Summary (Bottom Line Up Front)
A threat actor operating from Chinese CHINANET (AS4134) infrastructure at 1.192.212.177 conducted sustained, automated credential brute-force attempts against Telnet services over an 8-day period in April 2026. Assessment: LOW threat level; opportunistic scanning activity with no novel techniques observed. Recommended action: standard credential hardening and a review of exposed Telnet and SSH services.
Activity Timeline
UPDATE 2026-04-09T05:30:17Z
Source: Analyst Manual Entry
New findings
- Source: 1.192.212.177 (Zhengzhou, CN / AS4134 CHINANET Henan Province)
- Campaign Duration: April 1-9, 2026 (8 days of sustained activity)
- Attack Volume: 1,689 events over TCP, predominantly Telnet, against a single destination port
- Primary Technique: automated credential guessing (714 authentication events in total)
- MITRE Mapping: T1110.001 (Brute Force: Password Guessing) against Telnet services; the observed pattern of empty and vendor-default credentials is password guessing rather than credential stuffing or password spraying
- Related observations: ports 22 (SSH) and 10023 (a non-standard Telnet port) also appear in the activity alongside 23, suggesting the tooling targets more than one remote-access protocol; these are observations, not standalone IOCs
- Threat Assessment: commodity automated tooling with high confidence (AbuseIPDB score 100/100); no zero-day exploitation or advanced persistent threat indicators observed
Recommendations
- Block source IP 1.192.212.177 at the network edge and monitor for further scanning from AS4134 CHINANET ranges; expect the source to rotate, so treat the IP block as short-term containment rather than a lasting control
- Audit and disable unnecessary Telnet services; migrate legacy systems to SSH with key-based authentication where possible
- Deploy rate limiting and account lockout policies for all remote-access services to blunt password guessing
- Enable enhanced logging for authentication events on ports 22, 23, and any non-standard Telnet ports (e.g. 10023)
- Conduct a credential hygiene review focused on default and weak passwords on network infrastructure devices, since empty and vendor-default credentials are exactly what this tooling tries
INITIAL REPORT 2026-04-07T18:25:12Z
Source: Analyst Manual Entry
Threat intelligence sensors detected sustained Telnet brute-force activity from 1.192.212.177 (China Telecom/CHINANET Henan) conducting credential-guessing attacks over a six-day period in April 2026. This was assessed as a MEDIUM severity threat, with 1,689 recorded events targeting Telnet services using automated tooling. Organizations should immediately audit Telnet service exposure and implement access controls to mitigate unauthorized access attempts.
Technical details
The attacking host 1.192.212.177 originated from AS4134 (CHINANET Henan Province Network) in Zhengzhou, China, with a maximum AbuseIPDB reputation score of 100/100. Attack activity spanned from April 1st 21:00 to April 7th 20:00, generating 1,689 total events across TCP and Telnet protocols. The threat actor employed MITRE technique T1110.001 (Brute Force: Password Guessing) during the Exploitation phase of the kill chain, executing 378 authentication retry attempts and 189 direct authentication attempts. The campaign relied on automated brute-force tooling, specifically trying empty username/password combinations and vendor-default credentials against exposed Telnet services on the standard port (23) and non-standard ports (e.g. 10023).
IOCs
IP:1.192.212.177
ASN:4134
COUNTRY:CN
Recommendations
- Block IP address 1.192.212.177 and monitor for additional activity from AS4134 CHINANET Henan network ranges
- Conduct an immediate inventory of Telnet services (port 23 and non-standard ports such as 10023) and disable unnecessary Telnet access
- Implement network segmentation and firewall rules to restrict Telnet access to authorized management networks only
- Deploy fail2ban or a similar intrusion prevention tool to automatically ban hosts after repeated failed authentication attempts (stock filters cover sshd; Telnet logins usually need a filter on the PAM/login log, since telnetd itself does not log authentication outcomes)
- Replace Telnet with SSH for remote administration and enforce strong authentication policies, including multi-factor authentication where possible
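The detection and lockout logic recommended in both entries (rate limiting and lockout after repeated failures, logging on ports 22/23/10023, and attention to empty and default credentials) can be checked against sensor data with a short script. The following is an added example, not code from the original report or from any sensor vendor: the log line format, the failure threshold (5 failures inside a 10-minute sliding window) and the default-credential list are assumptions of this example, and the sample log lines are constructed to mirror the pattern the technical details describe.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines (not real sensor output). Assumed one-line format:
#   <ISO-8601 UTC time> <proto> <src_ip> <dst_port> login user="<u>" pass="<p>" <failed|success>
SAMPLE_LOG = """\
2026-04-01T21:00:05Z telnet 1.192.212.177 23 login user="" pass="" failed
2026-04-01T21:00:07Z telnet 1.192.212.177 23 login user="root" pass="" failed
2026-04-01T21:00:09Z telnet 1.192.212.177 23 login user="root" pass="root" failed
2026-04-01T21:00:12Z telnet 1.192.212.177 10023 login user="admin" pass="admin" failed
2026-04-01T21:00:15Z telnet 1.192.212.177 10023 login user="admin" pass="1234" failed
2026-04-01T21:00:20Z telnet 1.192.212.177 23 login user="root" pass="12345" failed
2026-04-01T21:00:24Z telnet 1.192.212.177 23 login user="support" pass="support" failed
2026-04-01T21:03:10Z ssh 10.0.0.5 22 login user="ops" pass="***" failed
2026-04-01T21:03:30Z ssh 10.0.0.5 22 login user="ops" pass="***" success
2026-04-01T21:05:00Z telnet 203.0.113.9 23 login user="admin" pass="changeme" failed
2026-04-01T22:30:00Z telnet 203.0.113.9 23 login user="admin" pass="letmein" failed
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<port>\d+) '
    r'login user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)" (?P<result>failed|success)$'
)

# Empty and vendor-default pairs commonly tried by Telnet brute-force tooling.
# Illustrative list (an assumption of this example); extend it from your own data.
DEFAULT_CREDENTIALS = {
    ("", ""), ("root", ""), ("root", "root"), ("admin", "admin"),
    ("admin", "1234"), ("support", "support"), ("user", "user"),
}


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    default_cred_attempts: int = 0
    ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    ban_at: Optional[str] = None          # time at which a lockout would trigger
    _window: list = field(default_factory=list)  # timestamps of recent failures


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze_log(text, threshold=5, window_seconds=600):
    """Aggregate authentication events per source IP and mark a source for lockout
    once it reaches `threshold` failures inside a sliding window of `window_seconds`
    (the same decision fail2ban makes from maxretry/findtime)."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    events.sort(key=lambda e: e["time"])  # sensors may interleave lines out of order
    window = timedelta(seconds=window_seconds)
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src"]]
        s.attempts += 1
        s.ports.add(ev["port"])
        s.protocols.add(ev["proto"])
        if (ev["user"], ev["pw"]) in DEFAULT_CREDENTIALS:
            s.default_cred_attempts += 1
        if ev["result"] == "success":
            s.successes += 1
            continue
        s.failures += 1
        s._window.append(ev["time"])
        while ev["time"] - s._window[0] > window:  # expire failures older than the window
            s._window.pop(0)
        if len(s._window) >= threshold and s.ban_at is None:
            s.ban_at = ev["ts"]
    return dict(stats)


def banned_sources(stats):
    """Sources that crossed the lockout threshold, sorted for stable output."""
    return sorted(src for src, s in stats.items() if s.ban_at)


def report(stats):
    """One summary line per source, noisiest first, with the MITRE mapping for lockouts."""
    lines = []
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1].failures):
        tag = "T1110.001 password guessing" if s.ban_at else "below threshold"
        lines.append(f"{src}: {s.failures} failed / {s.successes} ok, "
                     f"{s.default_cred_attempts} default-credential tries, "
                     f"ports {sorted(s.ports)}, ban_at={s.ban_at} [{tag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze_log(SAMPLE_LOG))))
```

On the constructed sample, the CHINANET source is marked for lockout at its fifth failure (21:00:15Z) and six of its seven attempts use empty or vendor-default pairs, while the two benign sources (one typo followed by a successful SSH login, two Telnet failures 85 minutes apart) stay below threshold. The threshold and window are the knobs to tune against your own baseline; a window that is too long turns legitimate fat-fingered logins into lockouts, which is the account-lockout denial-of-service trade-off the recommendations above accept knowingly.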