Most of the scanner IP came from Argentina: about 65.7k unique scanners from Argentina in less than a single day, almost 100k in last 60 hours. Two new credentials admin/CentryL1nk and admin/QwestM0dem are now actively being used. The abuse of these two credentials began at around 2017-11-22 11:00, and reached its peak during the daytime. The IP overlap together with the time span match, make us believe this is the root cause.”]