Summary (Bottom Line Up Front)
Brazilian IP address 170.233.6.1 conducted SMB reconnaissance activities over 24 days, probing for legacy SMB protocol support including SMBv1. This represents medium-risk reconnaissance activity that typically precedes SMB-based exploitation attempts. Organizations should immediately audit SMB exposure and disable legacy protocol versions.
Activity Timeline
UPDATE 2 2026-03-22T08:16:44Z
Source: Analyst Manual Entry
Brazilian IP address 170.233.6.1 conducted SMB reconnaissance activities over 24 days, probing for legacy SMB protocol support including SMBv1. This represents medium-risk reconnaissance activity that typically precedes SMB-based exploitation attempts. Organizations should immediately audit SMB exposure and disable legacy protocol versions.
New findings
- Source: 170.233.6.1 (AS52630 MOTTANET TI, Brazil) with 100/100 AbuseIPDB reputation score
- Activity Window: February 19, 2026 01:00 - March 15, 2026 08:00 (46 total events)
- Protocols: SMB protocol negotiation requests targeting 2 unique destination ports
- MITRE Technique: T1135 (Network Share Discovery) during reconnaissance phase
- Attack Patterns: SMBv1 detection and usage attempts (16 combined hits)
- Assessment: External enumeration of SMB dialects including deprecated versions, consistent with pre-exploitation reconnaissance
Recommendations
- Immediately block 170.233.6.1 at network perimeter and review logs for any successful SMB connections
- Audit all externally accessible SMB services and relocate behind VPN or remove external exposure entirely
- Disable SMBv1 protocol across all Windows systems and network appliances if not already completed
- Implement network segmentation to isolate file sharing services from external networks
- Monitor for additional reconnaissance activity from AS52630 and other Brazilian IP ranges targeting SMB services
UPDATE 1 2026-03-21T12:48:11Z
Source: Analyst Manual Entry
External threat actor conducted sustained SMB reconnaissance targeting internal networks using deprecated SMBv1 protocol over a 24-day period from Brazilian hosting provider infrastructure. This represents MEDIUM-risk pre-attack enumeration that could precede exploitation of SMBv1 vulnerabilities including EternalBlue-class attacks. Immediate SMBv1 protocol review and network segmentation assessment recommended.
New findings
Threat actor 170.233.6[.]1 (AS52630 MOTTANET TI, Brazil) conducted 46 reconnaissance events between 2026-02-19 01:00 and 2026-03-15 08:00 targeting SMB services. Activity focused on SMBv1 protocol detection across 2 unique destination ports using multiple protocols (Modbus, SMB, TCP/SYN). Attack patterns align with MITRE T1046 (Network Service Scanning) in the reconnaissance phase of the cyber kill chain. AbuseIPDB reputation scoring indicates a 100/100 malicious confidence rating. No CVEs are directly associated, but SMBv1 usage creates exposure to known vulnerability classes including MS17-010.
Recommendations
- Disable SMBv1 protocol across all Windows systems and network infrastructure immediately
- Implement network segmentation to prevent external access to internal SMB services (ports 139/445)
- Deploy enhanced monitoring for SMB protocol anomalies and external connection attempts
- Block source IP 170.233.6[.]1 and monitor for additional reconnaissance from AS52630 address space
- Conduct vulnerability assessment focusing on SMB service exposure and patch status across the environment
INITIAL REPORT 2026-03-14T12:43:05Z
Source: Analyst Manual Entry
Internet-facing sensors observed 35 malicious events from IP 170.233.6.1 between February 19 and March 3, 2026, targeting SMB services with legacy protocol exploitation attempts. The activity demonstrates medium-severity threat behavior focused on SMB version 1 protocol abuse across a 12-day observation period. The actor exhibited persistent automated scanning behavior targeting industrial control systems and file sharing services.
Technical details
The observed traffic consisted of 35 events targeting a single destination port using multiple protocols including Modbus, SMB, TCP, and TCP/SYN. Primary attack vectors focused on SMB protocol exploitation with specific emphasis on SMB version 1 usage attempts (8 instances) and SMB1 protocol detection activities (4 instances). The actor demonstrated knowledge of industrial control system protocols through Modbus targeting, suggesting familiarity with SCADA/ICS environments. No specific CVEs were targeted in the observed traffic, and payload analysis indicated standard protocol enumeration rather than sophisticated exploit delivery. The activity pattern suggests automated tooling rather than manual reconnaissance.
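The SMBv1 detection and usage counts above come from inspecting the dialect list a client offers in its SMB negotiate request. The following is an added example written for this report, not tooling from the original analysis: it parses SMB1 and SMB2 NEGOTIATE requests per MS-CIFS/MS-SMB2 framing, flags requests that offer legacy SMB1 dialects, and aggregates per-source counts, ports and the activity window the way the findings are stated. All packets and timestamps are constructed sample data; the probing source is the report's IoC, the internal address 10.0.0.5 is a placeholder.

```python
"""Flag SMBv1 dialect probing in captured SMB negotiate requests (added example)."""
from datetime import datetime

# SMB1 dialect strings defined in MS-CIFS / MS-SMB; any of these arriving from
# an external source is a legacy-protocol probe worth counting.
LEGACY_DIALECTS = {
    b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
    b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12",
}
SMB2_WILDCARD = b"SMB 2.???"  # offered inside an SMB1 negotiate by SMB2-capable clients
SMB_COM_NEGOTIATE = 0x72       # SMB1 command code for NEGOTIATE


def parse_negotiate(payload: bytes) -> dict:
    """Parse one NetBIOS-framed SMB negotiate request.

    Returns {"version": 1 | 2 | None, "dialects": [...]}: SMB1 dialect strings,
    or SMB2 dialect codes (e.g. 0x0202) for an SMB2 NEGOTIATE.
    """
    if len(payload) < 4 + 32:
        return {"version": None, "dialects": []}
    body = payload[4:]  # strip the 4-byte NetBIOS session service header
    if body[:4] == b"\xffSMB":  # SMB1: 32-byte header, command at offset 4
        if body[4] != SMB_COM_NEGOTIATE:
            return {"version": 1, "dialects": []}
        word_count = body[32]                       # parameter words (0 for NEGOTIATE)
        params_end = 33 + 2 * word_count
        byte_count = int.from_bytes(body[params_end:params_end + 2], "little")
        data = body[params_end + 2:params_end + 2 + byte_count]
        dialects, i = [], 0
        while i < len(data) and data[i] == 0x02:   # 0x02 + NUL-terminated dialect string
            end = data.find(b"\x00", i + 1)
            if end == -1:
                break
            dialects.append(data[i + 1:end])
            i = end + 1
        return {"version": 1, "dialects": dialects}
    if body[:4] == b"\xfeSMB":  # SMB2: 64-byte header, Command at offset 12
        if int.from_bytes(body[12:14], "little") != 0:  # 0 == SMB2 NEGOTIATE
            return {"version": 2, "dialects": []}
        count = int.from_bytes(body[66:68], "little")   # DialectCount
        start = 64 + 36                                  # Dialects array offset
        dialects = [int.from_bytes(body[start + 2 * k:start + 2 * k + 2], "little")
                    for k in range(count)]
        return {"version": 2, "dialects": dialects}
    return {"version": None, "dialects": []}


def build_smb1_negotiate(dialects) -> bytes:
    """Construct an SMB1 NEGOTIATE request (sample data for this example)."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    body = header + b"\x00" + len(data).to_bytes(2, "little") + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb2_negotiate(codes) -> bytes:
    """Construct an SMB2 NEGOTIATE request (sample data for this example)."""
    header = b"\xfeSMB" + (64).to_bytes(2, "little") + b"\x00" * 58
    neg = (36).to_bytes(2, "little") + len(codes).to_bytes(2, "little") + b"\x00" * 32
    neg += b"".join(c.to_bytes(2, "little") for c in codes)
    body = header + neg
    return b"\x00" + len(body).to_bytes(3, "big") + body


def triage(events) -> dict:
    """Aggregate (timestamp_iso, src_ip, dst_port, payload) tuples per source.

    legacy_hits counts SMB1 negotiates offering a legacy dialect; smb1_only counts
    those that do not even offer the SMB2 wildcard, i.e. a client that cannot speak SMB2.
    """
    summary = {}
    for ts, src, dport, payload in events:
        parsed = parse_negotiate(payload)
        e = summary.setdefault(src, {"events": 0, "legacy_hits": 0, "smb1_only": 0,
                                     "ports": set(), "first": None, "last": None})
        t = datetime.fromisoformat(ts)
        e["events"] += 1
        e["ports"].add(dport)
        e["first"] = t if e["first"] is None else min(e["first"], t)
        e["last"] = t if e["last"] is None else max(e["last"], t)
        if parsed["version"] == 1:
            offered = set(parsed["dialects"])
            if offered & LEGACY_DIALECTS:
                e["legacy_hits"] += 1
                if SMB2_WILDCARD not in offered:
                    e["smb1_only"] += 1
    for e in summary.values():
        e["span_days"] = (e["last"] - e["first"]).days
    return summary


def flagged_sources(summary, min_hits=1):
    """Sources with at least min_hits legacy-dialect probes, for blocking/review."""
    return sorted(s for s, e in summary.items() if e["legacy_hits"] >= min_hits)


# Constructed sample events: the report's IoC probing 445/139, plus a placeholder
# internal host (10.0.0.5) negotiating SMB 3.1.1 only.
SAMPLE_EVENTS = [
    ("2026-02-19T01:00:00", "170.233.6.1", 445, build_smb1_negotiate([b"NT LM 0.12", SMB2_WILDCARD])),
    ("2026-02-19T01:00:05", "170.233.6.1", 445, build_smb1_negotiate([b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"])),
    ("2026-03-03T14:20:00", "170.233.6.1", 139, build_smb2_negotiate([0x0202, 0x0210])),
    ("2026-03-15T08:00:00", "170.233.6.1", 445, build_smb1_negotiate([b"LANMAN1.0"])),
    ("2026-03-01T09:00:00", "10.0.0.5", 445, build_smb2_negotiate([0x0311])),
]

if __name__ == "__main__":
    for src, e in triage(SAMPLE_EVENTS).items():
        print(src, e["events"], "events", e["legacy_hits"], "legacy", sorted(e["ports"]), e["span_days"], "days")
```

Feeding real captures into triage only requires the TCP payload of the first client message on 139/445 per connection; an SMB1-framed negotiate from an external source that offers any legacy dialect is the "SMB1 protocol detection" signal, and an external client that never offers the SMB2 wildcard is a stronger indicator of a scanner built around SMBv1.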
IOCs
IP: 170.233.6.1