185.247.137.27

Summary (Bottom Line Up Front)

IP address 185.247.137.27 conducted a sustained multi-protocol reconnaissance campaign from February 18 to April 14, 2026, targeting industrial control systems and database infrastructure using EtherNet/IP, Modbus, Oracle TNS, and other protocols across 48 events. This represents MEDIUM-risk reconnaissance activity (85% confidence) consistent with MITRE technique T1018 (Remote System Discovery) and indicates potential preparation for targeted attacks against operational technology and database systems. Organizations should immediately review exposure of industrial protocols and database services to untrusted networks.

Protocol tags: EtherNet/IP, HTTP, Java-RMI, Modbus, TCP, TCP/SYN, Unknown, auto
Activity Timeline

Initial report: 2026-04-14T18:11:51Z (source: Analyst Manual Entry)
Technical details
  • Attack Vector: Multi-protocol reconnaissance targeting industrial and database systems
  • Source: 185.247.137.27 (unknown ASN, no reverse DNS resolution)
  • Timeline: February 18, 2026 07:00 - April 14, 2026 09:00 (sustained 8-week campaign)
  • Protocols Observed: EtherNet/IP, Modbus, Oracle TNS, HTTP, Java-RMI, TCP
  • Primary Technique: Oracle TNS version enumeration using CONNECT_DATA=(COMMAND=version
  • MITRE Mapping: T1018 (Remote System Discovery)
  • Volume: 48 events across 5 unique destination ports
  • Kill Chain Phase: Reconnaissance
  • IOC: 185.247.137.27
IOCs
  • IP: 185.247.137.27
Recommendations
  • Implement network segmentation to isolate industrial control systems (EtherNet/IP, Modbus) from internet-facing networks
  • Review and restrict Oracle TNS listener exposure, ensuring version information disclosure is minimized through proper configuration
  • Deploy protocol-aware monitoring for industrial protocols to detect unauthorized enumeration attempts
  • Block traffic from 185.247.137.27 at network perimeters and review logs for similar multi-protocol scanning patterns
  • Conduct asset inventory to identify exposed services on non-standard ports that may be targeted by reconnaissance activities
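As an added illustration of the "protocol-aware monitoring" and "review logs for similar multi-protocol scanning patterns" recommendations, the following Python script is not part of this report: it runs a small offline detector over constructed connection-log lines. It flags two behaviours the report describes: an Oracle TNS connect string carrying the COMMAND=version enumeration marker, and a single source touching several distinct OT/database ports within a short window. The log-line format, the sample lines, the thresholds, and the port-to-protocol map (standard default ports; the report does not name the five destination ports it observed) are all assumptions made for this example.

```python
"""
Added example, not part of the original report: an offline detector for
Oracle TNS version enumeration and multi-protocol OT/database reconnaissance,
run over constructed connection-log lines.

Assumptions (not from the report):
  * Log line format, constructed here: "<ISO ts> <src_ip> <dst_ip> <dport> <payload>"
  * Port-to-protocol map uses standard default ports; the report does not list
    the ports it observed.
  * Thresholds (3 distinct monitored ports within 24 hours) are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard default ports for the protocols the report lists (assumption).
PORT_PROTOCOL = {
    44818: "EtherNet/IP",
    502: "Modbus",
    1521: "Oracle TNS",
    1099: "Java-RMI",
    80: "HTTP",
}
# Services that should never be reachable from untrusted networks.
OT_DB_PORTS = {44818, 502, 1521}
# Substring of the TNS CONNECT_DATA string the report cites as the primary technique.
TNS_VERSION_MARKER = "(COMMAND=version"

# Constructed sample log lines (not real captures). Payload fields are
# descriptive labels, not raw protocol bytes.
SAMPLE_LOG = """\
2026-02-18T07:00:12Z 185.247.137.27 10.0.5.10 1521 (CONNECT_DATA=(COMMAND=version))
2026-02-18T07:00:15Z 185.247.137.27 10.0.5.11 502 modbus-probe
2026-02-18T07:01:02Z 185.247.137.27 10.0.5.12 44818 enip-probe
2026-02-18T07:01:40Z 185.247.137.27 10.0.5.13 1099 rmi-probe
2026-02-18T07:02:01Z 185.247.137.27 10.0.5.14 80 GET / HTTP/1.1
2026-02-18T09:30:00Z 10.0.5.50 10.0.5.10 1521 (CONNECT_DATA=(SERVICE_NAME=orcl))
2026-02-19T11:00:00Z 10.0.9.9 10.0.5.11 502 modbus-read
"""


def parse_line(line):
    """Parse one constructed log line; the payload may contain spaces or be absent."""
    parts = line.split(maxsplit=4)
    ts, src, dst, dport = parts[:4]
    payload = parts[4] if len(parts) > 4 else ""
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "payload": payload,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_tns_version_probe(event):
    """True when a connection to the TNS listener port carries the version command."""
    return event["dport"] == 1521 and TNS_VERSION_MARKER in event["payload"]


def find_recon_sources(events, min_ports=3, window=timedelta(hours=24)):
    """Flag sources that touch >= min_ports distinct monitored ports inside `window`,
    at least one of them an OT/database port. Returns {src: summary}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] in PORT_PROTOCOL:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Sliding window starting at each event of this source.
            ports = {e["dport"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= min_ports and ports & OT_DB_PORTS:
                all_ports = sorted({e["dport"] for e in evs})
                flagged[src] = {
                    "ports": all_ports,
                    "protocols": [PORT_PROTOCOL[p] for p in all_ports],
                    "first_seen": evs[0]["ts"].isoformat(),
                    "last_seen": evs[-1]["ts"].isoformat(),
                }
                break
    return flagged


def analyze(log_text):
    """Run both detections and return a summary dict."""
    events = parse_log(log_text)
    return {
        "tns_version_probes": [
            {"ts": e["ts"].isoformat(), "src": e["src"], "dst": e["dst"]}
            for e in events
            if is_tns_version_probe(e)
        ],
        "recon_sources": find_recon_sources(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed input, only 185.247.137.27 is reported under both detections: the internal client that connects to the listener with a normal SERVICE_NAME string and the host that reads a single Modbus device are left alone. In a real deployment the port map should be replaced by the organization's own asset inventory, which is what the last recommendation above produces.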