Summary (Bottom Line Up Front)
A threat actor operating from an Indonesian ISP address (36.68.34.81, PT TELKOM INDONESIA, AS7713) conducted SMBv1 reconnaissance against a non-standard port (TCP 9001) over roughly 26 hours beginning March 2, 2026 06:00 UTC. Assessment: HIGH, because the deprecated SMBv1 protocol being probed is the vector for EternalBlue-class remote code execution and lateral movement; no exploitation was observed. Immediate SMBv1 disablement and enhanced SMB monitoring are required.
Activity Timeline
INITIAL REPORT 2026-03-10T13:07:26Z
Source: Analyst Manual Entry
A threat actor operating from an Indonesian ISP address (36.68.34.81, PT TELKOM INDONESIA, AS7713) conducted SMBv1 reconnaissance against a non-standard port (TCP 9001) over roughly 26 hours beginning March 2, 2026 06:00 UTC. Assessment: HIGH, because the deprecated SMBv1 protocol being probed is the vector for EternalBlue-class remote code execution and lateral movement; no exploitation was observed. Immediate SMBv1 disablement and enhanced SMB monitoring are required.
Technical details
Source IP 36.68.34.81 (PT TELKOM INDONESIA, AS7713, geolocated to Pekanbaru) generated 21 security events in which SMBv1 was detected on non-standard TCP port 9001. The observed activity is reconnaissance (scanning for SMB on an unexpected port; ATT&CK T1595 Active Scanning / T1046 Network Service Discovery). T1210 Exploitation of Remote Services is the follow-on technique such scanning prepares for, and it was not observed. The medium-severity detections fired on the smb1_detected and smb_smb1_usage signatures, app-layer detections that identify SMB regardless of destination port, which is how SMBv1 can be flagged on 9001 at all. The source sits in consumer ISP address space and carries an AbuseIPDB abuse-confidence score of 62%. Services open on the source (DNS on 53, L2TP on 1701, an HTTP proxy on 8080) are consistent with a compromised customer device or router being used as scanning infrastructure rather than a dedicated attack host. No active exploitation was observed, but any reachable SMBv1 service is a critical attack surface for EternalBlue-class vulnerabilities. Before acting on the HIGH rating, confirm from the session records whether the targeted host actually answered the SMB negotiation on port 9001: a responding SMBv1 service is a live exposure to remediate, whereas unanswered probes are scanner noise that still justify the SMBv1 audit but not incident response.
IOCs
IP:36.68.34.81
ASN:7713
COUNTRY:ID
Recommendations
- Immediately disable SMBv1 (both the SMB1Protocol Windows feature and the SMB server's EnableSMB1Protocol setting) on all Windows systems, and remove SMBv1 support from NAS devices, printers and other appliances that still offer it; verify afterwards that no client still negotiates an SMB1 dialect so that any legacy device that depended on it surfaces
- Block inbound connections from 36.68.34.81 at the perimeter. Do not block AS7713 wholesale: it is a large consumer ISP with dynamically assigned addresses, so the same operator can reappear from a different address. Monitor for further SMB reconnaissance from that ASN instead
- Audit the network for SMB exposed on non-standard ports and for any SMB service reachable from the internet, and restrict SMB (TCP 139/445 and any relocated port) to the internal segments that need it
- Deploy enhanced monitoring for SMB anomalies (SMB1 dialect negotiation, SMB on unexpected ports, SMB from non-domain hosts) and for lateral-movement indicators such as unusual admin-share access
- Conduct a vulnerability assessment focused on legacy protocol exposure and patch gaps, starting with MS17-010 coverage on any host that still negotiates SMBv1
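The following Python script is an added example, not code from the report or from its sensor tooling. It shows the mechanics behind the technical details above and the non-standard-port audit recommendation: how SMBv1 is recognised from the packet header independent of port (which is why smb1_detected can fire on TCP 9001), how sensor events are aggregated into the per-source count, time span and non-standard-port list that the report quotes, and a probe that offers only an SMB1 dialect to a host and port to test whether it still negotiates SMBv1. The JSON event lines are constructed for the example (four probes instead of the reported 21, plus one internal host still speaking SMB1), and the event field names, the choice to leave the SMB1 header fields other than the command byte zero, and all function names are assumptions.

```python
"""SMBv1 triage helpers: port-agnostic dialect detection, per-source event
aggregation, and an SMB1 probe for the non-standard-port audit.

Added example, not code from the original report. The sensor events below are
constructed to resemble the smb1_detected / smb_smb1_usage signatures the
report names; field names, payload layout and all function names are
assumptions.
"""
import ipaddress
import json
import socket
import struct
from datetime import datetime, timezone

STANDARD_SMB_PORTS = {139, 445}
SMB1_MAGIC = b"\xffSMB"   # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"   # SMB2/3 header signature
SMB1_NEGOTIATE = 0x72     # SMB_COM_NEGOTIATE


def build_smb1_negotiate(dialects):
    """Build a minimal SMB1 Negotiate Protocol request inside a NetBIOS session
    message (constructed input; the 32-byte SMB1 header is zero apart from the
    magic and the command byte)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 27
    # WordCount (0 for Negotiate), ByteCount, then the 0x02-prefixed dialect strings
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb  # session message + 3-byte length


def smb_dialects(payload):
    """Classify a raw TCP payload by its SMB header and, for an SMB1 Negotiate
    request, return the dialect strings offered. Returns (family, dialects).
    The check keys on the header, not the port, which is why a sensor can raise
    smb1_detected on TCP 9001 as readily as on 445."""
    body = payload[4:]  # skip the 4-byte NetBIOS session header
    if body[:4] == SMB2_MAGIC:
        return "SMB2", []
    if body[:4] != SMB1_MAGIC:
        return None, []
    dialects = []
    if len(body) >= 35 and body[4] == SMB1_NEGOTIATE:
        bytecount = struct.unpack_from("<H", body, 33)[0]
        for chunk in body[35:35 + bytecount].split(b"\x00"):
            if chunk.startswith(b"\x02"):
                dialects.append(chunk[1:].decode("ascii", "replace"))
    return "SMB1", dialects


# Constructed sensor output (JSON lines): four probes from the reported source
# spanning about 26 hours, plus one internal host still speaking SMB1 on 445.
SAMPLE_EVENTS = """\
{"ts": "2026-03-02T06:00:11Z", "src_ip": "36.68.34.81", "dst_ip": "10.0.0.5", "dst_port": 9001, "sig": "smb1_detected", "severity": "medium"}
{"ts": "2026-03-02T06:00:12Z", "src_ip": "36.68.34.81", "dst_ip": "10.0.0.5", "dst_port": 9001, "sig": "smb_smb1_usage", "severity": "medium"}
{"ts": "2026-03-02T17:42:03Z", "src_ip": "36.68.34.81", "dst_ip": "10.0.0.5", "dst_port": 9001, "sig": "smb1_detected", "severity": "medium"}
{"ts": "2026-03-03T08:05:40Z", "src_ip": "36.68.34.81", "dst_ip": "10.0.0.5", "dst_port": 9001, "sig": "smb1_detected", "severity": "medium"}
{"ts": "2026-03-03T08:10:00Z", "src_ip": "10.0.0.7", "dst_ip": "10.0.0.5", "dst_port": 445, "sig": "smb_smb1_usage", "severity": "medium"}
"""


def summarize(lines):
    """Aggregate events per source IP: count, first/last seen, span in hours,
    and which targeted ports are non-standard for SMB."""
    by_src = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        s = by_src.setdefault(ev["src_ip"], {"count": 0, "first": ts, "last": ts,
                                             "ports": set(), "sigs": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["ports"].add(ev["dst_port"])
        s["sigs"].add(ev["sig"])
    for s in by_src.values():
        s["hours"] = round((s["last"] - s["first"]).total_seconds() / 3600, 1)
        s["nonstandard_ports"] = sorted(s["ports"] - STANDARD_SMB_PORTS)
    return by_src


def classify(src_ip, s):
    """Separate the external scanner from internal legacy SMB1 use, which the
    same signatures also surface and which the audit recommendation targets."""
    if ipaddress.ip_address(src_ip).is_private:
        return "internal SMB1 use: legacy client or server to remediate"
    if s["nonstandard_ports"]:
        return "external SMB1 probe of non-standard port(s): reconnaissance"
    return "external SMB1 probe of standard SMB port"


def probe_smb1(host, port, timeout=3.0):
    """Audit helper: offer only the SMB1 dialect NT LM 0.12 to host:port and
    report what answers. 'SMB1' means the service still negotiates SMBv1; None
    (closed connection or non-SMB reply) means it does not. Needs network
    access, so it is not exercised by the offline sample."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate(["NT LM 0.12"]))
        reply = sock.recv(1024)
    return smb_dialects(reply)[0]


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_EVENTS).items():
        print(f"{src}: {s['count']} events over {s['hours']} h, "
              f"non-standard ports {s['nonstandard_ports']} -> {classify(src, s)}")
    fam, dialects = smb_dialects(build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"]))
    print(f"sample negotiate: {fam} offering {dialects}")
```

Run as a script it prints the per-source summary and the dialects parsed from a constructed SMB1 Negotiate. probe_smb1 opens real connections and should be pointed only at hosts you are authorised to test; a host that drops the connection after receiving an SMB1-only offer is one that no longer speaks SMBv1, which is the outcome the first recommendation is meant to produce.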