Summary (Bottom Line Up Front)
IP address 167.94.138.203 conducted reconnaissance against MQTT infrastructure between March 12 and 17, 2026, combining handshakes in the deprecated TLS 1.0 protocol against the MQTTS port with unauthorized SUBSCRIBE attempts, including wildcard subscriptions. The activity is assessed as a MEDIUM threat: it is consistent with preparation for compromise of IoT/MQTT infrastructure rather than exploitation itself. Network defenders should promptly audit MQTT broker configurations, enforce a TLS 1.2 minimum, and tighten subscription access controls.
Activity Timeline
INITIAL REPORT 2026-03-18T00:13:55Z
Source: Analyst Manual Entry
Technical details
- Source: 167.94.138.203 (US-based, ASN unknown, clean reputation)
- Activity Window: March 12, 2026 21:00 to March 17, 2026 12:00 (49 events in total)
- Protocols: TLS 1.0 and TLS 1.2+ handshakes, MQTT (plaintext) and MQTTS (MQTT over TLS), across 2 unique destination ports, one of them 8883/tcp
- Attack Patterns: MQTT SUBSCRIBE attempts with binary payloads, and wildcard subscription enumeration (the MQTT wildcards '#' and '+', which a permissive broker answers with every matching topic)
- MITRE Technique: T1595.002 (Active Scanning: Vulnerability Scanning)
- Kill Chain Phase: Reconnaissance
- IOCs: TLS 1.0 handshakes against port 8883 (TLS 1.0 is deprecated by RFC 8996), unauthorized MQTT SUBSCRIBE operations
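As an added example, not part of the original report, the following Python script implements the detection logic implied by the IOCs above: it flags deprecated TLS handshakes against MQTT ports and wildcard SUBSCRIBE filters, then correlates both per source IP so that a single source tripping several classes stands out. The log lines are constructed for the example and only loosely modelled on Zeek's ssl.log and mqtt_subscribe.log; the field names, the internal addresses, the timestamps and the scoring are assumptions, not data from the incident.

```python
"""Detection logic for the two IOCs above: deprecated TLS handshakes against
the MQTT ports and wildcard SUBSCRIBE enumeration, correlated per source IP."""
import json
from collections import defaultdict

# Constructed sample records, loosely modelled on Zeek's ssl.log and
# mqtt_subscribe.log written as JSON lines. Field names, addresses and
# timestamps are an assumption for this example, not a captured log.
SSL_LOG = """\
{"ts": 1773349200.1, "id.orig_h": "167.94.138.203", "id.resp_h": "10.0.5.20", "id.resp_p": 8883, "version": "TLSv10", "established": false}
{"ts": 1773349201.4, "id.orig_h": "167.94.138.203", "id.resp_h": "10.0.5.20", "id.resp_p": 8883, "version": "TLSv12", "established": true}
{"ts": 1773349300.0, "id.orig_h": "10.0.7.15", "id.resp_h": "10.0.5.20", "id.resp_p": 8883, "version": "TLSv13", "established": true}
"""
MQTT_SUB_LOG = """\
{"ts": 1773349202.0, "id.orig_h": "167.94.138.203", "id.resp_h": "10.0.5.20", "id.resp_p": 8883, "action": "subscribe", "topics": ["#", "$SYS/#"], "ack": false}
{"ts": 1773349310.0, "id.orig_h": "10.0.7.15", "id.resp_h": "10.0.5.20", "id.resp_p": 8883, "action": "subscribe", "topics": ["sensors/plant1/temp"], "ack": true}
"""

DEPRECATED_TLS = {"SSLv3", "TLSv10", "TLSv11"}  # deprecated by RFC 7568 / RFC 8996
MQTT_PORTS = {1883, 8883}                        # IANA-registered MQTT and MQTTS ports


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_wildcard(topic_filter):
    """True if any topic level is an MQTT wildcard ('+' = one level, '#' = all
    remaining levels). A '#' or '+' embedded inside a level is invalid per the
    MQTT specification and is deliberately not treated as a wildcard."""
    return any(level in ("#", "+") for level in topic_filter.split("/"))


def assess(ssl_records, mqtt_records):
    """Return {source_ip: findings} for every source that tripped at least one IOC."""
    findings = defaultdict(lambda: {"deprecated_tls": [], "wildcard_topics": [],
                                    "sys_topics": [], "technique": "T1595.002"})
    for rec in ssl_records:
        if rec.get("version") in DEPRECATED_TLS and rec.get("id.resp_p") in MQTT_PORTS:
            findings[rec["id.orig_h"]]["deprecated_tls"].append(rec["id.resp_p"])
    for rec in mqtt_records:
        if rec.get("action") != "subscribe":
            continue
        for topic in rec.get("topics", []):
            if is_wildcard(topic):
                findings[rec["id.orig_h"]]["wildcard_topics"].append(topic)
            if topic.startswith("$SYS/"):
                # $SYS/# exposes broker internals (version, client counts, load)
                findings[rec["id.orig_h"]]["sys_topics"].append(topic)
    # Score: one point per distinct IOC class. Two or more classes from one
    # source is the recon-before-compromise pattern this report describes.
    for f in findings.values():
        f["score"] = sum(1 for k in ("deprecated_tls", "wildcard_topics", "sys_topics") if f[k])
    return dict(findings)


if __name__ == "__main__":
    for ip, f in assess(parse_jsonl(SSL_LOG), parse_jsonl(MQTT_SUB_LOG)).items():
        print(ip, f)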
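```

On the constructed sample the scanner source scores 3 (deprecated TLS on 8883, a '#' subscription and a '$SYS/#' subscription) while the internal client subscribing to a single concrete topic produces no finding. The port and version sets are the place to add non-standard broker ports or to loosen the rule for brokers that legitimately still see TLS 1.1 clients.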
IOCs
IP: 167.94.138.203
COUNTRY: US
Recommendations
- Block or monitor traffic from 167.94.138.203 and enable enhanced logging (connection, TLS version and SUBSCRIBE filters) on MQTT services
- Disable TLS 1.0 (and TLS 1.1) on all MQTT brokers and enforce a minimum of TLS 1.2 for encrypted connections
- Review MQTT broker access controls and disable anonymous connections unless they are explicitly required
- Enforce per-client topic access control lists on the broker so that clients can only subscribe to the topics they need, and reject wildcard filters such as '#' and '$SYS/#' from unauthenticated or unprivileged clients
- Assess IoT devices and MQTT infrastructure for clients and brokers that still negotiate TLS 1.0/1.1, so that a TLS 1.0 handshake cannot succeed against any broker
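As an added example, not the report's own tooling and not code from the Eclipse Mosquitto project, here is a Python check for the broker-side recommendations above. It shows a weak mosquitto.conf beside its hardened form (using Mosquitto's tls_version, allow_anonymous, password_file and acl_file directives), an audit function that flags the weak one, and a probe that pins a TLS handshake to one version at a time to confirm a live broker rejects TLS 1.0. The file paths and the host name in the example are placeholders.

```python
"""Hardening check for the recommendations above: audit a mosquitto.conf for
weak settings and, optionally, probe a live broker for TLS 1.0 acceptance."""
import socket
import ssl
import sys

# Constructed before/after configurations. Certificate and ACL paths are
# placeholders (an assumption for the example).
WEAK_CONF = """\
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
allow_anonymous true
"""

HARDENED_CONF = """\
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
tls_version tlsv1.2
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""

DEPRECATED = ("SSLv3", "TLSv1", "TLSv1_1")  # names as used by ssl.TLSVersion


def parse_conf(text):
    """Minimal mosquitto.conf reader: 'key value' per line, '#' comments.
    Repeated keys overwrite, so a multi-listener file needs per-listener scoping."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def audit_conf(text):
    """Return a list of findings; an empty list means the file passes these checks."""
    s = parse_conf(text)
    findings = []
    tls = s.get("tls_version")
    if tls is None:
        findings.append("tls_version not pinned: set 'tls_version tlsv1.2' (or tlsv1.3) explicitly")
    elif tls not in ("tlsv1.2", "tlsv1.3"):
        findings.append(f"tls_version {tls} permits deprecated TLS; require tlsv1.2 or tlsv1.3")
    anon = s.get("allow_anonymous")
    if anon is None:
        findings.append("allow_anonymous not pinned (default was true before Mosquitto 2.0): set false")
    elif anon.lower() == "true":
        findings.append("allow_anonymous true: unauthenticated clients can SUBSCRIBE")
    if "acl_file" not in s:
        findings.append("no acl_file: every authenticated client may subscribe to '#' and '$SYS/#'")
    return findings


def tls_version_accepted(host, port, version, timeout=5.0):
    """True if the broker completes a handshake pinned to exactly `version`.
    Certificate validation is disabled on purpose: only version negotiation
    is under test. A version the local OpenSSL cannot offer reports False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 blocks TLS 1.0/1.1 at SECLEVEL>=1
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_broker(host, port=8883):
    """Map each TLS version name to whether the broker accepted a handshake in it."""
    versions = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    return {v.name: tls_version_accepted(host, port, v) for v in versions}


def deprecated_accepted(results):
    """Names of deprecated versions the broker accepted; empty means compliant."""
    return [name for name in DEPRECATED if results.get(name)]


if __name__ == "__main__":
    print("weak config:", audit_conf(WEAK_CONF))
    print("hardened config:", audit_conf(HARDENED_CONF))
    if len(sys.argv) > 1:  # e.g. python3 mqtt_hardening_check.py broker.example.internal
        results = probe_broker(sys.argv[1])
        print(results, "deprecated accepted:", deprecated_accepted(results))
```

The audit deliberately treats an unset tls_version or allow_anonymous as a finding rather than trusting build defaults, because the defaults changed between Mosquitto releases and the brokers in an IoT estate rarely run one version. The probe is the live counterpart to the last recommendation: after the configuration change, run it against each broker's 8883 port and expect TLSv1 and TLSv1_1 to report False.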