203.192.224.97

Summary (Bottom Line Up Front)

A Windows Server 2012 R2 system in Nagpur, India conducted SMBv1 protocol negotiation attempts against network infrastructure on April 19, 2026 between 07:00-09:00 UTC. This reconnaissance activity poses HIGH risk as it targets legacy SMB services vulnerable to critical remote code execution exploits including EternalBlue. Immediate blocking of the source IP and network-wide SMBv1 disablement is recommended.

Tags: SMB, TCP
Activity Timeline
INITIAL REPORT 2026-04-19T08:42:36Z
Source: Analyst Manual Entry
Technical details
The threat actor leveraged IP address 203.192.224.97 (AS17665 Indusind Media And Communication Ltd.) to conduct 4 SMB exploitation probes over a 2-hour window. Activity mapped to MITRE technique T1190 (Exploit Public-Facing Application) during the reconnaissance phase of the cyber kill chain. The attacker specifically targeted SMBv1 protocol negotiations on port 445, attempting to identify vulnerable services. While no CVEs were directly exploited, SMBv1 exposure enables numerous critical vulnerabilities. The source maintains an AbuseIPDB reputation score of 100/100, indicating confirmed malicious activity.
IOCs
IP: 203.192.224.97
ASN: 17665
Country: IN
Recommendations
  • Block source IP 203.192.224.97 at network perimeter and endpoint security controls
  • Disable SMBv1 protocol across all Windows systems and network infrastructure
  • Implement network segmentation to restrict SMB traffic to authorized systems only
  • Deploy enhanced monitoring for SMB protocol anomalies and exploitation attempts
  • Conduct vulnerability assessment to identify and remediate exposed SMB services
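To support the SMB monitoring recommendation above, here is an added detection example (not part of this report) that parses a TCP/445 payload and separates a legacy SMBv1-only Negotiate request, the pattern described in the technical details, from the multi-protocol negotiate that a patched Windows client sends; all sample packets are constructed inline, and the `sample_negotiate` helper exists only to build that test data.

```python
import struct

SMB1_MAGIC = b"\xffSMB"          # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72         # SMB1 Negotiate Protocol command


def parse_smb1_negotiate(payload: bytes):
    """Return the dialect strings of an SMB1 Negotiate request, or None if the
    TCP/445 payload is not one. Layout: 4-byte NetBIOS session header, 32-byte
    SMB1 header, WordCount (1), ByteCount (2, LE), then entries of
    0x02 + NUL-terminated ASCII dialect name."""
    smb = payload[4:]                       # skip NetBIOS session service header
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = smb[32]
    params_end = 33 + 2 * word_count        # parameter words follow WordCount
    if params_end + 2 > len(smb):
        return None                         # truncated request
    (byte_count,) = struct.unpack_from("<H", smb, params_end)
    data = smb[params_end + 2: params_end + 2 + byte_count]
    return [entry[1:].decode("ascii", errors="replace")
            for entry in data.split(b"\x00")
            if entry.startswith(b"\x02") and len(entry) > 1]


def classify(payload: bytes) -> str:
    """'smb2' for a native SMB2+ request; 'multiprotocol' for an SMB1 Negotiate
    that also offers SMB 2.x dialects (what a patched client sends); 'smb1-only'
    when no SMB2 dialect is offered, the legacy pattern this report describes."""
    if payload[4:8] == SMB2_MAGIC:
        return "smb2"
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return "not-smb"
    if any(d.startswith("SMB 2.") for d in dialects):
        return "multiprotocol"
    return "smb1-only"


def sample_negotiate(dialects):
    """Constructed test data only: assemble an SMB1 Negotiate request carrying
    the given dialect names, in the layout parse_smb1_negotiate expects."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb
```

Feeding `classify` the first client payload of each TCP/445 flow lets a sensor alert only on `smb1-only` negotiations, which is the signal worth escalating once SMBv1 has been disabled internally.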