Summary (Bottom Line Up Front)
Automated reconnaissance activity targeting Kubernetes API servers was observed from IP 20.168.121.187 on March 4, 2026 at 00:00 UTC. The source used the zgrab scanner to request the API server /version endpoint on port 6443; that endpoint returns the exact Kubernetes build and is answered without credentials on default clusters, so the probe yields intelligence for potential follow-up attacks. Network defenders should implement enhanced monitoring for Kubernetes API endpoints and review the access controls that allow anonymous reads.
Activity Timeline
INITIAL REPORT 2026-03-21T15:09:53Z
Source: Analyst Manual Entry
Automated reconnaissance activity targeting Kubernetes API servers was observed from IP 20.168.121.187 on March 4, 2026 at 00:00 UTC. The attacker conducted version disclosure scans against port 6443 using zgrab scanner to gather intelligence for potential follow-up attacks. Network defenders should implement enhanced monitoring for Kubernetes API endpoints and review access controls.
Technical details
Attack Vector: Automated scanning of the Kubernetes API server /version endpoint on port 6443. The endpoint returns the server build details (gitVersion, gitCommit, goVersion, platform) and, on clusters with default RBAC and anonymous authentication enabled, is readable by system:unauthenticated through the system:public-info-viewer ClusterRoleBinding.
Protocols: TCP, TLS 1.0/1.2+, HTTPS
Volume: 24 events over 20-minute window
MITRE Technique: T1595.002 (Active Scanning: Vulnerability Scanning)
Kill Chain Phase: Reconnaissance
Primary IOC: 20.168.121.187 (US-based, AbuseIPDB score 100/100)
Attack Patterns: unauthenticated Kubernetes version disclosure requests (GET /version), mass-scanning cadence across many targets, zgrab scanner user-agent string
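The activity above is visible in kube-apiserver audit logs as anonymous GET requests to /version carrying a scanner user-agent. The following is an added example of the detection logic a defender would run over those logs; it is not code from the original report. It assumes the cluster writes JSON audit events (audit.k8s.io/v1) at Metadata level or above, so that requestURI, user, sourceIPs, userAgent and requestReceivedTimestamp are present, and the sample events, the threshold and the scanner user-agent markers are constructed for the example.

```python
"""Flag unauthenticated /version probing and scanner user-agents in
kube-apiserver audit logs (added example; sample events are constructed)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of user-agent substrings typical of mass scanners.
SCANNER_UA_MARKERS = ("zgrab", "masscan", "nmap")


def _event(ts, ip, ua, username, groups, uri="/version", code=200):
    """Build one constructed audit event line in audit.k8s.io/v1 shape."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "requestURI": uri, "verb": "get",
        "user": {"username": username, "groups": groups},
        "sourceIPs": [ip], "userAgent": ua,
        "responseStatus": {"code": code},
        "requestReceivedTimestamp": ts,
    })


ANON = ("system:anonymous", ["system:unauthenticated"])
ZGRAB = "Mozilla/5.0 zgrab/0.x"
SAMPLE_AUDIT_LOG = "\n".join([
    # six zgrab hits inside 30 seconds from the reported source
    *[_event(f"2026-03-04T00:00:{s:02d}.000000Z", "20.168.121.187", ZGRAB, *ANON)
      for s in (1, 5, 9, 14, 20, 30)],
    # one more from the same host an hour later, outside the 20-minute window
    _event("2026-03-04T01:00:00.000000Z", "20.168.121.187", ZGRAB, *ANON),
    # a single anonymous curl with a query string: suspicious but below threshold
    _event("2026-03-04T00:02:00.000000Z", "203.0.113.9", "curl/8.4.0", *ANON, "/version?timeout=5s"),
    # a legitimate authenticated version check
    _event("2026-03-04T00:03:00.000000Z", "10.0.0.5", "kubectl/v1.31.0 (linux/amd64)",
           "admin@example.com", ["system:authenticated"]),
])


def parse_audit_lines(text):
    """One JSON object per non-empty line (the apiserver's log backend format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_version_probe(event):
    path = event.get("requestURI", "").split("?", 1)[0]
    return path in ("/version", "/version/")


def is_unauthenticated(event):
    user = event.get("user", {})
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))


def has_scanner_ua(event):
    ua = event.get("userAgent", "").lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


def _ts(event):
    return datetime.strptime(event["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def find_recon(events, window=timedelta(minutes=20), threshold=5):
    """Return one alert per source IP that sent at least `threshold`
    suspicious requests inside any `window`-long span. Suspicious means an
    anonymous /version read or any request with a scanner user-agent."""
    by_ip = defaultdict(list)
    for ev in events:
        if (is_version_probe(ev) and is_unauthenticated(ev)) or has_scanner_ua(ev):
            for ip in ev.get("sourceIPs", []):
                by_ip[ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        start, densest = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            alerts.append({
                "source_ip": ip, "count_in_window": densest, "total": len(evs),
                "user_agents": sorted({e.get("userAgent", "") for e in evs}),
                "first_seen": _ts(evs[0]).isoformat(), "last_seen": _ts(evs[-1]).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_recon(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(json.dumps(alert))
```

On a live cluster the same functions apply to the audit log file named by --audit-log-path, or to events shipped by a webhook backend; the threshold and window should be tuned to the cluster's own baseline, since monitoring systems that poll /version anonymously will otherwise produce alerts.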
IOCs
IP: 20.168.121.187
COUNTRY: US
Recommendations
- Implement network segmentation so the Kubernetes API server (port 6443) is reachable only from trusted networks or a bastion; kube-apiserver has no source-IP allowlist of its own, so this control belongs on the firewall, security group or load balancer in front of it
- Enable kube-apiserver audit logging with a policy at Metadata level or above, so that requestURI, sourceIPs, userAgent and the authenticated identity (system:anonymous for unauthenticated callers) are recorded for every request, including reads of /version
- Deploy rate limiting and IP-based access controls on the path to the API endpoint; API Priority and Fairness limits concurrency per flow but does not replace network-level filtering of untrusted sources
- Monitor for reconnaissance patterns targeting container orchestration platforms: bursts of anonymous requests to /version, /healthz, /api or /apis, and scanner user-agent strings such as zgrab
- Review RBAC for anonymous information disclosure: the default system:public-info-viewer ClusterRoleBinding grants system:unauthenticated read access to /version, /version/, /healthz, /livez and /readyz. Either remove the system:unauthenticated subject from that binding (setting the rbac.authorization.kubernetes.io/autoupdate annotation to "false" first, otherwise the apiserver restores the default on restart) or run kube-apiserver with --anonymous-auth=false; both changes also remove anonymous access to the health endpoints, so external health checkers must then authenticate or use a TCP check
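To act on the RBAC recommendation, a defender first needs to know which ClusterRoleBindings hand non-resource URLs to unauthenticated callers, then needs a patch that removes that grant without being reverted by the apiserver's bootstrap reconciler. The following is an added example, not code from the original report. It assumes the input is the output of `kubectl get clusterroles,clusterrolebindings -o json` (a v1 List); the SAMPLE_RBAC object is constructed to mirror the default system:public-info-viewer and system:discovery objects, and the function names are the example's own.

```python
"""Audit which non-resource URLs default RBAC exposes to unauthenticated
callers and build the kubectl JSON patch that removes the grant
(added example; SAMPLE_RBAC is constructed)."""
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
UNAUTH_SUBJECTS = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}


def _cr(name, urls):
    return {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": name, "annotations": {AUTOUPDATE: "true"}},
            "rules": [{"nonResourceURLs": urls, "verbs": ["get"]}]}


def _crb(name, groups):
    return {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": name, "annotations": {AUTOUPDATE: "true"}},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": name},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": g}
                         for g in groups]}


# Constructed to match the default bootstrap objects; not captured from a cluster.
SAMPLE_RBAC = {"kind": "List", "apiVersion": "v1", "items": [
    _cr("system:public-info-viewer", ["/healthz", "/livez", "/readyz", "/version", "/version/"]),
    _cr("system:discovery", ["/api", "/api/*", "/apis", "/apis/*", "/healthz", "/livez",
                             "/openapi", "/openapi/*", "/readyz", "/version", "/version/"]),
    _crb("system:public-info-viewer", ["system:authenticated", "system:unauthenticated"]),
    _crb("system:discovery", ["system:authenticated"]),
]}


def get_item(rbac_list, kind, name):
    return next(i for i in rbac_list["items"]
                if i["kind"] == kind and i["metadata"]["name"] == name)


def anonymous_exposures(rbac_list):
    """One finding per ClusterRoleBinding that grants a ClusterRole to
    system:unauthenticated or system:anonymous, with the nonResourceURLs
    that role makes readable (verb get or *)."""
    items = rbac_list["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        subjects = {(s.get("kind"), s.get("name")) for s in b.get("subjects", [])}
        hit = subjects & UNAUTH_SUBJECTS
        role = roles.get(b["roleRef"]["name"])
        if not hit or role is None:
            continue
        urls = sorted({u for r in role.get("rules", [])
                       if {"get", "*"} & set(r.get("verbs", []))
                       for u in r.get("nonResourceURLs", [])})
        findings.append({"binding": b["metadata"]["name"], "role": role["metadata"]["name"],
                         "subjects": sorted(n for _, n in hit), "urls": urls,
                         "autoupdate": b["metadata"].get("annotations", {}).get(AUTOUPDATE)})
    return findings


def hardening_patch(binding):
    """RFC 6902 JSON Patch for
    kubectl patch clusterrolebinding <name> --type=json -p '<patch>'
    that disables bootstrap auto-update (so the apiserver does not re-add the
    default subjects on restart) and removes the unauthenticated subjects."""
    ops = []
    if binding["metadata"].get("annotations") is None:
        ops.append({"op": "add", "path": "/metadata/annotations", "value": {AUTOUPDATE: "false"}})
    else:  # "/" inside a key is escaped as "~1" in JSON Pointer
        ops.append({"op": "add", "path": "/metadata/annotations/" + AUTOUPDATE.replace("/", "~1"),
                    "value": "false"})
    unauth = [i for i, s in enumerate(binding.get("subjects", []))
              if (s.get("kind"), s.get("name")) in UNAUTH_SUBJECTS]
    for idx in sorted(unauth, reverse=True):   # highest index first keeps lower indices valid
        ops.append({"op": "remove", "path": f"/subjects/{idx}"})
    return ops


if __name__ == "__main__":
    for f in anonymous_exposures(SAMPLE_RBAC):
        print(f"{f['binding']} -> {f['role']}: {', '.join(f['subjects'])} can GET {', '.join(f['urls'])}")
    target = get_item(SAMPLE_RBAC, "ClusterRoleBinding", "system:public-info-viewer")
    print(json.dumps(hardening_patch(target)))
```

After the patch is applied, an anonymous GET /version returns 403 and the corresponding audit event records the denied request under system:anonymous, which is the signal to keep alerting on. The same patch removes anonymous access to /healthz, /livez and /readyz, so verify load-balancer health checks before rolling it out across control-plane nodes.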