221.166.248.230

Summary (Bottom Line Up Front)

A South Korean IP address (221.166.248.230) conducted sustained automated credential capture attacks against network infrastructure over a 5-day period from March 28-April 2, 2026, generating 1,240 malicious events. This represents low-sophistication opportunistic scanning with medium threat level due to persistence and targeting of authentication services. Network defenders should implement enhanced monitoring for credential-based attacks and consider blocking the identified IOC.

Tags: TCP, TCP/SYN, Telnet
Activity Timeline
INITIAL REPORT 2026-05-05T11:08:47Z
Source: Analyst Manual Entry
Technical details
The attacker operated from Korea Telecom infrastructure (AS4766) in Gumi, South Korea, with a maximum AbuseIPDB reputation score indicating confirmed malicious activity. Primary attack vectors included TCP-based credential capture attempts via Telnet protocol, with 252 total authentication-related events (168 retry attempts, 84 direct authentication probes). Secondary reconnaissance included SMB scanning activity with minimal payload content ("20080826"). The campaign demonstrated automated tooling characteristics with consistent targeting of authentication services on port 23/TCP. Attack classification aligns with T1110 (Brute Force) techniques in the MITRE ATT&CK framework, representing Initial Access phase activities.
IOCs
IP: 221.166.248.230
ASN: 4766
COUNTRY: KR
Recommendations
  • Block IP address 221.166.248.230 at network perimeter and consider temporary geofencing of AS4766 if operationally feasible
  • Implement rate limiting and account lockout policies for Telnet and SSH services to mitigate credential brute force attempts
  • Deploy enhanced logging and alerting for authentication failures across network infrastructure devices
  • Conduct audit of exposed management interfaces and disable unnecessary Telnet services in favor of encrypted alternatives
  • Review and strengthen default credentials on network appliances, particularly those with SNMP (port 161) exposure
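The "enhanced logging and alerting for authentication failures" recommendation above is the kind of control that is easy to state and easy to get wrong (a fixed per-day count misses bursts; no allow-listing floods analysts with typo noise). The following is an added example, not part of the original report: a small detector that parses Telnet authentication-failure log lines, counts failures per source in a sliding window, and raises an alert either when a source crosses a burst threshold or on first contact from a known-bad IOC. The log format, host name, user names, timestamps and the two non-IOC source addresses are constructed for the example; only 221.166.248.230 comes from the report.

```python
"""Sliding-window Telnet auth-failure detector (added example, not the report's tooling).

Assumed log line format (constructed for this example):
    <ISO-8601 timestamp> <host> telnetd: auth failure for user '<user>' from <ipv4>
Lines that do not match this format are ignored.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: auth failure for user "
    r"'(?P<user>[^']*)' from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# IOC taken from the report above; everything else in this file is constructed.
KNOWN_BAD = {"221.166.248.230"}

# Constructed sample log: a burst from the report's IOC, two typos from an
# internal operator host, a five-failure burst from a second external address,
# and one unrelated line that must be skipped by the parser.
SAMPLE_LOG = """\
2026-03-28T02:14:01Z edge-rtr1 telnetd: auth failure for user 'admin' from 221.166.248.230
2026-03-28T02:14:03Z edge-rtr1 telnetd: auth failure for user 'root' from 221.166.248.230
2026-03-28T02:14:05Z edge-rtr1 telnetd: auth failure for user 'admin' from 221.166.248.230
2026-03-28T02:14:07Z edge-rtr1 telnetd: auth failure for user 'cisco' from 221.166.248.230
2026-03-28T02:14:10Z edge-rtr1 telnetd: auth failure for user 'admin' from 221.166.248.230
2026-03-28T02:14:12Z edge-rtr1 telnetd: auth failure for user 'support' from 221.166.248.230
2026-03-28T02:15:00Z edge-rtr1 telnetd: auth failure for user 'netops' from 10.0.0.5
2026-03-28T02:15:40Z edge-rtr1 telnetd: auth failure for user 'netops' from 10.0.0.5
2026-03-28T02:20:00Z edge-rtr1 telnetd: auth failure for user 'admin' from 203.0.113.7
2026-03-28T02:20:04Z edge-rtr1 telnetd: auth failure for user 'admin' from 203.0.113.7
2026-03-28T02:20:08Z edge-rtr1 telnetd: auth failure for user 'admin' from 203.0.113.7
2026-03-28T02:20:12Z edge-rtr1 telnetd: auth failure for user 'admin' from 203.0.113.7
2026-03-28T02:20:16Z edge-rtr1 telnetd: auth failure for user 'admin' from 203.0.113.7
2026-03-28T02:21:00Z edge-rtr1 telnetd: session opened for user 'netops' from 10.0.0.5
"""


def parse_line(line):
    """Return a dict with ts (aware datetime), host, user, ip; None if the line is not an auth failure."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Replace a trailing 'Z' so fromisoformat() accepts it on Python < 3.11.
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_seconds=60):
    """Scan log lines in order and return (alerts, counts).

    alerts: {ip: (alert_time, reason)}; an IP is alerted at most once, the first
            time it reaches `threshold` failures within any `window_seconds`
            window, or on its very first failure if it is a known-bad IOC.
    counts: {ip: total failures seen}, for reporting regardless of alerting.
    """
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    counts = defaultdict(int)
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        counts[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if ip in alerts:
            continue
        if ip in KNOWN_BAD:
            alerts[ip] = (ts, "known-bad IOC")
        elif len(q) >= threshold:
            alerts[ip] = (ts, f"{len(q)} failures in {window_seconds}s")
    return alerts, dict(counts)


def block_list(alerts):
    """Sorted list of source IPs to hand to a perimeter block rule or firewall object group."""
    return sorted(alerts)


if __name__ == "__main__":
    found, totals = detect(SAMPLE_LOG.splitlines())
    for ip, (when, why) in found.items():
        print(f"ALERT {ip} at {when.isoformat()}: {why} (total failures {totals[ip]})")
    print("block:", ", ".join(block_list(found)))
```

Run as-is, the detector alerts on the report IOC at its first failure and on 203.0.113.7 once its fifth failure lands inside the 60-second window, while the two spaced-out failures from 10.0.0.5 never reach the threshold. In production the window and threshold should be tuned against the device's normal operator error rate, and the block decision should feed an existing change process rather than a direct firewall push.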