109.95.121.70

Summary (Bottom Line Up Front)

Russian-origin IP address 109.95.121.70 conducted sustained SMB reconnaissance against organizational networks over a 23-day period from February 25 to March 20, 2026, generating 143 security events. The activity primarily leveraged the deprecated, vulnerable SMBv1 protocol for network enumeration and represents HIGH risk because of potential follow-on exploitation of legacy SMB implementations. Organizations should immediately audit SMB configurations and disable SMBv1 across all network segments.

Tags: Modbus, SMB, TCP, TCP/SYN, auto, smb
Activity Timeline
UPDATE 3 (2026-03-24T06:29:29Z)
Source: Analyst Manual Entry
New findings
The threat actor conducted reconnaissance against SMB services (port 445) using the deprecated SMBv1 protocol with NTLM authentication. Activity patterns indicate systematic network enumeration consistent with MITRE technique T1021.002 (SMB/Windows Admin Shares). The campaign generated 143 events across 2 unique destination ports; payload analysis revealed SMBv1 negotiation attempts including the "NT LM 0.12" dialect string and the SMBv1 header signature ff534d42720000000018014800000000 (the "\xffSMB" protocol marker followed by command byte 0x72, SMB_COM_NEGOTIATE). AI-powered detection systems flagged legacy dialect negotiation patterns with 85% confidence, indicating sophisticated evasion attempts targeting known SMBv1 vulnerabilities including the EternalBlue exploit family. The sustained 23-day operational window indicates persistent threat actor interest in SMB-accessible infrastructure.
Recommendations
  • Block traffic from 109.95.121.70 at network perimeter and monitor for additional Russian ASN ranges conducting similar SMB reconnaissance
  • Immediately disable SMBv1 protocol on all Windows systems and network devices, migrating to SMBv2/v3 implementations
  • Implement network segmentation to restrict SMB traffic to authorized administrative subnets only
  • Deploy enhanced monitoring for SMB protocol anomalies, particularly legacy dialect negotiation attempts and unusual NTLM authentication patterns
  • Conduct urgent vulnerability assessment of all SMB-enabled systems to identify potential EternalBlue and related SMBv1 exploit exposure
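The monitoring recommendation above (flag legacy dialect negotiation) can be implemented directly on the wire format the findings describe. The following Python is an added example, not code from the report's source platform: it parses an SMB1 Negotiate Protocol request, extracts the offered dialect strings, checks for the 16-byte header signature quoted in the findings, and separates a pure SMBv1 negotiate from the multi-protocol negotiate that older-but-SMB2-capable clients send (an SMB1 wrapper that lists "NT LM 0.12" alongside "SMB 2.002" / "SMB 2.???"). The sample payloads are constructed in the code by `build_negotiate`, a hypothetical helper, rather than taken from the observed traffic.

```python
"""Classify SMB Negotiate requests by the dialects they offer (added example, not the report's code)."""
import struct

SMB1_MAGIC = b"\xffSMB"            # ff534d42: start of the signature quoted in the report
SMB_COM_NEGOTIATE = 0x72           # fifth byte of that signature
NBSS_SESSION_MESSAGE = 0x00        # NetBIOS Session Service message type used on TCP/445
REPORT_SIGNATURE_HEX = "ff534d42720000000018014800000000"   # taken from the findings above

# Dialect names that only an SMBv1 client offers; "NT LM 0.12" is the one cited in the findings.
LEGACY_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                   "LM1.2X002", "LANMAN2.1", "NT LM 0.12"}


def strip_netbios(payload: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service framing if the payload carries it."""
    if len(payload) >= 4 and payload[0] == NBSS_SESSION_MESSAGE:
        length = int.from_bytes(payload[1:4], "big")
        if length == len(payload) - 4:
            return payload[4:]
    return payload


def matches_report_signature(payload: bytes) -> bool:
    """True when the payload starts with the SMBv1 Negotiate header signature from the report."""
    return strip_netbios(payload).startswith(bytes.fromhex(REPORT_SIGNATURE_HEX))


def parse_smb1_negotiate(payload: bytes):
    """Return flags, flags2 and the dialect list of an SMB1 Negotiate request, or None otherwise."""
    payload = strip_netbios(payload)
    # 32-byte SMB1 header, then WordCount (1) and ByteCount (2) at minimum.
    if len(payload) < 35 or payload[:4] != SMB1_MAGIC or payload[4] != SMB_COM_NEGOTIATE:
        return None
    flags, flags2 = struct.unpack_from("<BH", payload, 9)   # after Protocol(4) Command(1) Status(4)
    word_count = payload[32]
    body = payload[33 + 2 * word_count:]
    if len(body) < 2:
        return None
    (byte_count,) = struct.unpack_from("<H", body, 0)
    data = body[2:2 + byte_count]
    dialects, pos = [], 0
    while pos < len(data) and data[pos] == 0x02:           # each entry: 0x02 + ASCII name + NUL
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            break
        dialects.append(data[pos + 1:end].decode("ascii", errors="replace"))
        pos = end + 1
    return {"flags": flags, "flags2": flags2, "dialects": dialects}


def classify(payload: bytes) -> str:
    """Label a payload for alerting; 'smb1-only-negotiate' is the high-fidelity legacy signal."""
    info = parse_smb1_negotiate(payload)
    if info is None:
        return "not-smb1-negotiate"          # e.g. a direct SMB2 negotiate (\xfeSMB) or other traffic
    offers_smb2 = any(d.startswith("SMB 2.") for d in info["dialects"])
    offers_legacy = any(d in LEGACY_DIALECTS for d in info["dialects"])
    if offers_legacy and not offers_smb2:
        return "smb1-only-negotiate"         # the client offers no SMB2 dialect at all
    if offers_legacy:
        return "multi-protocol-negotiate"    # SMB1 wrapper that also offers SMB2: lower priority
    return "smb1-negotiate-unknown-dialects"


def build_negotiate(dialects) -> bytes:
    """Hypothetical helper: build a constructed, NetBIOS-framed SMB1 Negotiate request for testing."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00\x00\x00\x00"   # Status
              + b"\x18" + b"\x01\x48"                      # Flags, Flags2 as in the report signature
              + b"\x00\x00" + b"\x00" * 8 + b"\x00\x00"    # PIDHigh, SecurityFeatures, Reserved
              + b"\xff\xff" + b"\x00\x00" + b"\x00\x00" + b"\x00\x00")   # TID, PIDLow, UID, MID
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data        # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    # Constructed samples: a pure SMBv1 client and an older client that still offers SMB2.
    for name, dialects in [("legacy-only", ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
                           ("multi-protocol", ["NT LM 0.12", "SMB 2.002", "SMB 2.???"])]:
        pkt = build_negotiate(dialects)
        print(name, classify(pkt), matches_report_signature(pkt), parse_smb1_negotiate(pkt)["dialects"])
```

Alerting on the "NT LM 0.12" string alone over-counts: a multi-protocol negotiate from an SMB2-capable client carries it too, so the `smb1-only-negotiate` label, where no "SMB 2." dialect is offered, is the signal worth paging on, and the 16-byte signature match is useful for correlating captures with the hit counts in this report.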
UPDATE 2 (2026-03-23T07:41:42Z)
Source: Analyst Manual Entry
Russian IP address 109.95.121.70 conducted sustained SMB reconnaissance activity over a 23-day period, generating 140 security events targeting legacy SMBv1 protocols. This represents MEDIUM-risk reconnaissance activity that could precede exploitation attempts against vulnerable SMB services. Network defenders should immediately audit SMB exposure and disable SMBv1 where possible.
New findings
  • Source: 109.95.121.70 (AS43661 OOO Kip Konnect, Russia)
  • Campaign Duration: February 25, 2026 14:00 - March 20, 2026 13:00 (23 days)
  • Attack Volume: 140 events across 2 unique destination ports
  • Primary Protocol: SMBv1 (NT LM 0.12 dialect negotiation)
  • MITRE Technique: T1135 (Network Share Discovery)
  • Kill Chain Phase: Reconnaissance
  • Key Patterns: SMBv1 detection (38 hits), SMB usage enumeration (8 hits), NTLM authentication attempts (6 hits), NTLM negotiation (6 hits)
  • IOC: 109.95.121.70
Recommendations
  • Immediately inventory and disable SMBv1 protocol on all Windows systems and network devices
  • Implement network segmentation to restrict SMB traffic (ports 445/139) to authorized systems only
  • Deploy enhanced monitoring for SMB protocol anomalies and legacy protocol usage
  • Review firewall rules to block unnecessary SMB exposure to external networks
  • Conduct vulnerability assessment focusing on SMB-related CVEs including EternalBlue variants
UPDATE 1 (2026-03-14T17:52:02Z)
Source: batch_hunting
Russian IP address 109.95.121.70 conducted sustained SMB reconnaissance activity over 15 days, generating 109 security events targeting legacy SMBv1 protocol services. This activity represents MEDIUM-confidence reconnaissance that could precede exploitation attempts against vulnerable SMB services. Organizations should immediately audit and disable SMBv1 across their networks.
New findings
  • Source: 109.95.121.70 (Russia, ASN unknown)
  • Timeline: February 25, 2026 14:00 - March 12, 2026 08:00 (15-day campaign)
  • Volume: 109 events across 2 unique destination ports
  • Protocols: SMBv1, Modbus, TCP reconnaissance
  • Primary Technique: T1135 (Network Share Discovery)
  • Attack Patterns: SMBv1 protocol negotiation (29 hits), legacy NTLM authentication attempts (11 hits)
  • Kill Chain Phase: Reconnaissance
  • Key IOC: 109.95.121.70
Recommendations
  • Immediately block IP 109.95.121.70 at network perimeter and update threat intelligence feeds
  • Audit all Windows systems and disable SMBv1 protocol across the enterprise environment
  • Monitor SMB traffic for unusual authentication attempts and legacy protocol usage patterns
  • Implement network segmentation to limit SMB service exposure to untrusted networks
  • Deploy enhanced logging for SMB services and review recent connection attempts for similar reconnaissance activity
INITIAL REPORT (2026-03-10T15:10:08Z)
Source: Analyst Manual Entry
Russian IP address 109.95.121.70 conducted sustained SMB reconnaissance over a 13-day period, targeting legacy SMBv1 protocol implementations with 82 recorded events. This activity represents medium-risk reconnaissance that could precede exploitation attempts against vulnerable SMB services. Network defenders should immediately audit SMB exposure and disable SMBv1 where possible.
Technical details
  • Source: 109.95.121.70 (Russian IP space, first observed 2026-02-25 14:00, last seen 2026-03-10 08:00)
  • Attack Vector: SMB protocol enumeration targeting 2 unique destination ports over 13-day campaign
  • Primary Techniques: SMBv1 protocol negotiation using legacy NT LM 0.12 dialect (MITRE T1135 - Network Share Discovery)
  • Attack Patterns: 23 SMBv1 detection events, 8 SMBv1 usage attempts, NTLM authentication probes
  • Assessment: Medium confidence reconnaissance activity with potential for follow-on exploitation of SMBv1 vulnerabilities including EternalBlue-class attacks
  • IOC: 109.95.121.70
IOCs
IP: 109.95.121.70
COUNTRY: RU
Recommendations
  • Immediately block 109.95.121.70 at network perimeter and monitor for additional Russian IP ranges conducting similar reconnaissance
  • Audit all SMB services exposed to internet and disable SMBv1 protocol on all Windows systems and file shares
  • Implement network segmentation to isolate SMB services from external access and require VPN authentication for remote file access
  • Deploy enhanced monitoring for SMB protocol anomalies, particularly legacy protocol negotiation attempts and unusual authentication patterns
  • Conduct vulnerability assessment of all SMB-enabled systems to identify potential EternalBlue and related SMBv1 exploit vectors