167.94.146.57

Summary (Bottom Line Up Front)

IP address 167.94.146.57 conducted a sustained 16-day reconnaissance campaign from February 19 to March 7, 2026, targeting Kubernetes API servers and performing broad network scanning. The source demonstrated familiarity with container orchestration environments and touched multiple protocols (HTTP/HTTPS, Modbus, SMB), which points to infrastructure mapping rather than exploitation of a single service. Organizations should review Kubernetes API exposure now and add monitoring for the same unauthenticated enumeration pattern.

Protocols observed: HTTP, HTTPS, Modbus
Activity Timeline
Initial report: 2026-03-10T14:39:55Z
Source: Analyst Manual Entry
Technical details
The source generated 49 security events across several vectors, with the primary focus on Kubernetes API enumeration and version-disclosure attempts. Generic scanning dominated the campaign (30 events) and used automated tooling consistent with Censys-style internet-wide reconnaissance; before treating the source as a hostile actor, confirm whether it belongs to a known research scanner, because that changes both the attribution and the value of a perimeter block. Kubernetes-specific events (9) covered API resource enumeration and version fingerprinting, typically unauthenticated requests to the /version endpoint, which a default RBAC install serves to anonymous clients through the system:public-info-viewer ClusterRole, followed by attempts on the /api and /apis discovery paths. A single SMB legacy-protocol probe suggests broader network service discovery. The remaining events are not broken out in this entry. The campaign maps to MITRE ATT&CK T1046 (Network Service Discovery) and T1082 (System Information Discovery). Key IOC: 167.94.146.57, with sustained activity over 384+ hours (16 days).
IOCs
IP:167.94.146.57
Recommendations
  • Implement network segmentation so the Kubernetes API server is not reachable from the internet; require VPN or bastion-host access and restrict the API endpoint to known source ranges.
  • Disable anonymous access to the API server (kube-apiserver --anonymous-auth=false) unless an external health check depends on it; if it must stay on, confirm that anonymous clients can reach nothing beyond what system:public-info-viewer grants.
  • Enable kube-apiserver audit logging for non-resource URLs such as /version, /api and /apis, and alert on anonymous or unauthenticated requests to them from untrusted networks.
  • Review and harden SMB configurations: disable SMBv1, require SMB signing where supported, and remove file sharing services that are not needed.
  • Block 167.94.146.57 at the perimeter and search internal logs for connections from it that returned 200 rather than 401/403; if the address turns out to belong to a known research scanner, the block is low value and the exposure it found is the real finding.
  • Audit exposed Kubernetes services with a tool such as kube-hunter, and verify from an external vantage point that an unauthenticated request to https://<api-server>:6443/version is rejected.
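The detection the technical details and the monitoring recommendation describe, as an added example that is not part of the original report: it walks kube-apiserver audit log lines in the audit.k8s.io/v1 JSON-lines format, keeps only anonymous or unauthenticated requests to the discovery and health endpoints from outside trusted networks, and summarizes them per source IP. The audit events, the trusted CIDRs and the user agents are constructed for the example; adjust TRUSTED_NETS and ENUMERATION_PATHS to your cluster.

```python
"""Flag unauthenticated Kubernetes API enumeration in kube-apiserver audit logs.

Added example, not code from the original report. Assumes audit logging at
Metadata level or higher for the non-resource URLs listed below; the sample
events and network ranges are constructed, not captured from a real cluster.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Paths a scanner walks when fingerprinting a cluster. Default RBAC lets anonymous
# clients read /version, /healthz, /livez and /readyz (system:public-info-viewer);
# /api, /apis and /openapi should return 403 to them, but the attempt is still a signal.
ENUMERATION_PATHS = ("/version", "/api", "/apis", "/openapi", "/healthz", "/livez", "/readyz")

# Ranges allowed to reach the API server unauthenticated (e.g. load-balancer health
# checks). Assumed values for this example; replace with your node/pod/VPN CIDRs.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def _event(ip, path, code, user="system:anonymous",
           groups=("system:unauthenticated",), ua="python-requests/2.31.0"):
    """Build one audit.k8s.io/v1 Event line (constructed sample data)."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "requestURI": path, "verb": "get",
        "sourceIPs": [ip], "userAgent": ua, "responseStatus": {"code": code},
    }
    if user is not None:  # authn failures (anonymous-auth=false) carry no user block
        ev["user"] = {"username": user, "groups": list(groups)}
    return json.dumps(ev)


CONSTRUCTED_AUDIT_LINES = [
    _event("167.94.146.57", "/version?timeout=32s", 200),   # version disclosure succeeds
    _event("167.94.146.57", "/api", 403),                   # discovery denied but attempted
    _event("167.94.146.57", "/apis/apps/v1", 403),
    _event("10.0.0.9", "/readyz", 200),                     # trusted LB health check
    _event("10.0.0.5", "/api/v1/namespaces/default/pods", 200,
           user="system:serviceaccount:default:deploy", groups=("system:serviceaccounts",)),
    _event("203.0.113.7", "/healthz", 401, user=None, groups=()),  # rejected at authn
]


def is_anonymous(event):
    """True for system:anonymous, the system:unauthenticated group, or no user at all."""
    user = event.get("user") or {}
    return (not user.get("username")
            or user.get("username") == "system:anonymous"
            or "system:unauthenticated" in (user.get("groups") or []))


def is_enumeration_path(request_uri):
    """Match the path (query string stripped) against the watched endpoints."""
    path = request_uri.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ENUMERATION_PATHS)


def is_trusted(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed or missing source: never treat as trusted
    return any(addr in net for net in TRUSTED_NETS)


def summarize_audit_lines(lines):
    """Return {source_ip: summary} for anonymous enumeration from untrusted sources."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn line at a rotation boundary: skip it, do not crash the pipeline
        if ev.get("kind") != "Event":
            continue
        src = (ev.get("sourceIPs") or ["unknown"])[0]
        if is_trusted(src) or not is_anonymous(ev) or not is_enumeration_path(ev.get("requestURI", "")):
            continue
        entry = hits.setdefault(src, {"hits": 0, "paths": set(), "status_codes": Counter(), "user_agents": set()})
        entry["hits"] += 1
        entry["paths"].add(ev["requestURI"].split("?", 1)[0])
        entry["status_codes"][(ev.get("responseStatus") or {}).get("code")] += 1
        entry["user_agents"].add(ev.get("userAgent", ""))
    # Plain, sorted structures so the summary is stable for reports and tests.
    return {ip: {"hits": e["hits"], "paths": sorted(e["paths"]),
                 "status_codes": dict(e["status_codes"]), "user_agents": sorted(e["user_agents"])}
            for ip, e in hits.items()}


if __name__ == "__main__":
    for ip, s in summarize_audit_lines(CONSTRUCTED_AUDIT_LINES).items():
        # A 200 on /version from an untrusted IP means version disclosure succeeded.
        print(f"{ip}: {s['hits']} anonymous enumeration hits, paths={s['paths']}, codes={s['status_codes']}")
```

Feed it the audit log with `summarize_audit_lines(open("/var/log/kubernetes/audit.log"))`. A 200 on /version from an untrusted source is the disclosure the report describes; 403s on /api and /apis are the enumeration that follows it, and a 401 with no user block is what the same probe looks like once --anonymous-auth=false is in place.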