Summary (Bottom Line Up Front)
A US-based threat actor conducted targeted reconnaissance against Kubernetes infrastructure over a 4-hour window on March 10, 2026, generating 127 events between 11:00-11:00 UTC. The activity combined automated scanning behavior consistent with Censys research infrastructure alongside specific Kubernetes API enumeration attempts, indicating potential preparation for container orchestration platform exploitation. The actor demonstrated focused targeting against a single destination port with mixed legitimate research tooling and malicious reconnaissance techniques.
Activity Timeline
UPDATE 1 (2026-03-14T16:26:23Z)
Source: Analyst Manual Entry
New findings
The threat actor employed multiple protocols including TCP SYN scanning, TLS 1.0, TLS 1.2+, and HTTPS communications targeting Kubernetes infrastructure. Attack techniques included API server enumeration (MITRE T1613: Container and Resource Discovery) and version disclosure attempts against Kubernetes endpoints (MITRE T1082: System Information Discovery). Traffic analysis revealed bot-like user agent strings characteristic of automated scanning tools, specifically matching Censys research scanner signatures. The actor utilized encrypted channels for reconnaissance, leveraging both legacy TLS 1.0 and modern TLS 1.2+ protocols. Kubernetes-specific attack patterns included direct API enumeration attempts and version fingerprinting queries designed to identify exploitable container orchestration platforms.
INITIAL REPORT (2026-03-14T16:20:14Z)
Source: Analyst Manual Entry
A US-based threat actor conducted targeted reconnaissance against Kubernetes infrastructure over a 4-hour window on March 10, 2026, generating 127 events between 11:00-11:00 UTC. The activity combined automated scanning behavior consistent with Censys research infrastructure with specific Kubernetes API enumeration attempts, indicating either dual-purpose reconnaissance or coordinated scanning operations. The actor demonstrated focused targeting against a single destination port with mixed legitimate research and malicious enumeration patterns.
Technical details
The actor employed multiple protocols including TCP SYN scanning, TLS 1.0, TLS 1.2+, and HTTPS communications targeting Kubernetes infrastructure. Observed attack techniques included API server enumeration (T1613 - Container and Resource Discovery) and version disclosure attempts against Kubernetes endpoints. The traffic exhibited characteristics of both automated scanning tools and targeted reconnaissance, with user-agent patterns matching Censys research scanning infrastructure alongside specific Kubernetes API probing attempts. All activity concentrated on a single destination port, suggesting focused targeting rather than broad port scanning. The actor utilized encrypted communications channels (TLS/HTTPS) for reconnaissance activities, indicating operational security awareness.
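The indicators described in the report (probes of Kubernetes API discovery endpoints, version fingerprinting, research-scanner user agents, legacy TLS on a single destination port) can be turned into a per-source triage check. The following is an added example written for this page, not code from the report or its source platform. It assumes a constructed, simplified access-log format with one request per line; the destination port 6443 (the Kubernetes API server default) and the "CensysInspect" user-agent marker are assumptions, since the report names neither the port nor the exact user-agent string. The sample log lines are constructed and reuse only the IOC address listed on the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Kubernetes API server paths that unauthenticated scanners commonly probe.
# These are real API server endpoints; treating them as the "API enumeration"
# surface is an assumption about what the report observed.
K8S_DISCOVERY_PATHS = {"/version", "/api", "/apis", "/api/v1", "/healthz", "/livez", "/readyz"}

# Substrings associated with research-scanner user agents (assumed marker; the
# report only says the UA matched Censys scanner signatures).
RESEARCH_SCANNER_UA_MARKERS = ("CensysInspect", "censys")

# Legacy TLS versions worth flagging on an API server port.
LEGACY_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed log format: ts src= dport= tls= METHOD path status= ua="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) tls=(?P<tls>\S+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample lines: the first source mimics the reported behaviour,
# the second is a normal kubectl user from a documentation-range address.
SAMPLE_LOG = [
    '2026-03-10T11:02:13Z src=206.168.34.50 dport=6443 tls=TLSv1.2 GET /version status=200 '
    'ua="Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"',
    '2026-03-10T11:02:14Z src=206.168.34.50 dport=6443 tls=TLSv1 GET /api status=403 '
    'ua="Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"',
    '2026-03-10T11:41:07Z src=206.168.34.50 dport=6443 tls=TLSv1.3 GET /apis status=403 ua="curl/8.5.0"',
    '2026-03-10T12:15:30Z src=206.168.34.50 dport=6443 tls=TLSv1.2 GET /version?timeout=32s status=200 '
    'ua="Go-http-client/1.1"',
    '2026-03-10T11:30:00Z src=192.0.2.10 dport=6443 tls=TLSv1.3 GET /api/v1/namespaces/default/pods '
    'status=200 ua="kubectl/v1.29.0 (linux/amd64)"',
    'this line is deliberately unparseable',
]


@dataclass
class SourceProfile:
    events: int = 0
    dports: set = field(default_factory=set)
    discovery_paths: set = field(default_factory=set)
    tls_versions: set = field(default_factory=set)
    scanner_ua_hits: int = 0
    version_disclosure_attempts: int = 0


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_sources(lines):
    """Aggregate per-source reconnaissance indicators over an iterable of log lines."""
    profiles = defaultdict(SourceProfile)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        p = profiles[rec["src"]]
        p.events += 1
        p.dports.add(int(rec["dport"]))
        p.tls_versions.add(rec["tls"])
        # Normalise the path: drop the query string and a trailing slash.
        path = rec["path"].split("?", 1)[0].rstrip("/") or "/"
        if path in K8S_DISCOVERY_PATHS:
            p.discovery_paths.add(path)
        if path == "/version":
            p.version_disclosure_attempts += 1
        if any(m.lower() in rec["ua"].lower() for m in RESEARCH_SCANNER_UA_MARKERS):
            p.scanner_ua_hits += 1
    return dict(profiles)


def classify(profile):
    """Map one SourceProfile onto the indicator tags used in the report."""
    tags = []
    if profile.discovery_paths:
        tags.append("T1613 container/resource discovery")
    if profile.version_disclosure_attempts:
        tags.append("T1082 version fingerprinting")
    if profile.scanner_ua_hits:
        tags.append("research-scanner user agent")
    if profile.tls_versions & LEGACY_TLS:
        tags.append("legacy TLS")
    if len(profile.dports) == 1 and profile.events >= 3:
        tags.append("single-port focus")
    return tags


def summarize(lines):
    """Return {source_ip: [tags]} for every source seen in the log."""
    return {src: classify(p) for src, p in profile_sources(lines).items()}


if __name__ == "__main__":
    for src, tags in summarize(SAMPLE_LOG).items():
        print(src, "->", tags or ["no reconnaissance indicators"])
```

Run as a script it prints one line per source; the scanner address collects all five tags while the kubectl user collects none, which is the separation a triage analyst wants before pivoting to the IOC list. Thresholds such as `events >= 3` for the single-port tag are tuning knobs, not values from the report.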
IOCs
IP: 206.168.34.50
Country: US