167.94.146.61

Summary (Bottom Line Up Front)

External threat actor at 167.94.146.61 conducted sustained reconnaissance activities from February 24 to March 9, 2026, targeting SMB services with legacy SMBv1 protocol exploitation attempts across 45 recorded events. Assessment indicates HIGH threat level due to SMBv1 vulnerability exploitation potential and multi-protocol scanning behavior. Immediate SMB hardening and network monitoring enhancement recommended.

HTTP Modbus TCP TCP/SYN TLS TLS/1.0 TLS/1.2+ smb

SCANNER SMB

Activity Timeline

INITIAL REPORT2026-03-10T17:24:09Z

Source: Analyst Manual Entry

Technical details

Threat actor employed multi-protocol reconnaissance spanning HTTP, Modbus, TCP, TLS (versions 1.0 and 1.2+), and SMB protocols targeting two unique destination ports. Primary attack vectors included automated scanning operations consistent with Censys-style reconnaissance and SMBv1 protocol negotiation attempts. Activity maps to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) within the Reconnaissance kill chain phase. Key indicators include sustained 14-day campaign duration, SMBv1 exploitation attempts leveraging known critical vulnerabilities, and cross-protocol scanning suggesting comprehensive target enumeration. No CVE-specific exploits identified, though SMBv1 usage presents EternalBlue and related vulnerability exposure risks.

IOCs

IP:167.94.146.61

Recommendations

Block traffic from 167.94.146.61 at network perimeter and monitor for additional IPs exhibiting similar multi-protocol scanning patterns
Disable SMBv1 protocol across all network assets and enforce SMBv2/v3 minimum requirements with signing enabled
Implement enhanced monitoring for SMB traffic anomalies, particularly external connection attempts and legacy protocol negotiations
Conduct immediate asset inventory to identify and remediate any SMB services exposed to external networks
Deploy network segmentation controls to isolate critical SMB file shares from internet-facing network zones