Summary (Bottom Line Up Front)
High-volume RDP scanning activity was detected from 149.50.96.56 (Warsaw, Poland) targeting network infrastructure over a 20-hour period from April 4-5, 2026. The assessment indicates automated reconnaissance at a medium threat level, driven by the scan volume but with low sophistication. Standard RDP hardening measures and monitoring for follow-on activity are recommended.
Activity Timeline
INITIAL REPORT: 2026-04-05T10:31:50Z
Source: Analyst Manual Entry
Technical details
Source IP 149.50.96.56 (AS201814 MEVSPACE, AbuseIPDB score 78/100) generated 43,497 scanning events, primarily against RDP services. Attack-pattern analysis identified 32,589 x224_request RDP scan attempts, consistent with standard reconnaissance behavior. Multiple protocols were observed, including BACnet, Diameter, EtherNet/IP, RDP, and SIP, suggesting broad network service enumeration. The source system fingerprinted as Windows Server 2022 with exposed services on ports 135, 445, 3389, and 5985. The activity maps to MITRE ATT&CK T1018 (Remote System Discovery) and T1021.001 (Remote Desktop Protocol). No exploit attempts or custom tooling were identified, consistent with opportunistic scanning rather than a targeted intrusion.
IOCs
IP: 149.50.96.56
ASN: 201814
Country: PL
Recommendations
- Implement network-level blocking of 149.50.96.56 and monitor for additional scanning from AS201814 address space
- Review and harden RDP configurations including disabling unnecessary RDP access, implementing network-level authentication, and restricting access to authorized IP ranges
- Deploy enhanced logging and alerting for RDP connection attempts, particularly focusing on failed authentication events and connections from foreign IP addresses
- Conduct audit of exposed RDP services across the network perimeter and disable or relocate services where remote access is not required
- Monitor for potential follow-on activity including credential stuffing, brute force attacks, or lateral movement attempts within 72 hours of initial scanning
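The logging, alerting, and follow-on monitoring recommendations above can be expressed as a small detection routine. The following Python script is an added example written for this report, not tooling from the original analysis: it parses constructed, simplified Windows Security log lines (Event ID 4625 failed logon and 4624 successful logon, Logon Type 10 for RDP), counts failed RDP logons per source in a sliding window, matches sources against the reported IOC and a watchlist prefix, and flags any flagged source that subsequently logs in successfully. The log line format, the 10-minute window, the threshold of 5, and the watchlist prefix 203.0.113.0/24 (an RFC 5737 test range standing in for AS201814 address space, which the report does not enumerate) are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a simplified format (assumption: not real Windows
# event text, and not events from the reported incident). Event 4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2026-04-05T10:20:01Z EventID=4625 LogonType=10 SourceIP=149.50.96.56 User=administrator
2026-04-05T10:20:03Z EventID=4625 LogonType=10 SourceIP=149.50.96.56 User=admin
2026-04-05T10:20:05Z EventID=4625 LogonType=10 SourceIP=149.50.96.56 User=backup
2026-04-05T10:20:07Z EventID=4625 LogonType=10 SourceIP=149.50.96.56 User=svc_rdp
2026-04-05T10:20:09Z EventID=4625 LogonType=10 SourceIP=149.50.96.56 User=guest
2026-04-05T10:20:11Z EventID=4625 LogonType=10 SourceIP=149.50.96.56 User=administrator
2026-04-05T10:21:30Z EventID=4624 LogonType=10 SourceIP=149.50.96.56 User=administrator
2026-04-05T10:22:00Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2026-04-05T10:25:00Z EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
2026-04-05T09:00:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jsmith
2026-04-05T09:40:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jsmith
2026-04-05T10:20:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jsmith
2026-04-05T11:00:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jsmith
2026-04-05T11:40:00Z EventID=4625 LogonType=10 SourceIP=198.51.100.9 User=jsmith
2026-04-05T10:30:00Z EventID=4625 LogonType=3 SourceIP=10.0.0.5 User=jsmith
2026-04-05T10:31:00Z EventID=4625 LogonType=10 SourceIP=10.0.0.5 User=jsmith
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"SourceIP=(?P<ip>\S+) User=(?P<user>\S+)"
)

# IOC taken from the report, plus a placeholder watchlist prefix (assumption: an RFC 5737
# test range, used here because the report does not list AS201814 prefixes).
KNOWN_BAD_IPS = {"149.50.96.56"}
WATCHLIST_PREFIXES = [ip_network("203.0.113.0/24")]


def parse_events(text):
    """Parse the simplified log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        })
    return events


def rdp_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for RDP sources that warrant an alert.

    A source is flagged when it produces `threshold` or more failed RDP logons inside
    any `window`, when it matches a known IOC, or when it falls in a watchlisted
    prefix. A successful RDP logon from a flagged source is recorded as possible
    follow-on activity (credential stuffing or brute force that succeeded).
    """
    failures = defaultdict(list)
    successes = set()
    for e in events:
        if e["lt"] != 10:          # only RemoteInteractive (RDP) logons are of interest
            continue
        if e["eid"] == 4625:
            failures[e["ip"]].append(e["ts"])
        elif e["eid"] == 4624:
            successes.add(e["ip"])

    alerts = {}
    for ip in set(failures) | successes:
        times = sorted(failures.get(ip, []))
        # Two-pointer sliding window: largest number of failures inside any `window`.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)

        reasons = []
        if peak >= threshold:
            reasons.append(f"{peak} failed RDP logons within {window}")
        if ip in KNOWN_BAD_IPS:
            reasons.append("matches reported IOC")
        if any(ip_address(ip) in net for net in WATCHLIST_PREFIXES):
            reasons.append("source in watchlisted prefix")
        if reasons and ip in successes:
            reasons.append("successful RDP logon from flagged source (possible credential compromise)")
        if reasons:
            alerts[ip] = {
                "failed_rdp": len(times),
                "peak_in_window": peak,
                "successful_logon": ip in successes,
                "reasons": reasons,
            }
    return alerts


if __name__ == "__main__":
    for ip, finding in rdp_alerts(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

In the sample, 149.50.96.56 is flagged on all three grounds plus the successful logon, 203.0.113.7 is flagged only because of the watchlist prefix (two failures are below the threshold), and 198.51.100.9 is not flagged because its five failures are spread 40 minutes apart and never exceed the window count. Feeding the routine real events means replacing LINE_RE and the timestamp format with whatever the log pipeline emits; the aggregation and matching logic does not depend on the sample format.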