118.107.1.174

Summary (Bottom Line Up Front)

An external threat actor at 118.107.1.174 (Hong Kong/AS152194) conducted sustained SMB reconnaissance targeting legacy protocol implementations over a 15-day period ending March 6, 2026. Assessment: HIGH threat level with 78% confidence, based on SMBv1 exploitation attempts and a 100/100 AbuseIPDB reputation score. Immediate action is required to audit and disable legacy SMB services on the network perimeter.

Tags: Modbus, SMB, TCP, TCP/SYN, auto, smb
Activity Timeline
INITIAL REPORT 2026-03-15T09:17:22Z
Source: Analyst Manual Entry
Technical details
The threat actor leveraged multiple protocols (Modbus, SMB, TCP), with a focus on SMBv1 protocol negotiation attacks mapped to MITRE T1021.002 (SMB/Windows Admin Shares). Attack volume totaled 20 events across 2 unique destination ports from February 19 to March 6, 2026. The source infrastructure exhibits botnet characteristics, with open services on ports 80, 3306, 5985, and 8009. Primary attack patterns include SMBv1 usage detection (4 hits) and legacy SMB protocol exploitation (2 hits). IOC: 118.107.1.174 (CTG Server Ltd./Tseung Kwan O, HK).
IOCs
IP: 118.107.1.174
ASN: 152194
COUNTRY: HK
Recommendations
  • Immediately block 118.107.1.174 at the network perimeter and monitor for additional AS152194 infrastructure
  • Audit all SMBv1 implementations and disable legacy SMB protocols where operationally feasible
  • Implement enhanced monitoring for T1021.002 lateral movement techniques across Windows infrastructure
  • Review firewall rules to restrict SMB traffic (ports 445, 139) to authorized internal networks only
  • Correlate internal logs for any successful SMB authentication attempts during the February 19 to March 6 timeframe