177.75.49.40

Summary (Bottom Line Up Front)

Threat intelligence sensors detected a sustained Telnet brute force attack originating from IP 177.75.49.40, generating 677 credential capture attempts over approximately one hour on March 28-29, 2026. This activity represents a MEDIUM threat level with automated tooling characteristics targeting legacy Telnet services. Organizations should immediately audit Telnet exposure and implement access controls.

Tags: TCP, TCP/SYN, Telnet
Activity Timeline
INITIAL REPORT 2026-03-30T19:05:56Z
Source: Analyst Manual Entry
Technical details
The campaign used the TCP-based Telnet protocol on port 23 with credential stuffing techniques consistent with MITRE ATT&CK T1110.001 (Brute Force: Password Guessing). Activity occurred between 22:00 and 00:00 UTC, with 677 total events, including empty-credential attempts that suggest automated scanner behavior. The primary patterns were credential capture and authentication retry sequences, assessed with moderate confidence as automated tooling. No CVE exploitation or zero-day indicators were observed during this campaign.
IOCs
IP: 177.75.49.40
Recommendations
  • Disable Telnet services (port 23) on all internet-facing systems and migrate to SSH with strong authentication
  • Implement network segmentation to restrict Telnet access to management networks only where legacy requirements exist
  • Deploy rate limiting and account lockout policies for any remaining Telnet services
  • Monitor authentication logs for brute force patterns and implement automated blocking for repeated failed attempts
  • Block source IP 177.75.49.40 at network perimeter and consider threat intelligence feed integration for similar campaigns
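As an added example (not part of this report or its sensor tooling), the following detection logic implements the log-monitoring recommendation above: it flags any source exceeding a number of failed Telnet logins within a sliding window and counts empty-credential probes separately, the indicator the technical details call out. The log format, field names, threshold and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical telnetd log format (constructed for this example):
# "<ISO ts> telnetd src=<ip> dport=<port> user=<u> pass=<p> result=<fail|ok>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["dport"] = int(ev["dport"])
    return ev

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {src: finding} for sources with >= threshold failed Telnet logins
    inside any `window`; empty user+password pairs are reported as scanner probes."""
    failed = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == 23 and ev["result"] == "fail":
            failed[ev["src"]].append(ev)
    findings = {}
    for src, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            empty = sum(1 for e in evs if e["user"] == "" and e["pw"] == "")
            findings[src] = {"failed": len(evs), "peak_in_window": peak,
                             "empty_credential_attempts": empty, "technique": "T1110.001"}
    return findings

# Constructed sample log: 12 rapid failures from the reported IP (first two with
# empty credentials) plus one ordinary failed-then-successful login from 10.0.0.5.
_BASE = datetime(2026, 3, 28, 22, 0, tzinfo=timezone.utc)
_GUESSES = [("", ""), ("", ""), ("root", "root"), ("admin", "admin"), ("root", "1234"),
            ("admin", "password"), ("user", "user"), ("root", "admin"), ("support", "support"),
            ("root", "toor"), ("admin", "1234"), ("root", "")]
def _line(ts, src, user, pw, result):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} telnetd src={src} dport=23 user={user} pass={pw} result={result}"
SAMPLE_LOG = [_line(_BASE + timedelta(seconds=5 * i), "177.75.49.40", u, p, "fail")
              for i, (u, p) in enumerate(_GUESSES)]
SAMPLE_LOG += [_line(_BASE + timedelta(minutes=3), "10.0.0.5", "admin", "wrong", "fail"),
               _line(_BASE + timedelta(minutes=3, seconds=30), "10.0.0.5", "admin", "s3cret", "ok")]
```

Running `detect_bruteforce(SAMPLE_LOG)` flags only 177.75.49.40; the single failure from 10.0.0.5 stays below the threshold.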