Summary (Bottom Line Up Front)
Network telemetry identified SMBv1 protocol negotiation attempts from IP 179.32.58.255 (Colombia Telecomunicaciones) targeting non-standard port 9001 between February 24 and March 2, 2026. This activity represents MEDIUM-risk reconnaissance, likely probing for vulnerable SMB services exploitable via legacy protocol weaknesses. Organizations should immediately audit SMB configurations and disable SMBv1 protocol support.
Activity Timeline
INITIAL REPORT 2026-03-10T19:12:02Z
Source: Analyst Manual Entry
Technical details
- Source: 179.32.58.255 (AS3816 Colombia Telecomunicaciones, Cali, CO)
- Activity Window: February 24, 2026 12:00 - March 2, 2026 02:00 UTC
- Attack Vector: SMBv1 protocol negotiation on non-standard port 9001
- Volume: 18 events over a 6-day period
- MITRE Technique: T1040 (Network Sniffing)
- Kill Chain Phase: Reconnaissance
- Key Indicators: Deprecated SMBv1 usage, non-standard port targeting, sustained scanning pattern
- Open Ports: 80, 443, 5130, 5985, 8182, 8733, 47001
IOCs
IP:179.32.58.255
ASN:3816
COUNTRY:CO
Recommendations
- Disable SMBv1 protocol across all Windows systems and network infrastructure immediately
- Monitor network traffic for SMBv1 negotiation attempts on non-standard ports (not 445/139)
- Implement network segmentation to restrict SMB traffic to authorized systems only
- Deploy detection rules for legacy SMB protocol usage and alert on anomalous port combinations
- Review firewall configurations to block unnecessary SMB traffic from external networks
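
One way to implement the monitoring and detection recommendations above, as an added example that is not part of the original report: a Python check that recognises an SMB1 Negotiate request in a TCP payload and flags SMB1-only dialect offers on ports other than 445/139. The function names and sample packets are constructed for illustration, and the payloads are assumed to come from a capture or sensor.

```python
import struct

STANDARD_SMB_PORTS = {139, 445}
SMB1_MAGIC = b"\xffSMB"          # SMB2/3 frames start with b"\xfeSMB" instead
SMB1_COM_NEGOTIATE = 0x72

def parse_smb1_negotiate(payload):
    """Return the offered dialects if payload is an SMB1 Negotiate request, else None."""
    # 4-byte session header (type 0x00 + 3-byte length) precedes the 32-byte SMB1 header.
    if len(payload) < 4 + 32 + 3 or payload[0] != 0x00:
        return None
    smb = payload[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB1_COM_NEGOTIATE:
        return None
    if smb[9] & 0x80:                # Flags bit 0x80 marks a server reply
        return None
    off = 33 + 2 * smb[32]           # skip WordCount and its parameter words
    if len(smb) < off + 2:
        return None
    (byte_count,) = struct.unpack_from("<H", smb, off)
    data = smb[off + 2 : off + 2 + byte_count]
    # Each dialect is 0x02 (buffer format) + NUL-terminated ASCII name.
    return [e[1:].decode("ascii", "replace")
            for e in data.split(b"\x00") if e[:1] == b"\x02"]

def classify(dst_port, payload):
    """Describe an SMB1 negotiation attempt, or return None for other traffic."""
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return None
    return {
        "dialects": dialects,
        # Modern clients may also open with an SMB1 Negotiate but list "SMB 2.*" dialects.
        "smb1_only": not any(d.startswith("SMB 2") for d in dialects),
        "nonstandard_port": dst_port not in STANDARD_SMB_PORTS,
    }

def build_negotiate(dialects):
    """Construct a sample request (test data made up for this example)."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(27)   # zeroed header rest
    smb += b"\x00" + struct.pack("<H", len(body)) + body         # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    print(classify(9001, build_negotiate(["LANMAN1.0", "NT LM 0.12"])))
    print(classify(445, build_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])))
```

Alerting on `smb1_only` together with `nonstandard_port` keeps multi-protocol negotiations from SMB2-capable clients on 445 out of the alert queue.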