164.77.85.244

Summary (Bottom Line Up Front)

A Windows Server 2012 host originating from Chilean telecommunications infrastructure conducted SMBv1 protocol reconnaissance against network sensors over a 49-hour period from March 5-7, 2026. The activity represents MEDIUM threat level reconnaissance operations targeting legacy SMB services. The actor demonstrated focused scanning behavior with 24 total events across 2 unique destination ports.

Tags: SMB, TCP, auto smb
Activity Timeline
UPDATE 1 2026-03-14T16:21:49Z
Source: Analyst Manual Entry
New findings
The threat actor utilized deprecated SMBv1 protocol negotiation attempts against target infrastructure. Traffic analysis revealed consistent SMB protocol abuse patterns, specifically legacy SMBv1 usage, which exposes targets to critical vulnerabilities including the MS17-010 (EternalBlue) exploitation vector. The activity maps to MITRE ATT&CK technique T1046 (Network Service Scanning) within the Reconnaissance phase of the cyber kill chain. No active exploit payloads were observed, indicating the activity remained in the discovery phase. Key indicators include source IP 164.77.85.244 operating from ASN AS27651 (ENTEL CHILE S.A.) with an AbuseIPDB reputation score of 100/100. The host presented an exposed attack surface, with ports 80, 1433, 3389, and 5985 accessible, suggesting a potentially compromised Windows Server 2012 system being leveraged for reconnaissance operations.
INITIAL REPORT 2026-03-10T15:05:42Z
Source: Analyst Manual Entry
A Windows Server 2012 host at 164.77.85.244 (ENTEL CHILE S.A.) conducted SMB reconnaissance activities over a 48-hour period from March 5-7, 2026, attempting deprecated SMBv1 protocol negotiations. This activity represents medium-risk reconnaissance likely targeting vulnerable SMB services for potential EternalBlue-style exploitation. Network defenders should immediately block this IP and audit SMB service exposure.
Technical details
The threat actor conducted 24 reconnaissance events using SMBv1 protocol against multiple targets, indicating systematic enumeration of network services. Primary attack patterns included SMBv1 detection attempts (10 instances) and legacy SMB usage probes (2 instances), mapping to MITRE technique T1046 (Network Service Scanning). The source system exhibits high-risk indicators including a 100/100 AbuseIPDB reputation score and exposed services on ports 80, 1433, 3389, and 5985. While no active exploits were observed, the focus on deprecated SMBv1 suggests preparation for EternalBlue (CVE-2017-0144) or similar SMB-based attacks.
IOCs
IP: 164.77.85.244
ASN: 27651
COUNTRY: CL
Recommendations
  • Block IP address 164.77.85.244 at network perimeter and consider blocking the entire ASN AS27651 if operationally feasible
  • Audit all SMB services for SMBv1 exposure and disable SMBv1 protocol on all Windows systems immediately
  • Review firewall rules to ensure SMB ports (445, 139) are not exposed to external networks
  • Deploy network monitoring for SMB reconnaissance patterns and implement rate limiting on SMB connection attempts
  • Conduct vulnerability assessment focusing on SMB services and apply latest security patches for SMB-related CVEs
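The "SMBv1 detection attempts" counted in the technical details and the monitoring recommendation above both come down to one observable: an SMB1-framed Negotiate request (header magic 0xFF "SMB", command 0x72) advertising legacy dialects such as "NT LM 0.12", as opposed to a direct SMB2 NEGOTIATE (magic 0xFE "SMB", command 0x0000). The following is an added example, not part of this report or of any sensor's own code, showing how a defender can parse that distinction from raw NetBIOS-framed SMB frames and aggregate per source to flag T1046-style reconnaissance. The sample events, the source addresses (RFC 5737 documentation ranges) and the alert threshold are all constructed assumptions; the field offsets follow the MS-CIFS and MS-SMB2 header layouts.

```python
import struct
from collections import Counter, defaultdict

# Protocol constants from the SMB1 (MS-CIFS) and SMB2 (MS-SMB2) header layouts.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB1_ALERT_THRESHOLD = 3  # assumed tunable: SMB1 Negotiates from one source before alerting


def build_smb1_negotiate(dialects):
    """Construct a NetBIOS-framed SMB1 Negotiate request (constructed sample data only)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE])
    header += b"\x00" * 4                                 # Status
    header += b"\x18"                                     # Flags
    header += struct.pack("<H", 0xC853)                   # Flags2
    header += b"\x00" * 2                                 # PIDHigh
    header += b"\x00" * 8                                 # SecurityFeatures
    header += b"\x00" * 2                                 # Reserved
    header += struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0)  # TID, PIDLow, UID, MID
    body = b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialect list
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message framing


def build_smb2_negotiate(dialects):
    """Construct a NetBIOS-framed SMB2 NEGOTIATE request (constructed sample data only)."""
    header = SMB2_MAGIC + struct.pack("<HHI", 64, 0, 0)   # StructureSize, CreditCharge, Status
    header += struct.pack("<HH", SMB2_NEGOTIATE, 1)       # Command, CreditRequest
    header += struct.pack("<IIQ", 0, 0, 0)                # Flags, NextCommand, MessageId
    header += struct.pack("<IIQ", 0, 0, 0)                # Reserved, TreeId, SessionId
    header += b"\x00" * 16                                # Signature
    body = struct.pack("<HHHHI", 36, len(dialects), 1, 0, 0)  # StructureSize .. Capabilities
    body += b"\x00" * 16 + b"\x00" * 8                    # ClientGuid, ClientStartTime
    body += struct.pack(f"<{len(dialects)}H", *dialects)  # requested SMB2/3 dialect codes
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_smb_request(frame):
    """Return (version, command, dialects) for an SMB1/SMB2 request, or None if not SMB."""
    if len(frame) < 4 + 32 or frame[0] != 0x00:
        return None
    nb_len = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + nb_len]
    if smb.startswith(SMB1_MAGIC):
        command = smb[4]
        dialects = []
        if command == SMB1_COM_NEGOTIATE and len(smb) >= 35:
            byte_count = struct.unpack_from("<H", smb, 33)[0]   # after WordCount at offset 32
            for chunk in smb[35:35 + byte_count].split(b"\x00"):
                if chunk.startswith(b"\x02"):                   # 0x02 = dialect string marker
                    dialects.append(chunk[1:].decode("ascii", "replace"))
        return ("SMB1", command, dialects)
    if smb.startswith(SMB2_MAGIC):
        command = struct.unpack_from("<H", smb, 12)[0]
        dialects = []
        if command == SMB2_NEGOTIATE and len(smb) >= 64 + 36:
            count = struct.unpack_from("<H", smb, 64 + 2)[0]     # DialectCount in the body
            dialects = [f"0x{d:04x}" for d in struct.unpack_from(f"<{count}H", smb, 64 + 36)]
        return ("SMB2", command, dialects)
    return None


def detect_smb1_recon(events, threshold=SMB1_ALERT_THRESHOLD):
    """events: iterable of (src_ip, dst_port, frame_bytes). Returns {src_ip: summary} for every
    source that issued at least `threshold` SMB1 Negotiate requests across the sensor's ports."""
    per_src = defaultdict(lambda: {"smb1_negotiates": 0, "smb2_negotiates": 0,
                                   "ports": set(), "dialects": Counter()})
    for src, dport, frame in events:
        parsed = classify_smb_request(frame)
        if parsed is None:
            continue
        version, command, dialects = parsed
        stats = per_src[src]
        stats["ports"].add(dport)
        if version == "SMB1" and command == SMB1_COM_NEGOTIATE:
            stats["smb1_negotiates"] += 1
            stats["dialects"].update(dialects)
        elif version == "SMB2" and command == SMB2_NEGOTIATE:
            stats["smb2_negotiates"] += 1
    alerts = {}
    for src, stats in per_src.items():
        if stats["smb1_negotiates"] >= threshold:
            alerts[src] = {
                "technique": "T1046",
                "smb1_negotiates": stats["smb1_negotiates"],
                "ports": sorted(stats["ports"]),
                # dialects other than "SMB 2.xxx" mean the client is willing to speak real SMB1
                "legacy_dialects": sorted(d for d in stats["dialects"] if not d.startswith("SMB 2.")),
            }
    return alerts


# Constructed sample sensor events: one SMB1 scanner sweeping 445 and 139, one SMB2-only
# client, and one non-SMB frame that the classifier must ignore.
SAMPLE_EVENTS = [
    ("192.0.2.10", 445, build_smb1_negotiate(["NT LM 0.12"])),
    ("192.0.2.10", 139, build_smb1_negotiate(["NT LM 0.12"])),
    ("192.0.2.10", 445, build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])),
    ("192.0.2.10", 445, build_smb1_negotiate(["NT LM 0.12"])),
    ("198.51.100.5", 445, build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])),
    ("198.51.100.5", 445, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, summary in detect_smb1_recon(SAMPLE_EVENTS).items():
        print(src, summary)
```

Two points worth keeping in mind when running something like this against real captures: a patched-but-SMB1-enabled Windows client still opens with an SMB1-framed multi-protocol Negotiate that lists "SMB 2.???" alongside "NT LM 0.12", so a single such request is not malicious on its own, which is why the alert keys on the count per source and the spread of destination ports rather than on one frame; and because the signal is the dialect list in the Negotiate request, it is visible on the sensor even when the connection is dropped immediately afterwards, matching the "no exploit payload observed" situation in this report.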