Summary (Bottom Line Up Front)
IP address 167.94.138.120 conducted a focused 4-hour reconnaissance campaign on March 12, 2026, targeting Kubernetes infrastructure with 172 attack events that combined automated scanning with API enumeration techniques. The activity shows medium-severity threat characteristics, with a diversification of tactics that could indicate APT-like behaviour. Immediate hardening of Kubernetes API endpoints and enhanced monitoring of container orchestration platforms are recommended.
Activity Timeline
INITIAL REPORT 2026-03-14T17:52:28Z
Source: batch_hunting
Technical details
The threat actor operated from a US-based IP with no identifiable ASN, conducting attacks between 05:00 and 06:00 using TCP, TLS 1.0/1.2+, and HTTPS against a single destination port. The primary attack vectors were Censys-style automated scanning (11 instances) and bot-based user-agent reconnaissance (11 instances), escalating to Kubernetes-specific API enumeration (3 instances), resource discovery (2 instances), and a version disclosure attempt (1 instance). The concentrated timeframe and the mix of protocols suggest coordinated reconnaissance. Key IOC: 167.94.138.120, exhibiting the K8S_ATTACK and SCANNER behavioural patterns with medium confidence ratings across all detection categories.
IOCs
IP: 167.94.138.120
Country: US
Recommendations
- Implement immediate IP-based blocking for 167.94.138.120 across all network perimeters and Kubernetes ingress controllers
- Audit and restrict Kubernetes API server exposure, ensuring proper authentication and RBAC policies are enforced
- Deploy enhanced monitoring for Kubernetes API endpoints focusing on version disclosure attempts and unauthorized resource enumeration
- Review container orchestration platform configurations to minimize information leakage during reconnaissance attempts
- Establish alerting for concentrated scanning activity that targets a single port within a short timeframe (windows of under 5 hours)
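To make the last recommendation concrete, the following is an added example (not code from the report or its hunting tooling) of the sliding-window aggregation such an alert rule implements: events are grouped by source IP and destination port, and a group is flagged when any window of the configured length holds at least the threshold number of events. The event tuples, the 203.0.113.9 background address, port 443 and the threshold value are constructed assumptions chosen to mirror the 172-events-in-4-hours pattern described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not the report's own data): each event is
# (timestamp, source_ip, destination_port, detection_tag).
def build_sample_events():
    base = datetime(2026, 3, 12, 5, 0)
    events = []
    # 172 events from the reported address to one port, spread over ~4 hours
    for i in range(172):
        events.append((base + timedelta(seconds=i * 83), "167.94.138.120", 443, "SCANNER"))
    # sparse background traffic from an unrelated (constructed) address
    for i in range(3):
        events.append((base + timedelta(hours=i * 2), "203.0.113.9", 443, "SCANNER"))
    return events

def find_concentrated_scanning(events, window=timedelta(hours=5), threshold=100):
    """Return {(source_ip, dst_port): {...}} for every source/port pair whose
    busiest sliding window of length `window` holds >= `threshold` events.
    Each alert records the peak count and the bounds of that window."""
    by_key = defaultdict(list)
    for ts, ip, port, _tag in events:
        by_key[(ip, port)].append(ts)

    alerts = {}
    for key, times in by_key.items():
        times.sort()
        left = 0
        best = None
        for right, ts in enumerate(times):
            # Slide the left edge forward until the window fits within `window`.
            while ts - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"count": count, "first_seen": times[left], "last_seen": ts}
        if best is not None:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (ip, port), hit in find_concentrated_scanning(build_sample_events()).items():
        print(f"ALERT {ip}:{port} {hit['count']} events "
              f"between {hit['first_seen']} and {hit['last_seen']}")
```

Tuning `window` and `threshold` to the local baseline is what separates a useful alert from noise; the constructed data here trips the rule only for the single high-volume source.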