Summary (Bottom Line Up Front)
IP address 216.180.246.96 conducted targeted vulnerability scanning against network infrastructure on March 11, 2026, between 22:00 and 24:00 UTC. The activity represents low-to-medium risk automated reconnaissance, with 127 events recorded over an 11-minute window. Organizations should monitor for similar scanning patterns and ensure web application security controls are current.
Activity Timeline
INITIAL REPORT 2026-03-14T17:54:06Z
Source: batch_hunting
Technical details
- Source: 216.180.246.96 (US-based, ASN unknown, no VPN detected)
- Activity Window: March 11, 2026, 22:00-24:00 UTC (11-minute active period)
- Volume: 127 events targeting single destination port
- Protocols: HTTPS over TLS 1.0/1.2+, TCP SYN scanning
- Attack Vector: Vulnerability path enumeration (SCANNER/scan_vuln_paths)
- MITRE ATT&CK: T1595.002 (Active Scanning: Vulnerability Scanning)
- IOC: 216.180.246.96
IOCs
IP:216.180.246.96
COUNTRY:US
Recommendations
- Block IP address 216.180.246.96 at perimeter firewalls and web application firewalls
- Review web server logs for successful vulnerability exploitation attempts during the specified timeframe
- Ensure all web applications have current security patches and proper input validation
- Implement rate limiting on web services to mitigate automated scanning attempts
- Monitor for similar scanning patterns targeting single ports with high event volumes over short timeframes