data (metadata only, not payload content)
Individual deployment data is never shared or identifiable. All analysis is performed on aggregated statistics.
The February 2025 threat landscape report will be published in early March. To ensure your network is represented in our data (and to benefit from our collective threat intelligence), enable threat sharing in Settings > Privacy > Threat Intelligence Sharing.
Questions about this report? Contact us at research@sentinelnerd.com.