Summary (Bottom Line Up Front)
Vietnamese-origin IP address 152.32.249.95 conducted focused MQTT protocol reconnaissance against IoT infrastructure on March 14, 2026, employing subscription-based enumeration techniques over a 32-minute window. Assessment indicates MEDIUM threat level with potential for IoT device compromise and data exfiltration. Immediate MQTT security hardening and monitoring enhancement recommended.
Activity Timeline
INITIAL REPORT 2026-03-14T17:36:19Z
Source: batch_hunting
Technical details
- Source: 152.32.249.95 (Ho Chi Minh City, VN / AS135377 UCLOUD INFORMATION TECHNOLOGY)
- Timeline: March 14, 2026, 12:00-13:00 UTC (32-minute active period)
- Attack Vector: MQTT protocol exploitation with 43 total events
- Techniques: Wildcard subscription enumeration, system topic reconnaissance, binary payload injection
- MITRE ATT&CK: T1046 (Network Service Scanning), T1040 (Network Sniffing)
- Protocols Observed: MQTT, TLS 1.0, TCP/SYN scanning
- Threat Indicators: AbuseIPDB score 100/100, SSH port exposure, historical malicious flagging
- IOCs: 152.32.249.95
IOCs
IP: 152.32.249.95
ASN: 135377
COUNTRY: VN
Recommendations
- Implement MQTT access control lists (ACLs) restricting wildcard subscriptions and system topic access
- Deploy network segmentation isolating MQTT brokers from critical infrastructure
- Enable comprehensive MQTT broker logging with focus on subscription patterns and binary payloads
- Block traffic from AS135377 UCLOUD INFORMATION TECHNOLOGY pending further analysis
- Audit existing IoT device configurations for default credentials and unnecessary MQTT topic exposure
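One way to act on the logging and subscription-pattern recommendations above, as an added example rather than code from the original report: a small Python check that reads a constructed JSON-lines broker audit log (the record layout and the field names event, src_ip and topic are assumptions) and flags the wildcard and $SYS subscription patterns this report describes.

```python
# Flag MQTT subscription-based reconnaissance (wildcard and $SYS topic
# subscriptions) in a broker audit log. Added illustration, not code from the
# report. The log is a constructed JSON-lines format (one record per broker
# event); adapt the parser to your broker's own log format.
import json
from collections import defaultdict

def is_wildcard_filter(topic_filter: str) -> bool:
    # '#' or '+' at any level enumerates far more than one device needs.
    return any(level in ("#", "+") for level in topic_filter.split("/"))

def is_system_topic(topic_filter: str) -> bool:
    # $SYS/... exposes broker internals: client counts, versions, load.
    return topic_filter.startswith("$SYS")

def analyse_subscriptions(log_lines, wildcard_threshold=3):
    # Returns {src_ip: [reasons]} for clients whose SUBSCRIBE pattern looks like
    # enumeration: a root '#' filter, any $SYS filter, or >= threshold wildcards.
    per_ip = defaultdict(lambda: {"wildcard": [], "system": [], "root": False})
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of stalling the pipeline
        if rec.get("event") != "subscribe":
            continue
        topic = rec.get("topic", "")
        entry = per_ip[rec.get("src_ip")]
        entry["root"] |= topic == "#"
        if is_wildcard_filter(topic):
            entry["wildcard"].append(topic)
        if is_system_topic(topic):
            entry["system"].append(topic)
    findings = {}
    for ip, e in per_ip.items():
        reasons = []
        if e["root"]:
            reasons.append("root-level '#' subscription")
        if len(e["wildcard"]) >= wildcard_threshold:
            reasons.append(f"{len(e['wildcard'])} wildcard subscriptions")
        if e["system"]:
            reasons.append(f"$SYS reconnaissance: {sorted(set(e['system']))}")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample records; 152.32.249.95 is the source named in the report.
SAMPLE_LOG = [
    '{"event":"subscribe","src_ip":"152.32.249.95","topic":"#"}',
    '{"event":"subscribe","src_ip":"152.32.249.95","topic":"$SYS/#"}',
    '{"event":"subscribe","src_ip":"152.32.249.95","topic":"+/+/status"}',
    '{"event":"subscribe","src_ip":"10.0.20.14","topic":"home/hvac/7/setpoint"}',
]
```

Running `analyse_subscriptions(SAMPLE_LOG)` reports only the scanning IP, with three reasons, while the thermostat's single specific subscription is left alone; tune `wildcard_threshold` to what legitimate fleet-management clients on your broker actually use.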