Summary (Bottom Line Up Front)
A moderate-volume SSH brute force campaign from Polish IP address 195.136.224.101 targeted network infrastructure between April 6 and April 11, 2026, generating 233 attack events. The activity is low-sophistication password guessing against SSH services; there is no evidence of a successful authentication or of any command execution. Network defenders should apply standard SSH hardening and monitor for similar brute force patterns.
Activity Timeline
INITIAL REPORT 2026-04-11T07:15:36Z
Source: Analyst Manual Entry
Initial analyst entry recording the campaign: 233 SSH brute force events from 195.136.224.101 between April 6 and April 11, 2026, consisting of low-sophistication password guessing against SSH services, with no evidence of successful authentication or command execution. Standard SSH hardening and monitoring for similar patterns recommended.
Technical details
The source address sits in AS199389 (TKT-NET), geolocated to Warsaw, Poland, and carries an AbuseIPDB confidence-of-abuse score of 91 out of 100, meaning it had already been widely reported for abuse before this activity. All observed events were SSH authentication attempts against port 2200; since that is not the default SSH port, the attacker had already discovered the service rather than relying on port 22. 24 of the attempts used the username "root". Sessions were short and no post-authentication activity was seen, which is consistent with automated password guessing rather than a hands-on operator. Scanning the source host in return showed additional exposed services (DNS, HTTP, PPTP, FTP, HTTP proxy, MikroTik), which points to a compromised router or server, or a bulletproof hosting box, rather than purpose-built attacker infrastructure. MITRE ATT&CK mapping: T1110.001 (Brute Force: Password Guessing). T1078 (Valid Accounts) would apply only if an attempt had succeeded, which the evidence does not show.
IOCs
IP: 195.136.224.101
ASN: 199389
COUNTRY: PL
Recommendations
- Require SSH key-based authentication and disable password authentication where operationally feasible (in sshd_config: PasswordAuthentication no, PubkeyAuthentication yes). Set PermitRootLogin no as well, since the observed attempts targeted root directly.
- Deploy fail2ban or an equivalent intrusion prevention tool to automatically block sources that repeatedly fail authentication; tune maxretry and bantime to the observed pattern so that a single operator typo does not lock out legitimate users.
- Restrict SSH access through firewall rules or a VPN requirement. Note that this campaign hit port 2200, so a non-standard port alone does not stop attackers who scan for SSH banners; treat the port change as noise reduction, not as a control.
- Monitor authentication logs for brute force patterns: set an alerting threshold on failed logins per source within a time window, and also alert on any successful login from a source that recently exceeded that threshold, since that is the check that confirms or rules out compromise.
- Block 195.136.224.101, or the 195.136.224.0/24 range if it is confirmed to belong to the same operator, where there is no legitimate business need for access from that infrastructure. Blocking all of AS199389 means blocking every prefix the AS announces, which is a broader decision that should be weighed against legitimate Polish traffic.
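The monitoring recommendation above, as an added example that is not part of the original report: a small Python detector run over constructed OpenSSH auth log lines (the hostname "edge1", the process IDs, the client ports, the internal host 10.0.5.17 and the "ops" user are illustrative, not observed data; the source address is the one reported above). It aggregates failures per source, flags a source when at least `threshold` failures land inside a sliding window of `window_seconds`, records root attempts and distinct usernames, and keeps any "Accepted" events so that a flagged source that was later accepted can be checked for actual compromise. The threshold and window values are assumptions to be tuned locally.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample OpenSSH auth log lines (NOT the incident's real logs; hostname,
# process IDs, client ports, the internal host 10.0.5.17 and the "ops" user are
# illustrative). The external source address is the one reported above.
SAMPLE_LOG = """\
Apr  7 03:12:41 edge1 sshd[2210]: Failed password for root from 195.136.224.101 port 51234 ssh2
Apr  7 03:12:43 edge1 sshd[2210]: Failed password for root from 195.136.224.101 port 51234 ssh2
Apr  7 03:12:44 edge1 sshd[2210]: Connection closed by authenticating user root 195.136.224.101 port 51234 [preauth]
Apr  7 03:12:50 edge1 sshd[2214]: Invalid user admin from 195.136.224.101 port 51240
Apr  7 03:12:52 edge1 sshd[2214]: Failed password for invalid user admin from 195.136.224.101 port 51240 ssh2
Apr  7 03:13:01 edge1 sshd[2219]: Failed password for root from 195.136.224.101 port 51250 ssh2
Apr  7 03:13:05 edge1 sshd[2223]: Failed password for root from 195.136.224.101 port 51255 ssh2
Apr  7 03:14:10 edge1 sshd[2230]: Failed password for ops from 10.0.5.17 port 40011 ssh2
Apr  7 03:14:15 edge1 sshd[2230]: Accepted publickey for ops from 10.0.5.17 port 40011 ssh2
"""

LOG_YEAR = 2026  # syslog timestamps carry no year; assumed from the report's dates

SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
# "Failed password for invalid user admin from ..." and "Failed password for root from ..."
FAILED_RE = re.compile(
    SYSLOG_PREFIX + r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    SYSLOG_PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _parse_ts(ts: str) -> datetime:
    # Format whitespace matches runs of spaces, so the padded day "Apr  7" parses fine.
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def _burst(times, threshold, window_seconds):
    """True if at least `threshold` events fall inside some span of `window_seconds`."""
    times = sorted(times)
    left = 0
    for right in range(len(times)):
        while (times[right] - times[left]).total_seconds() > window_seconds:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def analyze(log_text, threshold=5, window_seconds=600):
    """Aggregate sshd authentication events per source IP and flag brute-force bursts.

    Returns {ip: {"failures", "root_attempts", "users", "accepted", "alert"}}.
    "accepted" holds (timestamp, user, method) for successful logins from that source.
    """
    per_ip = defaultdict(lambda: {"fail_times": [], "root_attempts": 0,
                                  "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["fail_times"].append(_parse_ts(m["ts"]))
            rec["users"].add(m["user"])
            if m["user"] == "root":
                rec["root_attempts"] += 1
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            per_ip[m["ip"]]["accepted"].append((m["ts"], m["user"], m["method"]))

    report = {}
    for ip, rec in per_ip.items():
        report[ip] = {
            "failures": len(rec["fail_times"]),
            "root_attempts": rec["root_attempts"],
            "users": sorted(rec["users"]),
            "accepted": rec["accepted"],
            "alert": _burst(rec["fail_times"], threshold, window_seconds),
        }
    return report


def compromise_suspects(report):
    """Sources that tripped the brute-force alert AND were later accepted by sshd."""
    return sorted(ip for ip, r in report.items() if r["alert"] and r["accepted"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, r in result.items():
        flag = "ALERT" if r["alert"] else "ok"
        print(f"{ip:16} failures={r['failures']} root={r['root_attempts']} "
              f"users={r['users']} accepted={len(r['accepted'])} {flag}")
    print("successful logins from flagged sources:", compromise_suspects(result) or "none")
```

On the sample, the external source trips the alert (5 failures in 24 seconds, 4 of them against root, two distinct usernames) while the internal host does not (one failure followed by a key-based login), and `compromise_suspects` comes back empty, which is the "no evidence of successful compromise" finding expressed as a check rather than an assertion. Feed it real auth logs with `analyze(open("/var/log/auth.log").read())` and the same two outputs are what the alerting threshold and the compromise check should key on.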