41.79.51.218

Summary (Bottom Line Up Front)

External threat actor from Equatorial Guinea (41.79.51.218) conducted SMBv1 protocol reconnaissance targeting non-standard port 9001 on March 3, 2026 at 16:00 UTC. This activity represents MEDIUM-risk reconnaissance using deprecated, vulnerable protocols historically exploited by major ransomware campaigns. Immediate blocking and SMBv1 service review recommended.

Activity Timeline
UPDATE 1 2026-03-21T15:17:13Z
Source: Analyst Manual Entry
New findings
Attack Vector: SMBv1 protocol negotiation attempts from external source
Volume: 20 events over 2-minute window (16:00-16:00 UTC)
Protocols: SMB, TCP SYN scanning
MITRE Technique: T1021.002 (Remote Services: SMB/Windows Admin Shares)
Kill Chain Phase: Reconnaissance
Source Intelligence: ASN AS37337 (MUNI S.A), AbuseIPDB score 100/100, exposed RDP (3389) and NetBIOS (137) services
IOC: 41.79.51.218
Recommendations
  • Block source IP 41.79.51.218 at perimeter firewalls and update threat intelligence feeds
  • Audit all SMBv1 services and disable where operationally feasible, prioritizing external-facing instances
  • Review firewall rules for non-standard SMB ports (9001) and restrict to authorized business requirements only
  • Monitor for additional SMBv1 negotiation attempts from Equatorial Guinea IP ranges (ASN AS37337)
  • Validate that SMB service configurations enforce SMBv2/v3 and apply proper access controls
INITIAL REPORT 2026-03-14T16:22:46Z
Source: Analyst Manual Entry
External actor from Equatorial Guinea conducted SMBv1 reconnaissance against non-standard port 9001 over a 2-minute window on March 3rd, 2026. Activity assessed as MEDIUM threat level with 20 observed events targeting deprecated SMB protocol. Behavior consistent with automated scanning for vulnerable legacy file-sharing services.
Technical details
Actor utilized SMBv1 protocol negotiation attempts against TCP port 9001, triggering 10 total detection events across two distinct SMB-related attack patterns. Traffic analysis identified deprecated SMBv1 protocol usage, which lacks modern security features and remains vulnerable to exploitation techniques previously leveraged in widespread ransomware campaigns. Activity maps to MITRE ATT&CK technique T1021.002 (Remote Services: SMB/Windows Admin Shares) within the Reconnaissance kill chain phase. No specific CVE exploitation attempts were observed during the monitoring period. Source infrastructure shows maximum abuse scoring (100/100) with open services on ports 137 (NetBIOS Name Service) and 3389 (RDP), indicating potential command-and-control or compromised endpoint characteristics.
IOCs
IP: 41.79.51.218
ASN: 37337
COUNTRY: GQ