165.154.104.88

Summary (Bottom Line Up Front)

Threat actor at 165.154.104.88 (Vietnam/UCLOUD) conducted low-severity reconnaissance targeting Kubernetes dashboard resources over a 15-minute window on 2026-03-13 19:00-20:00 UTC. Assessment indicates automated scanning activity with medium-confidence targeting of container orchestration infrastructure. Recommend enhanced monitoring of Kubernetes endpoints and implementation of dashboard access controls.

Protocols observed: HTTP, TCP, TCP/SYN, TLS/1.0, HTTPS
Activity Timeline
UPDATE 2 (2026-03-21T14:59:30Z)
Source: Analyst Manual Entry
Threat actor at 165.154.104.88 (Vietnam/UCLOUD) conducted low-severity reconnaissance targeting Kubernetes dashboard resources over a 15-minute window on 2026-03-13 19:00-20:00 UTC. Assessment indicates automated scanning activity with medium-confidence targeting of container orchestration infrastructure. Recommend enhanced monitoring of Kubernetes endpoints and implementation of dashboard access controls.
New findings
Source IP 165.154.104.88 generated 46 events across the HTTP/HTTPS protocols using TLS 1.0, targeting a single destination port, with a focus on Kubernetes dashboard access attempts (8 instances) and general scanning behavior (3 instances). The activity maps to MITRE T1595.002 (Active Scanning: Vulnerability Scanning) in the reconnaissance phase of the cyber kill chain. The attacker used a Go HTTP client user agent, suggesting automated tooling rather than manual exploitation attempts. An AbuseIPDB reputation score of 100/100 indicates previously reported malicious activity from this infrastructure.
Recommendations
  • Implement network-level blocking of 165.154.104.88 and monitor for additional reconnaissance from AS135377 UCLOUD infrastructure
  • Review and harden Kubernetes dashboard configurations, ensuring authentication requirements and network segmentation are properly configured
  • Deploy enhanced logging and alerting for Kubernetes API server access attempts, particularly from external IP ranges
  • Conduct audit of exposed Kubernetes services and implement principle of least privilege for dashboard access
  • Monitor for escalation indicators including authentication attempts, pod enumeration, or container deployment activities from related threat infrastructure
UPDATE 1 (2026-03-14T17:41:39Z)
Source: batch_hunting
A critical threat actor operating from Vietnamese cloud infrastructure (165.154.104.88) conducted 46 targeted attacks against Kubernetes environments over a 15-minute window on 2026-03-13 19:00-20:00 UTC. The attacker specifically targeted Kubernetes dashboard interfaces with scanning reconnaissance, indicating potential APT-level sophistication. Immediate Kubernetes security hardening and monitoring enhancement is recommended.
New findings
The threat actor leveraged HTTP/HTTPS protocols with TLS 1.0 encryption to conduct reconnaissance and exploitation attempts. Primary attack vectors included Kubernetes dashboard access attempts (8 instances) and automated scanning with bot user agents (3 instances). The concentrated attack timeframe and the specific targeting of container orchestration platforms suggest reconnaissance for lateral movement or privilege escalation opportunities. The source IP maintains a maximum AbuseIPDB reputation score (100/100) and originates from UCLOUD INFORMATION TECHNOLOGY HK LIMITED (AS135377) infrastructure in Vietnam. Attack patterns align with MITRE ATT&CK techniques T1613 (Container and Resource Discovery) and T1595 (Active Scanning).
Recommendations
  • Block source IP 165.154.104.88 and monitor for additional activity from AS135377 network ranges
  • Audit all Kubernetes dashboard configurations to ensure proper authentication and network segmentation
  • Implement enhanced logging for Kubernetes API server access attempts and dashboard authentication failures
  • Review TLS configurations to disable deprecated TLS 1.0 protocol across container infrastructure
  • Deploy additional monitoring for automated scanning patterns targeting container orchestration platforms
INITIAL REPORT (2026-03-14T08:40:43Z)
Source: Analyst Manual Entry
Internet-facing sensors observed a Vietnam-based threat actor (165.154.104.88) conducting targeted Kubernetes infrastructure reconnaissance and automated scanning activities over a 15-minute window on 2026-03-13. The actor demonstrated HIGH threat level behavior through focused exploitation attempts against container orchestration platforms and systematic service enumeration. Activity patterns indicate an automated threat actor with specific interest in cloud-native infrastructure components.
Technical details
The threat actor operated from ASN AS135377 (UCLOUD INFORMATION TECHNOLOGY HK LIMITED) utilizing multiple protocols including HTTP, HTTPS, TCP, and legacy TLS/1.0 implementations. Primary attack vectors focused on Kubernetes Dashboard access attempts (MITRE T1190 - Exploit Public-Facing Application) with 8 distinct exploitation events targeting container management interfaces. Secondary reconnaissance activities employed automated scanning techniques (MITRE T1046 - Network Service Scanning) with 3 instances of bot-based user agent enumeration. The actor concentrated all malicious traffic against a single destination port, indicating targeted rather than opportunistic scanning behavior. Traffic analysis revealed the use of both encrypted (TLS/1.0, HTTPS) and plaintext (HTTP) protocols, suggesting attempts to evade detection through protocol diversification.
IOCs
IP: 165.154.104.88
ASN: 135377
COUNTRY: VN