Summary (Bottom Line Up Front)
Automated reconnaissance scanning targeting Kubernetes kubelet API port 10250 observed from Singapore-based IP 167.172.64.18 on 2026-03-04 at 23:00 hours. Assessment indicates MEDIUM threat level with potential for cluster enumeration leading to container escape or compromise if kubelet APIs are misconfigured. Organizations running Kubernetes clusters should immediately verify kubelet API security configurations and implement enhanced monitoring.
Activity Timeline
INITIAL REPORT 2026-03-23T13:22:06Z
Source: Analyst Manual Entry
Technical details
Attack Vector: TCP/HTTPS reconnaissance scan against port 10250 using a Go HTTP client user agent, 14 events within a 1-second timeframe.
MITRE Technique: T1595.002 (Active Scanning: Vulnerability Scanning), reconnaissance phase.
Source Attribution: 167.172.64.18 (Singapore, AbuseIPDB score 49/100, no VPN detected).
Attack Pattern: Automated scanner behavior consistent with Kubernetes cluster discovery and potential kubelet API enumeration.
IOCs: Go-http-client user agent string, communications targeting port 10250/HTTPS, concentrated burst scanning pattern.
IOCs
IP: 167.172.64.18
COUNTRY: SG
Recommendations
- Audit all Kubernetes kubelet configurations to ensure authentication is enabled (--anonymous-auth=false) and authorization is properly configured
- Implement network segmentation to restrict kubelet API access (port 10250) to authorized management networks only
- Deploy monitoring rules to detect unauthorized access attempts against kubelet APIs and other Kubernetes control plane components
- Review firewall rules to block external access to Kubernetes management ports (10250, 6443, 2379-2380) from untrusted networks
- Conduct immediate security assessment of any internet-facing Kubernetes infrastructure to identify potential exposure risks
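The configuration audit in the first recommendation and the monitoring rule in the third, worked through as an added Python example that is not part of this advisory. It assumes a kubelet configuration supplied as a JSON KubeletConfiguration document (the kubelet's --config file may be JSON or YAML), a constructed access-log line format with src=, dst_port= and ua= fields, and a chosen alert threshold of 10 requests per second; settings absent from the configuration are reported so the operator confirms them explicitly. All sample data is constructed.

```python
"""
Added example (not part of the advisory): two defender-side checks.

1. audit_kubelet_config(): inspects a KubeletConfiguration document for the
   settings the advisory calls out (anonymous auth disabled, authorization
   not AlwaysAllow).
2. detect_kubelet_burst(): scans access-log lines for the pattern in the
   technical details: many requests to port 10250 from one source inside a
   one-second window, carrying a Go-http-client user agent.

All sample data below is constructed for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed kubelet configuration in the weak state the advisory warns about.
WEAK_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
})

# The same document with the settings the advisory recommends.
HARDENED_KUBELET_CONFIG = json.dumps({
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})


def audit_kubelet_config(doc: str) -> List[str]:
    """Return findings for a JSON KubeletConfiguration; empty list means all checks passed.
    Assumption: a setting that is not explicitly present is reported as a finding."""
    cfg = json.loads(doc)
    findings = []
    auth = cfg.get("authentication", {})
    # Equivalent of --anonymous-auth=false: unauthenticated requests must be rejected.
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("anonymous authentication is enabled")
    # Webhook authentication lets the kubelet validate bearer tokens via the API server.
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("webhook authentication is disabled")
    # AlwaysAllow skips authorization entirely; Webhook delegates to the API server.
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization mode is AlwaysAllow")
    return findings


# Constructed log format: "<ISO8601 ts> src=<ip> dst_port=<port> method=<m> path=<p> ua="<agent>""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) method=\S+ path=\S+ ua="(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"ts": ts, "src": m["src"], "port": int(m["port"]), "ua": m["ua"]}


def detect_kubelet_burst(lines: Iterable[str], threshold: int = 10,
                         window_seconds: float = 1.0) -> Dict[str, int]:
    """Return {source_ip: peak_requests_in_window} for sources that hit port 10250
    with a Go-http-client user agent at least `threshold` times within the window."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["port"] != 10250:
            continue
        if not ev["ua"].startswith("Go-http-client"):
            continue
        events[ev["src"]].append(ev["ts"])
    alerts = {}
    for src, stamps in events.items():
        stamps.sort()
        j = 0
        peak = 0
        # Sliding window: for each end index i, advance start j until the span fits.
        for i in range(len(stamps)):
            while (stamps[i] - stamps[j]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


# Constructed sample log: 14 scanner requests in under one second from the
# advisory's source IP, plus benign probe traffic and a single non-burst request.
SAMPLE_LOG = [
    f'2026-03-04T23:00:00.{i * 50:03d}Z src=167.172.64.18 dst_port=10250 method=GET '
    f'path=/pods ua="Go-http-client/1.1"'
    for i in range(14)
] + [
    '2026-03-04T23:00:05.000Z src=10.0.0.5 dst_port=10250 method=GET path=/healthz ua="kube-probe/1.29"',
    '2026-03-04T23:00:07.000Z src=10.0.0.9 dst_port=10250 method=GET path=/metrics ua="Go-http-client/1.1"',
    '2026-03-04T22:59:00.000Z src=203.0.113.7 dst_port=443 method=GET path=/ ua="Go-http-client/1.1"',
]


if __name__ == "__main__":
    print("weak config findings:", audit_kubelet_config(WEAK_KUBELET_CONFIG))
    print("hardened config findings:", audit_kubelet_config(HARDENED_KUBELET_CONFIG))
    print("burst alerts:", detect_kubelet_burst(SAMPLE_LOG))
```

Run as a script it reports three findings for the weak configuration, none for the hardened one, and a single alert for 167.172.64.18 with a peak of 14 requests in the one-second window; the lone Go-http-client request from 10.0.0.9 stays below threshold and the port-443 line is ignored.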