Summary (Bottom Line Up Front)
Our sensors detected reconnaissance activity from IP [SENSOR-IP] (Poland/AS50584) targeting Fortinet login interfaces on March 11, 2026 between 19:00-21:00 UTC. The activity represents low-to-medium risk reconnaissance behavior with 51 events over a 15-minute window. Network defenders should monitor for follow-on exploitation attempts against Fortinet devices.
Activity Timeline
INITIAL REPORT 2026-03-14T17:54:56Z
Source: batch_hunting
Technical details
The threat actor conducted reconnaissance operations from [SENSOR-IP], a Polish IP address registered to DOMINET Sp. z o.o. (AS50584). Activity spanned multiple protocols including HTTP, HTTPS, TCP, and TLS 1.2+, targeting 4 unique destination ports. The attacker probed open services on ports 22, 6443, 8000, 8080, and 44818, with primary focus on Fortinet device login page enumeration. Attack pattern classification: FORTI_RECON with medium severity rating. The source IP currently shows 0/100 AbuseIPDB reputation score and lacks reverse DNS resolution. Activity aligns with MITRE ATT&CK T1595 (Active Scanning) reconnaissance phase.
IOCs
IP: [SENSOR-IP]
ASN: 50584
COUNTRY: PL
Recommendations
- Block IP [SENSOR-IP] at the network perimeter and monitor for additional reconnaissance from AS50584 netblocks
- Review Fortinet device access logs for authentication attempts and implement additional access controls if the devices are exposed to the internet
- Enable enhanced logging on ports 22, 6443, 8000, and 8080 to detect follow-on exploitation attempts
- Implement network segmentation to limit exposure of management interfaces to untrusted networks
- Monitor for lateral movement indicators if any Fortinet devices were successfully compromised during this timeframe