Summary (Bottom Line Up Front)
The IP address 151.252.80.124 (geolocated to the Russian Federation; geolocation is not attribution) conducted sustained SMBv1 reconnaissance over a 7-hour window on March 2, 2026, generating 2,407 connection attempts against a single destination port. The activity is assessed HIGH risk: it targets SMBv1, a protocol with known remote code execution vulnerabilities (MS17-010), and scanning of this kind commonly precedes exploitation attempts. Organizations should audit their SMB exposure now and apply the protective measures listed below.
Activity Timeline
INITIAL REPORT 2026-03-18T00:05:23Z
Source: Analyst Manual Entry
Technical details
- Source: 151.252.80.124 (Russian Federation, ASN unknown)
- Activity Window: March 2, 2026, 11:00 - 18:00 UTC (7 hours)
- Volume: 2,407 connection events, all against a single destination port
- Protocol: SMBv1 (SMB_COM_NEGOTIATE / Negotiate Protocol requests)
- MITRE Technique: T1046 (Network Service Discovery, formerly named Network Service Scanning)
- Kill Chain Phase: Reconnaissance
- Attack Patterns: 780 of the 2,407 events matched SMBv1 detection signatures; the remainder were connection attempts without a completed protocol negotiation
- Risk Assessment: HIGH risk, analyst confidence 85%, based on deliberate targeting of SMBv1, a service class with known remotely exploitable vulnerabilities
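The per-source figures above (event count, activity window, single destination port, signature hit count) are what a detection rule aggregates from raw connection logs. The following is an added example, not code from the original report: it parses a constructed key=value log format, builds the same summary fields per source IP, and flags a source as an SMB scan when it touches many hosts on one port. The log format, field names and thresholds are assumptions for illustration.

```python
"""Aggregate per-source SMB connection attempts into the report's summary
fields and flag sustained scanning.  Added example; the log format and the
thresholds in classify() are assumptions, not taken from the original report."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real telemetry).  One line per connection
# attempt; 'sig' is present only when an IDS signature fired on that attempt.
SAMPLE_LOG = """\
2026-03-02T11:00:03Z src=151.252.80.124 dst=10.0.0.5 dport=445 proto=tcp sig=SMBv1_NEGOTIATE
2026-03-02T11:00:09Z src=151.252.80.124 dst=10.0.0.6 dport=445 proto=tcp
2026-03-02T11:12:41Z src=151.252.80.124 dst=10.0.0.7 dport=445 proto=tcp sig=SMBv1_NEGOTIATE
2026-03-02T12:30:00Z src=151.252.80.124 dst=10.0.0.8 dport=445 proto=tcp
2026-03-02T13:45:17Z src=151.252.80.124 dst=10.0.0.9 dport=445 proto=tcp sig=SMBv1_NEGOTIATE
2026-03-02T17:59:58Z src=151.252.80.124 dst=10.0.0.10 dport=445 proto=tcp
2026-03-02T11:05:00Z src=10.0.0.2 dst=10.0.0.5 dport=445 proto=tcp
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a UTC datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def summarize_by_source(log_text):
    """Group events by source IP and compute the fields used in the report."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_src[rec["src"]].append(rec)

    summary = {}
    for src, recs in per_src.items():
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        summary[src] = {
            "events": len(recs),
            "first_seen": first,
            "last_seen": last,
            "duration_hours": (last - first).total_seconds() / 3600,
            "dst_ports": sorted({int(r["dport"]) for r in recs}),
            "unique_dst_hosts": len({r["dst"] for r in recs}),
            "signature_hits": sum(1 for r in recs if r.get("sig", "").startswith("SMBv1")),
        }
    return summary


def classify(summary, min_events=5, min_hosts=3):
    """Return {src: 'SMB_SCAN'} for sources sweeping one port across many hosts.

    A single port plus many distinct destinations is the horizontal-scan shape
    seen in the report; the thresholds are deliberately low for the sample.
    """
    alerts = {}
    for src, s in summary.items():
        if s["events"] >= min_events and s["unique_dst_hosts"] >= min_hosts and len(s["dst_ports"]) == 1:
            alerts[src] = "SMB_SCAN"
    return alerts


if __name__ == "__main__":
    stats = summarize_by_source(SAMPLE_LOG)
    for src, s in stats.items():
        print(src, s["events"], "events over", round(s["duration_hours"], 2), "h,",
              s["signature_hits"], "signature hits, ports", s["dst_ports"])
    print("alerts:", classify(stats))
```

In production the same aggregation would run over a sliding window rather than the whole file, and the signature count would come from the IDS alert stream joined on (src, dst, time) instead of an inline field.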
IOCs
IP: 151.252.80.124
COUNTRY: RU
Recommendations
- Immediately inventory and disable SMBv1 protocol across all Windows systems and network devices
- Block inbound SMB traffic (ports 139, 445) at network perimeters unless business-critical
- Deploy network segmentation to isolate systems requiring SMB functionality
- Monitor for SMB-based lateral movement indicators following reconnaissance activity
- Apply the latest security patches for SMB-related vulnerabilities, in particular MS17-010 (the SMBv1 flaws exploited by EternalBlue)
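The first recommendation, inventorying SMBv1 exposure, can be verified from the network side with the same message the scanner was sending: an SMB1 Negotiate Protocol request that offers only SMB1 dialects. The following is an added example, not code from the original report; the function names are this example's own, and the sample responses are constructed, not captured traffic. A host that still speaks SMBv1 answers with an SMB1 header and a selected dialect index; a host with SMBv1 disabled typically closes the connection or, if SMB2 dialects had been offered, answers with an SMB2 header. Only run the live probe against hosts you are authorised to test.

```python
"""Check whether a host accepts SMBv1 by sending an SMB1 Negotiate Protocol
request (MS-CIFS SMB_COM_NEGOTIATE) that offers only SMB1 dialects.
Added example; probe_smb1()/parse_negotiate_response() are this example's names."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECTS = ("PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12")


def _smb1_header(command, flags):
    """32-byte SMB1 header; all session identifiers are zero for a fresh connection."""
    return (SMB1_MAGIC + bytes([command])
            + struct.pack("<I", 0)            # NT_STATUS
            + bytes([flags])                  # Flags (0x18: case-insensitive, canonical paths)
            + struct.pack("<H", 0xC853)       # Flags2: unicode, NT status, ext. security, long names
            + struct.pack("<H", 0)            # PIDHigh
            + bytes(8)                        # SecurityFeatures
            + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 0))  # Reserved, TID, PIDLow, UID, MID


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """NetBIOS session message carrying an SMB1 Negotiate request for the given dialects."""
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(dialect_bytes)) + dialect_bytes  # WordCount=0, ByteCount
    smb = _smb1_header(SMB_COM_NEGOTIATE, 0x18) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS: type 0x00 + 3-byte length


def parse_negotiate_response(data):
    """Classify a server reply: SMB1 with an accepted dialect, SMB1 rejecting all, SMB2+, or unknown."""
    if len(data) >= 4 and data[0] == 0x00:  # strip the NetBIOS session header
        data = data[4:]
    if data.startswith(SMB2_MAGIC):
        return {"protocol": "SMB2+", "smb1_accepted": False}
    if not data.startswith(SMB1_MAGIC) or len(data) < 35:
        return {"protocol": "unknown", "smb1_accepted": False}
    command, flags, word_count = data[4], data[9], data[32]
    if command != SMB_COM_NEGOTIATE or not flags & 0x80 or word_count == 0:  # 0x80 = reply
        return {"protocol": "SMB1", "smb1_accepted": False}
    dialect_index = struct.unpack_from("<H", data, 33)[0]  # 0xFFFF means no dialect accepted
    return {"protocol": "SMB1", "smb1_accepted": dialect_index != 0xFFFF,
            "dialect_index": dialect_index}


def probe_smb1(host, port=445, timeout=3.0):
    """Live probe: connect, send the SMB1-only Negotiate, classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    if not data:
        return {"protocol": "no-response", "smb1_accepted": False}
    return parse_negotiate_response(data)


def sample_response(dialect_index):
    """Constructed SMB1 Negotiate reply (WordCount=17) selecting dialect_index; not captured traffic."""
    params = struct.pack("<H", dialect_index) + bytes(32)  # DialectIndex + remaining 16 words zeroed
    smb = _smb1_header(SMB_COM_NEGOTIATE, 0x98) + bytes([17]) + params + struct.pack("<H", 0)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(target, probe_smb1(target))
    else:
        print("accepting server:", parse_negotiate_response(sample_response(2)))
        print("rejecting server:", parse_negotiate_response(sample_response(0xFFFF)))
```

Run it without arguments to see the parser on the constructed replies, or with a hostname to probe a system you own. A result of `smb1_accepted: True` on any host reachable from an untrusted network is exactly the exposure the scanner above was looking for.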