Summary (Bottom Line Up Front)
A suspicious IP address (130.12.180.65) from Germany has been observed conducting reconnaissance and potential exploitation attempts targeting TCP port 5555 associated with Android Debug Bridge (ADB). The threat level is assessed as MEDIUM, indicating a need for network defenders to investigate and mitigate exposure of ADB services.
Activity Timeline
INITIAL REPORT 2026-05-17T06:18:43Z
Source: Analyst Manual Entry
A suspicious IP address (130.12.180.65) from Germany has been observed conducting reconnaissance and potential exploitation attempts targeting TCP port 5555 associated with Android Debug Bridge (ADB). The threat level is assessed as MEDIUM, indicating a need for network defenders to investigate and mitigate exposure of ADB services.
Technical details
Suricata flagged high-volume reconnaissance activity against TCP port 5555; the alerts fired on the CINS threat-intel signature (sid 2403480). The source IP is associated with poor reputation indicators, but no exploit payloads were captured. The activity was mapped to MITRE ATT&CK technique T1595, indicating reconnaissance. Key protocols involved are ADB and TCP (SYN).
IOCs
IP:130.12.180.65
COUNTRY:DE
Recommendations
- Disable or restrict access to ADB services on port 5555 unless necessary.
- Conduct a network scan for any exposed devices or systems using port 5555.
- Review and update firewall rules to block traffic from suspicious IP addresses.
- Monitor logs and alerts for further reconnaissance activities targeting this port.
- Educate staff about the risks of exposing ADB services to the internet.
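
To support the log-monitoring recommendation, the following added example (not part of the original report) groups Suricata EVE JSON alerts aimed at TCP port 5555 by source IP and flags sources that tripped sid 2403480 or touched several hosts. The EVE lines, the 192.0.2.x and 198.51.100.x addresses, sid 9000001, and the function names and `min_targets` threshold are constructed assumptions.

```python
import json
from collections import defaultdict

ADB_PORT = 5555      # ADB over TCP, per the report
CINS_SID = 2403480   # signature id named in the report

# Constructed sample EVE lines (not captured traffic). 192.0.2.x and
# 198.51.100.x are documentation addresses; sid 9000001 is a placeholder.
SAMPLE_EVE = [
    '{"timestamp":"2026-05-17T06:10:01.000000+0000","event_type":"alert","src_ip":"130.12.180.65","dest_ip":"192.0.2.10","dest_port":5555,"proto":"TCP","alert":{"signature_id":2403480}}',
    '{"timestamp":"2026-05-17T06:10:02.000000+0000","event_type":"alert","src_ip":"130.12.180.65","dest_ip":"192.0.2.11","dest_port":5555,"proto":"TCP","alert":{"signature_id":2403480}}',
    '{"timestamp":"2026-05-17T06:10:04.000000+0000","event_type":"alert","src_ip":"130.12.180.65","dest_ip":"192.0.2.12","dest_port":5555,"proto":"TCP","alert":{"signature_id":2403480}}',
    '{"timestamp":"2026-05-17T06:10:05.000000+0000","event_type":"alert","src_ip":"130.12.180.65","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2403480}}',
    '{"timestamp":"2026-05-17T06:10:06.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":5555,"proto":"TCP","alert":{"signature_id":9000001}}',
    '{"timestamp":"2026-05-17T06:10:07.000000+0000","event_type":"flow","src_ip":"130.12.180.65","dest_ip":"192.0.2.13","dest_port":5555,"proto":"TCP"}',
    '{"timestamp":"2026-05-17T06:11',
]

def summarize_adb_probes(eve_lines, port=ADB_PORT, sid=CINS_SID):
    """Group TCP alerts aimed at `port` by source IP."""
    stats = defaultdict(lambda: {"alerts": 0, "targets": set(),
                                 "sid_hits": 0, "first": None, "last": None})
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written log lines
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue  # flow, dns, etc. are out of scope here
        if ev.get("dest_port") != port or str(ev.get("proto", "")).upper() != "TCP":
            continue
        src, ts = ev.get("src_ip"), ev.get("timestamp", "")
        if not src:
            continue
        s = stats[src]
        s["alerts"] += 1
        s["targets"].add(ev.get("dest_ip"))
        s["sid_hits"] += (ev.get("alert") or {}).get("signature_id") == sid
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def sources_to_review(stats, min_targets=3):
    # A source is flagged if it hit the CINS sid or swept several hosts.
    return sorted(ip for ip, s in stats.items()
                  if s["sid_hits"] or len(s["targets"]) >= min_targets)

if __name__ == "__main__":
    print(sources_to_review(summarize_adb_probes(SAMPLE_EVE)))
```

On a live sensor, pass the open `eve.json` file object as `eve_lines`; the first/last comparison relies on all timestamps sharing one format and UTC offset.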