185.217.188.132

Summary (Bottom Line Up Front)

A threat actor operating from Kazakhstan (185.217.188.132) conducted sustained SMB reconnaissance activities over a 4-day period from March 4-8, 2026, with 23 recorded events targeting legacy SMB protocols. The campaign demonstrates persistent, methodical reconnaissance behavior with focus on SMBv1 exploitation vectors, assessed as HIGH threat level requiring immediate defensive action. Organizations should prioritize SMB hardening and monitoring given the attacker's demonstrated persistence and targeting of vulnerable legacy protocols.

Activity Timeline
INITIAL REPORT 2026-03-10T19:12:34Z
Source: Analyst Manual Entry
Technical details
The threat actor used the SMB and TCP protocols exclusively, conducting 23 attack events over 96 hours with a consistent focus on SMBv1 detection and exploitation attempts. Primary attack vectors included SMBv1 protocol detection (10 instances) and active SMBv1 usage attempts (2 instances), indicating reconnaissance for legacy file-sharing vulnerabilities. The campaign targeted 2 unique destination ports and maintained persistent activity patterns suggesting automated tooling. MITRE ATT&CK mappings include T1021.002 (Remote Services: SMB/Windows Admin Shares) and T1135 (Network Share Discovery). Key IOC: 185.217.188.132 (Optinet LLP/AS60757, Karagandy, Kazakhstan), with exposed services on ports 80 and 3389.
IOCs
IP: 185.217.188.132
ASN: 60757
Country: KZ
Recommendations
  • Immediately block traffic from 185.217.188.132 and monitor for additional activity from AS60757 (Optinet LLP)
  • Disable the SMBv1 protocol across all Windows systems and network devices if not already done
  • Implement enhanced logging and alerting for SMB connection attempts, particularly from foreign IP ranges
  • Conduct a network scan to identify and remediate any remaining SMBv1-enabled systems or shares
  • Review and restrict SMB access controls, ensuring proper network segmentation for file-sharing services
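The following PowerShell is an added example of how the recommendations above can be applied on a Windows estate; it is not part of the original report. It assumes an elevated session on Windows 10 / Server 2016 or later (SmbShare and NetSecurity modules), and, for the domain sweep, WinRM access to the targets and the RSAT ActiveDirectory module; the only page-specific value is the reported IP.

```powershell
# Added example, not from the original report: block the reported IOC, audit
# and disable SMBv1, and sweep the domain for hosts that still have it enabled.
# Assumptions: elevated PowerShell, Windows 10 / Server 2016+, WinRM reachable
# to remote hosts, RSAT ActiveDirectory module present for Get-ADComputer.

# 1. Block inbound traffic from the reported source IP (value taken from the report).
$Ioc = '185.217.188.132'
New-NetFirewallRule -DisplayName "Block $Ioc (SMB recon)" -Direction Inbound `
    -RemoteAddress $Ioc -Action Block -Profile Any | Out-Null

# 2. Turn on SMB1 access auditing before disabling the protocol, so any remaining
#    legitimate SMBv1 clients show up in Microsoft-Windows-SMBServer/Audit (event 3000).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Disable SMBv1 on this host (server configuration and the optional feature).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 4. Sweep a list of computers and return those that still advertise SMBv1.
function Get-Smb1EnabledHosts {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $cfg = Get-SmbServerConfiguration
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Smb1Enabled = $cfg.EnableSMB1Protocol
        }
    } | Where-Object Smb1Enabled
}

# Assumption: an AD-joined estate; substitute any host list you maintain.
$hosts = (Get-ADComputer -Filter 'Enabled -eq $true').Name
Get-Smb1EnabledHosts -ComputerName $hosts | Format-Table Host, Smb1Enabled -AutoSize

# 5. Show recent SMB1 access audit events on this host for follow-up.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run step 2 for a few days before step 3 on file servers so that any legacy client still depending on SMBv1 is identified from the audit log rather than by an outage.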