Summary (Bottom Line Up Front)
External host 200.75.2.138 (Chile, AS14259) conducted SMBv1 reconnaissance, including NTLM authentication negotiation, on March 6, 2026 at 19:00 UTC. The activity is assessed as MEDIUM risk: by itself it is reconnaissance, but it is the kind of probing that typically precedes lateral movement or credential harvesting. Network defenders should audit their SMB exposure now and disable the legacy SMBv1 protocol wherever possible.
Activity Timeline
INITIAL REPORT 2026-03-10T17:30:28Z
Source: Analyst Manual Entry
Technical details
The source host generated 5 SMB-based reconnaissance events within a 1-second window, focused on SMBv1 protocol enumeration and NTLM authentication probing. The activity maps to MITRE ATT&CK T1046 (Network Service Discovery, formerly named Network Service Scanning) and sits in the reconnaissance phase of the cyber kill chain. The source IP carries the maximum AbuseIPDB abuse-confidence score (100/100) and is hosted on SERVICIOS Y COMERCIAL RAUCO LTDA infrastructure that itself exposes management services on ports 161 (SNMP), 179 (BGP) and 8443 (HTTPS). The observed pattern (SMBv1 detection, NTLM authentication attempts and protocol negotiation) is consistent with preparation for follow-on exploitation such as EternalBlue (MS17-010) or credential theft.
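The pattern described above (a burst of SMB events from one external source inside a second, SMBv1 dialects on offer, an NTLM logon attempt that fails) is what the monitoring recommended later in this report needs to catch. The following is an added example, not tooling from the original report or from any named vendor: it runs three rules over constructed JSON-lines telemetry in a simplified schema assumed here (fields ts, src, dst, dport, event, dialects, status; not a real sensor format) and emits one alert per rule per source. The thresholds, rule names and the sample records are this example's own choices.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample telemetry (not real logs): one JSON record per SMB/NTLM
# event in a simplified schema assumed for this example. Timestamps are epoch
# seconds around 2026-03-06T19:00:00Z; the five-event burst mirrors the
# report's description.
SAMPLE_LOG = """
{"ts": 1772823600.10, "src": "200.75.2.138", "dst": "10.0.0.25", "dport": 445, "event": "smb_negotiate", "dialects": ["NT LM 0.12"], "status": ""}
{"ts": 1772823600.30, "src": "200.75.2.138", "dst": "10.0.0.25", "dport": 445, "event": "smb_negotiate", "dialects": ["NT LM 0.12", "SMB 2.002", "SMB 2.???"], "status": ""}
{"ts": 1772823600.55, "src": "200.75.2.138", "dst": "10.0.0.25", "dport": 445, "event": "ntlm_negotiate", "dialects": [], "status": ""}
{"ts": 1772823600.80, "src": "200.75.2.138", "dst": "10.0.0.25", "dport": 445, "event": "ntlm_auth", "dialects": [], "status": "STATUS_LOGON_FAILURE"}
{"ts": 1772823601.05, "src": "200.75.2.138", "dst": "10.0.0.25", "dport": 445, "event": "smb_negotiate", "dialects": ["NT LM 0.12"], "status": ""}
{"ts": 1772823650.00, "src": "10.0.0.7", "dst": "10.0.0.25", "dport": 445, "event": "smb_negotiate", "dialects": ["SMB 2.002", "SMB 3.1.1"], "status": ""}
{"ts": 1772823651.00, "src": "10.0.0.7", "dst": "10.0.0.25", "dport": 445, "event": "ntlm_auth", "dialects": [], "status": "STATUS_SUCCESS"}
"""

SMB_PORTS = {139, 445}
# Dialect strings that only an SMB1 client offers (MS-CIFS / MS-SMB).
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "NT LM 0.12"}
BURST_COUNT = 5      # this many SMB events ...
BURST_WINDOW = 1.0   # ... within this many seconds looks like a scanner


def is_external(ip: str) -> bool:
    """True for globally routable addresses; RFC 1918, loopback etc. are internal."""
    return ipaddress.ip_address(ip).is_global


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_burst(timestamps: list, count: int = BURST_COUNT, window: float = BURST_WINDOW):
    """Sliding window over sorted timestamps. Returns (first, last, n) for the
    densest window holding at least `count` events, or None."""
    best = None
    j = 0
    for i in range(len(timestamps)):
        while j < len(timestamps) and timestamps[j] - timestamps[i] <= window:
            j += 1
        n = j - i
        if n >= count and (best is None or n > best[2]):
            best = (timestamps[i], timestamps[j - 1], n)
    return best


def detect(records: list) -> list:
    """Apply three rules per source host and return a list of alert dicts."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["dport"] in SMB_PORTS:
            by_src[r["src"]].append(r)

    alerts = []
    for src, evs in by_src.items():
        external = is_external(src)
        # Rule 1: any client offering an SMB1 dialect (SMBv1 should be gone everywhere).
        smb1 = [e for e in evs if e["event"] == "smb_negotiate"
                and SMB1_DIALECTS & set(e["dialects"])]
        if smb1:
            alerts.append({"rule": "smbv1_negotiate", "src": src,
                           "external": external, "events": len(smb1)})
        if not external:
            continue  # the two rules below are about untrusted sources only
        # Rule 2: NTLM authentication from outside that did not succeed.
        failed = [e for e in evs if e["event"] == "ntlm_auth"
                  and e["status"] != "STATUS_SUCCESS"]
        if failed:
            alerts.append({"rule": "external_ntlm_failure", "src": src, "events": len(failed),
                           "statuses": sorted({e["status"] for e in failed})})
        # Rule 3: scanner-like burst of SMB events in a short window.
        burst = find_burst([e["ts"] for e in evs])
        if burst:
            first, last, n = burst
            alerts.append({"rule": "smb_recon_burst", "src": src, "events": n,
                           "span_s": round(last - first, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample, the external host trips all three rules and the internal host, which offers only SMB2/3 dialects and authenticates successfully, trips none. Rule 1 is deliberately not limited to external sources: an internal client still speaking NT LM 0.12 is exactly what the SMBv1-disablement recommendation is meant to surface.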
IOCs
IP: 200.75.2.138
ASN: 14259
COUNTRY: CL
Recommendations
- Block traffic from 200.75.2.138 and monitor for additional reconnaissance from AS14259 (SERVICIOS Y COMERCIAL RAUCO LTDA.)
- Disable the SMBv1 protocol across all Windows systems and enforce SMBv2/v3 as the minimum dialect
- Audit network exposure of SMB services (ports 139/445) and restrict access to authorized internal networks only
- Implement enhanced monitoring for SMB authentication failures and unusual NTLM negotiation attempts
- Review firewall rules to ensure management protocols (SNMP, BGP) are not exposed to untrusted networks
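The audit recommended above can be checked host by host with the same kind of probe the attacker used: an SMB_COM_NEGOTIATE that offers only the SMB1 dialect NT LM 0.12. A host with SMBv1 disabled has nothing to select and closes the connection; a host with SMBv1 enabled picks the dialect and answers with an SMB1-framed reply. The following is an added example, not tooling from the original report or from any vendor. The header layouts are the standard MS-CIFS and MS-SMB2 ones; the function names (build_smb1_negotiate, classify, probe) and the constructed replies used for offline testing are this example's own, and the flag values chosen for the request are ordinary defaults, not something the report specifies. Only run probe() against hosts you are authorised to test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def _nbss(payload: bytes) -> bytes:
    """NetBIOS Session Service framing used by SMB over direct TCP/445."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def build_smb1_negotiate(dialects=("NT LM 0.12",)) -> bytes:
    """SMB_COM_NEGOTIATE request. Offering only SMB1 dialects is the point:
    a server with SMBv1 disabled cannot answer, an enabled one selects one."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: canonical, case-insensitive paths
        0xC853,             # Flags2: unicode, NT status, extended security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0, 0,               # Reserved, TID
        0xFEFF,             # PIDLow (arbitrary)
        0, 0)               # UID, MID
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(header + struct.pack("<BH", 0, len(data)) + data)  # WordCount=0, ByteCount


def classify(reply: bytes, dialects=("NT LM 0.12",)) -> dict:
    """Interpret whatever came back from the negotiate, including nothing."""
    if len(reply) < 4:
        return {"smb1": False, "verdict": "no reply: SMBv1 disabled, port filtered, or host down"}
    body = reply[4:]  # strip the NBSS header
    if body[:4] == SMB1_MAGIC and len(body) >= 35:
        status = struct.unpack_from("<I", body, 5)[0]
        word_count = body[32]
        index = struct.unpack_from("<H", body, 33)[0]  # first parameter word: DialectIndex
        if status == 0 and word_count > 0 and index < len(dialects):
            return {"smb1": True, "verdict": f"SMBv1 ENABLED: server selected {dialects[index]!r}"}
        return {"smb1": False, "verdict": "SMB1-framed reply but no dialect accepted"}
    if body[:4] == SMB2_MAGIC and len(body) >= 70:
        rev = struct.unpack_from("<H", body, 68)[0]  # SMB2 NEGOTIATE DialectRevision
        return {"smb1": False, "verdict": f"SMB2 reply, dialect 0x{rev:04X}: SMBv1 refused"}
    return {"smb1": False, "verdict": "unrecognised reply"}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the SMB1-only negotiate to a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        try:
            hdr = _recv_exact(s, 4)
            reply = hdr + _recv_exact(s, int.from_bytes(hdr[1:], "big"))
        except (OSError, EOFError):  # reset, timeout, or a clean close
            reply = b""
    return classify(reply)


# Constructed replies for offline use; not captured from any real server.
def constructed_smb1_reply(dialect_index: int) -> bytes:
    header = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC853, 0,
                                      b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    words = struct.pack("<H", dialect_index) + b"\x00" * 32  # 17 parameter words, rest zeroed
    return _nbss(header + bytes([17]) + words + struct.pack("<H", 0))


def constructed_smb2_reply(dialect_revision: int = 0x02FF) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0,
                                      b"\x00" * 16)
    body = struct.pack("<HHH", 65, 1, dialect_revision) + b"\x00" * 59  # rest of body zeroed
    return _nbss(header + body)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host)["verdict"])
```

Two caveats when reading results: a closed connection or timeout proves only that this probe got no SMB1 answer (a firewall dropping 445 looks the same as SMBv1 disabled), and a server that answers an SMB1 request with an SMB2-framed reply does so only when the client also offered "SMB 2.002" or "SMB 2.???", which this probe deliberately does not. Pair the probe with the host-side configuration check rather than relying on it alone.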