Summary (Bottom Line Up Front)
External threat actor at 154.0.30.234 (Côte d'Ivoire/AS37190) conducted extensive SMBv1 reconnaissance against network infrastructure over an 18-day period ending March 5, 2026 21:00 UTC. Assessment: HIGH threat level with 85% confidence, based on 60,881 events targeting legacy SMB protocols vulnerable to critical exploits, including EternalBlue-class attacks. Immediate SMBv1 disabling and network segmentation required.
Activity Timeline
UPDATE 1 2026-03-10T14:17:00Z
Source: Analyst Manual Entry
New findings
Threat actor leveraged multiple protocols (EtherNet/IP, Modbus, SMB, TCP) in a reconnaissance phase targeting 2 unique destination ports. Primary attack vectors included SMBv1 protocol negotiation attempts (20,593 events) and legacy NT LM 0.12 dialect enumeration (11,710 events). Activity maps to MITRE T1046 (Network Service Scanning) within the reconnaissance kill-chain phase. Source infrastructure shows no current abuse reputation (AbuseIPDB: 0/100), with open services on ports 22, 80, 2222, 8443. IOC: 154.0.30.234 (Atlantique Telecom Côte d'Ivoire/AS37190).
Recommendations
- Immediately disable SMBv1 protocol across all Windows systems and network shares
- Implement network segmentation to isolate critical infrastructure from external SMB access
- Deploy enhanced monitoring for SMB traffic anomalies and legacy protocol usage
- Block source IP 154.0.30.234 and consider ASN-level filtering for AS37190 if operationally feasible
- Conduct vulnerability assessment focusing on SMB-exposed systems and apply EternalBlue patches
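As an added example (not part of the original report), the aggregation behind the counters cited above: per-source SMBv1 event counts, NT LM 0.12 dialect hits, distinct destination ports and active window, scored with assumed thresholds over constructed sensor events. The pattern names and dialect string follow the report; the internal host 10.0.0.5, the SMB2 pattern name and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern names and dialect string as they appear in the report's findings.
SMB1_PATTERNS = {"smb_smb1_usage", "smb1_detected"}
LEGACY_DIALECT = "NT LM 0.12"


def build_sample_events():
    """Constructed sensor events, not captured traffic: the reported source
    negotiates SMBv1 on 445/139 every 3 hours for ~18 days, while an internal
    host (assumed 10.0.0.5) only speaks SMB2."""
    start = datetime(2026, 2, 15, 14, 3, 15)
    events = []
    for i in range(150):
        events.append({"ts": start + timedelta(hours=3 * i), "src": "154.0.30.234",
                       "dst_port": 445 if i % 2 == 0 else 139,
                       "pattern": "smb_smb1_usage" if i % 3 else "smb1_detected",
                       "dialect": LEGACY_DIALECT})
    for i in range(5):  # assumed benign SMB2 traffic; pattern name is made up
        events.append({"ts": start + timedelta(days=i), "src": "10.0.0.5",
                       "dst_port": 445, "pattern": "smb2_negotiate",
                       "dialect": "SMB 2.002"})
    return events


def profile_sources(events):
    """Aggregate the per-source counters the report keys its assessment on."""
    profiles = defaultdict(lambda: {"total": 0, "smb1": 0, "legacy_dialect": 0,
                                    "dst_ports": set(), "first": None, "last": None})
    for e in events:
        p = profiles[e["src"]]
        p["total"] += 1
        p["smb1"] += int(e["pattern"] in SMB1_PATTERNS)
        p["legacy_dialect"] += int(e.get("dialect") == LEGACY_DIALECT)
        p["dst_ports"].add(e["dst_port"])
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    return profiles


def assess(profile, min_smb1=100, min_days=7):
    """Assumed scoring: sustained, high-volume SMBv1 probing is HIGH; any SMBv1
    negotiation is at least MEDIUM, since SMBv1 should not be reachable at all."""
    active_days = (profile["last"] - profile["first"]).days
    if profile["smb1"] >= min_smb1 and active_days >= min_days:
        return "HIGH"
    return "MEDIUM" if profile["smb1"] else "LOW"


if __name__ == "__main__":
    for src, p in profile_sources(build_sample_events()).items():
        print(src, p["total"], sorted(p["dst_ports"]), assess(p))
```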
INITIAL REPORT 2026-03-10T11:57:00Z
Source: Analyst Manual Entry
Malicious activity detected from 154.0.30.234 (CI, AS37190). 56,492 events observed across EtherNet/IP, Modbus, SMB, TCP, TCP/SYN. AI verdict: UNKNOWN.
Technical details
Protocols: EtherNet/IP, Modbus, SMB, TCP, TCP/SYN, auto, smb
Attack types: SMB
Unique destination ports: 2
Active window: 2026-02-15 14:03:15.137764 to 2026-03-05 21:44:40.054776
Top patterns: smb_smb1_usage, smb1_detected
IOCs
IP: 154.0.30.234
ASN: 37190
COUNTRY: CI
Recommendations
- Block 154.0.30.234 at perimeter firewall
- Monitor other traffic from AS37190
- Review correlated attacker profiles for campaign links