Summary (Bottom Line Up Front)
A single threat actor (152.32.149.19) conducted targeted reconnaissance against Fortinet infrastructure on March 4, 2026, between 17:00-18:00 UTC, generating 148 malicious events focused on FortiGate device enumeration and login page discovery. The activity represents a MEDIUM threat level indicating preparation for potential exploitation of network security appliances. Organizations operating Fortinet devices should immediately review access controls and monitoring for their perimeter security infrastructure.
Activity Timeline
UPDATE 2026-03-22T08:24:37Z
Source: Analyst Manual Entry
New findings
The attacker used HTTPS over TCP, negotiating TLS 1.0 as well as TLS 1.2 or later, against two unique destination ports. Signature-matched events were FortiGate unknown-path probing (3 instances) and login-page reconnaissance (1 instance), mapped to MITRE ATT&CK T1590.001 (Gather Victim Network Information: Domain Properties) and T1595.002 (Active Scanning: Vulnerability Scanning). The source IP 152.32.149.19 is announced by UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED (AS135377) and carries the maximum AbuseIPDB abuse confidence score of 100/100, meaning the address has been widely and repeatedly reported for malicious activity. The pattern is consistent with systematic enumeration of Fortinet administrative interfaces in preparation for credential attacks or exploit attempts.
Recommendations
- Block 152.32.149.19 at the perimeter and monitor for further reconnaissance from AS135377 network ranges
- Audit all FortiGate administrative interface access controls, restrict administrator accounts to trusted source hosts, and ensure management interfaces are not reachable from untrusted networks
- Enable enhanced logging on Fortinet devices and alert on repeated authentication failures and on requests to unexpected administrative paths from a single source
- Conduct immediate review of FortiGate firmware versions and apply latest security patches for known vulnerabilities
- Implement network segmentation to isolate security appliance management interfaces from internet-accessible networks
INITIAL REPORT 2026-03-14T12:34:56Z
Source: Analyst Manual Entry
Internet-facing sensors observed a cloud-hosted actor conducting targeted reconnaissance against Fortinet infrastructure over a 28-minute period on 2026-03-04, generating 148 events within the 17:00-18:00 UTC hour. The focused probing of FortiGate devices, including medium-severity exploitation attempts, and the event rate indicate automated tooling with the specific intent to identify and potentially compromise Fortinet security appliances.
Technical details
The actor operated from 152.32.149.19 (AS135377, UCLOUD INFORMATION TECHNOLOGY) and targeted two unique destination ports with HTTPS over TCP, negotiating both TLS 1.0 and TLS 1.2 or later. Observed techniques map to MITRE ATT&CK T1595.002 (Active Scanning: Vulnerability Scanning) and T1190 (Exploit Public-Facing Application). Traffic analysis revealed FORTI_PROBE signature hits against unknown FortiGate paths (3 instances) and FORTI_RECON hits against the FortiGate login interface (1 instance). The source host exposed only SSH (port 22) and carried the maximum AbuseIPDB abuse confidence score of 100/100, indicating persistently reported abuse. No reverse DNS record existed for the attacking infrastructure.
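The FORTI_PROBE / FORTI_RECON classification described above, and the recommendation in the update to alert on administrative-path enumeration, can be reproduced against ordinary web or sensor logs. The following is an added Python example written for this page; it is not the sensor's signature logic or any Fortinet tooling. The log format, the FortiGate path lists and the sample lines are constructed assumptions for the example; only the tag names and the ATT&CK mapping come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Known FortiGate web-UI / SSL-VPN portal paths. A hit on one of these is
# tagged FORTI_RECON (login-page discovery); any other request under a
# FortiGate-style prefix is tagged FORTI_PROBE (unknown-path probing).
# These lists are assumptions for the example, not the sensor's signature set.
FORTI_LOGIN_PATHS = {"/remote/login", "/login", "/remote/fgt_lang"}
FORTI_PREFIXES = ("/remote/", "/api/v2/")

# ATT&CK mapping used in the report for each tag.
TECHNIQUES = {
    "FORTI_RECON": "T1590.001",
    "FORTI_PROBE": "T1595.002",
}

# Simplified record format assumed for the example:
# "<iso8601 UTC> <src_ip> <dst_port> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["port"] = int(rec["port"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def classify_path(path):
    """Return FORTI_RECON, FORTI_PROBE or None for a request path."""
    if path in FORTI_LOGIN_PATHS:
        return "FORTI_RECON"
    if path.startswith(FORTI_PREFIXES):
        return "FORTI_PROBE"
    return None


def find_enumeration(log_text, threshold=3, window=timedelta(minutes=60)):
    """Group tagged events per source IP and alert on any source that produces
    at least `threshold` FortiGate-related requests inside a sliding `window`."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify_path(rec["path"])
        if tag:
            rec["tag"] = tag
            per_src[rec["src"]].append(rec)

    alerts = {}
    for src, events in per_src.items():
        events.sort(key=lambda r: r["ts"])
        # For each event, count tagged events from the same source in the preceding window.
        triggered = False
        for i, ev in enumerate(events):
            start = ev["ts"] - window
            if sum(1 for e in events[: i + 1] if e["ts"] >= start) >= threshold:
                triggered = True
                break
        if not triggered:
            continue
        tags = [e["tag"] for e in events]
        alerts[src] = {
            "recon": tags.count("FORTI_RECON"),
            "probe": tags.count("FORTI_PROBE"),
            "ports": sorted({e["port"] for e in events}),
            "first_seen": events[0]["ts"].isoformat(),
            "last_seen": events[-1]["ts"].isoformat(),
            "techniques": sorted({TECHNIQUES[t] for t in tags}),
        }
    return alerts


# Constructed sample lines for the example; not sensor data from the report.
SAMPLE_LOG = """\
2026-03-04T17:02:11Z 152.32.149.19 443 GET /remote/login 200
2026-03-04T17:02:13Z 152.32.149.19 443 GET /remote/xyz123 404
2026-03-04T17:02:15Z 152.32.149.19 10443 GET /api/v2/monitor/system/status 401
2026-03-04T17:02:18Z 152.32.149.19 443 GET /remote/admin 404
2026-03-04T17:05:40Z 198.51.100.7 443 GET /index.html 200
2026-03-04T17:09:02Z 203.0.113.5 443 GET /remote/login 200
2026-03-04T17:30:00Z 152.32.149.19 443 GET /remote/login 200
"""

if __name__ == "__main__":
    for src, alert in find_enumeration(SAMPLE_LOG).items():
        print(src, alert)
```

A single visit to the login page (203.0.113.5 in the sample) does not alert; three or more FortiGate-related requests from one source within the hour does, and the alert carries the recon/probe split, the destination ports and the ATT&CK techniques so it can be triaged against the IOC list directly. Tune `threshold` and `window` to the baseline of the device being watched.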
IOCs
IP: 152.32.149.19
ASN: 135377
COUNTRY: US