210.171.212.149

Summary (Bottom Line Up Front)

External threat actor at 2[REDACTED] (Japan/AS7672) conducted sustained SMBv1 protocol reconnaissance against network infrastructure from March 4-16, 2026. This activity represents HIGH-risk preparation for potential EternalBlue-style remote code execution attacks targeting legacy SMB services. Immediate SMBv1 disablement and SMB hardening measures are recommended across all network segments.

Activity Timeline
UPDATE 1 2026-03-21T15:22:35Z
Source: Analyst Manual Entry
New findings
Threat actor leveraged SMBv1 protocol negotiation techniques over a 12-day campaign, generating 20 attack events focused primarily on SMB service enumeration. Activity maps to MITRE T1210 (Exploitation of Remote Services) within the reconnaissance phase of the cyber kill chain. Source infrastructure shows the maximum AbuseIPDB reputation score (100/100) with exposed HTTPS (443) and MSSQL (1433) services, suggesting compromised business infrastructure rather than a dedicated attack platform. Attack patterns concentrated on probing for and using legacy SMBv1, indicating preparation to exploit critical vulnerabilities in outdated SMB implementations.
Recommendations
  • Immediately disable SMBv1 protocol across all Windows systems and network shares to eliminate primary attack vector
  • Implement network segmentation to restrict SMB traffic (ports 445, 139) to authorized business requirements only
  • Deploy enhanced monitoring for SMB protocol anomalies and block traffic from 2[REDACTED] at perimeter defenses
  • Conduct urgent vulnerability assessment of all SMB-enabled systems, prioritizing patch deployment for SMB-related security updates
  • Review and harden MSSQL instances, given that the attacker's own exposed database services suggest potential SQL-based follow-on attacks
INITIAL REPORT 2026-03-14T16:23:54Z
Source: Analyst Manual Entry
External actor at 2[REDACTED] conducted sustained SMBv1 reconnaissance activity over a 9-day period from March 4-13, 2026. Assessment: HIGH threat level with 85% confidence, based on targeting of the legacy SMB protocol vulnerable to critical remote code execution exploits. Actor demonstrated focused scanning behavior against SMB services, indicating potential preparation for exploitation of EternalBlue-class vulnerabilities.
Technical details
Actor initiated SMBv1 protocol negotiation attempts against internet-facing SMB services on standard ports 139/445. Traffic analysis revealed specific targeting of SMBv1 dialect negotiation, triggering detection signatures for legacy SMB protocol usage. Activity maps to MITRE ATT&CK technique T1210 (Exploitation of Remote Services) within the Initial Access tactic, specifically targeting the reconnaissance phase of the kill chain. No specific CVEs were directly exploited during the observed timeframe, though SMBv1 usage indicates preparation for potential MS17-010 (EternalBlue) exploitation vectors. Source infrastructure shows no VPN usage, originating from Hokuden Information System Service Co., Ltd. (AS7672) in Toyama, Japan, with a maximum AbuseIPDB reputation score indicating prior malicious activity.
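Added example, not code from this report or its platform: a parser for the SMB1 Negotiate Protocol Request described above that separates a legacy-only client (no SMB2 dialect offered, the behaviour a "legacy SMB protocol usage" signature should fire on) from a current Windows client, whose first request is also an SMB1 negotiate but additionally offers SMB2 dialects. The sample frames are constructed here with the standard SMB dialect strings; they are not traffic captured from this incident.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECTS = {"SMB 2.002", "SMB 2.???"}  # offered by SMB2-capable clients

def parse_smb1_negotiate(frame: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 Negotiate Protocol Request (TCP/445).

    verdict 'smb1_only': no SMB2 dialect offered (legacy-only client, the
    case a legacy-SMB signature should alert on); 'multi': SMB2 dialects
    present, the normal first request of a modern Windows client."""
    if len(frame) < 39 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]  # 3-byte big-endian length
    if smb[:4] == SMB2_MAGIC:
        raise ValueError("SMB2/3 header, not SMB1")
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    wc = smb[32]                                        # WordCount (0 for NEGOTIATE)
    bc = struct.unpack_from("<H", smb, 33 + 2 * wc)[0]  # ByteCount, little-endian
    data = smb[35 + 2 * wc:35 + 2 * wc + bc]
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:  # each entry: 0x02 + NUL-terminated ASCII dialect
            raise ValueError("malformed dialect list")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    verdict = "multi" if SMB2_DIALECTS & set(dialects) else "smb1_only"
    return {"dialects": dialects, "verdict": verdict}

def build_smb1_negotiate(dialects) -> bytes:
    """Construct a minimal SMB1 NEGOTIATE request; used only to build sample input."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27  # 32-byte header
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body     # WordCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb               # NetBIOS framing

# Constructed samples: a legacy-only negotiate of the kind an SMBv1 scanner sends,
# and the multi-protocol negotiate a current Windows client sends first.
LEGACY_ONLY = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MODERN_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])

if __name__ == "__main__":
    for name, frame in (("legacy_only", LEGACY_ONLY), ("modern_client", MODERN_CLIENT)):
        print(name, parse_smb1_negotiate(frame))
```

A signature that fires on every 0xFF SMB negotiate will alert on ordinary Windows clients; the useful condition is the `smb1_only` verdict, plus the fan-out of such requests across many hosts that the report describes.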
IOCs
IP: 210.171.212.149
ASN: 7672
COUNTRY: JP