45.142.193.233

Summary (Bottom Line Up Front)

Malicious activity detected from 45.142.193.233. 1,187,050 events observed across EtherNet/IP, TCP, TCP/SYN, TLS, TLS/1.0. AI verdict: HIGH.

Activity Timeline
UPDATE 4 (2026-03-31T23:09:01Z)
Source: Analyst Manual Entry
Malicious activity detected from 45.142.193.233. 1,187,050 events observed across EtherNet/IP, TCP, TCP/SYN, TLS, TLS/1.0. AI verdict: HIGH.
New findings
Protocols: EtherNet/IP, TCP, TCP/SYN, TLS, TLS/1.0, Telnet, http, https, https_tls_handshake
Attack types: AUTH_ATTACK, CREDENTIAL, CREDENTIAL_THEFT, DESERIALIZE, LDAPI, MODBUS, SCANNER, SMB, XSS
Unique destination ports: 2
Active window: 2026-02-28 15:03:20.281796 to 2026-03-31 23:08:32.075670
Top patterns: cred_auth_payload, claude_cisco_asa_webvpn_credential_attack, router_default_creds
CVE: CVE-2020-3452 (CVSS 7.5 HIGH) [CISA KEV — actively exploited]
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-O
Weaknesses: CWE-20
Recommendations
  • Block 45.142.193.233 at perimeter firewall
  • Escalate to incident response team
  • Review correlated attacker profiles for campaign links
UPDATE 3 (2026-03-30T19:39:51Z)
Source: Analyst Manual Entry
IP address 45.142.193.233 conducted an extensive multi-protocol attack campaign from February 28 to March 30, 2026, generating over 1.2 million malicious events targeting network infrastructure with emphasis on Cisco ASA SSL VPN systems. The campaign demonstrates HIGH threat severity with sophisticated credential theft attempts, industrial control system targeting, and exploitation of known vulnerabilities including CVE-2020-3452. Immediate defensive measures are recommended including blocking the source IP and reviewing Cisco ASA configurations.
New findings
  • Attack Profile: Sustained 30-day campaign utilizing multiple protocols (EtherNet/IP, TCP, TLS, Telnet, HTTP/HTTPS) with primary focus on credential theft (156,817 events) and authentication attacks (74,211 events).
  • MITRE Mapping: T1190 (Exploit Public-Facing Application) during the reconnaissance phase, targeting Cisco ASA WebVPN infrastructure via the characteristic "+webvpn+" path structure.
  • Critical Findings: Java deserialization attacks detected (4 events) indicating potential RCE attempts, MODBUS protocol targeting of Schneider Electric systems (6 events), and SMB pass-the-hash techniques (7 events).
  • IOCs: Malformed HTTP headers suggesting automated tooling, User-Agent strings mimicking Chrome/Edge browsers, and reconnaissance patterns consistent with vulnerability scanning preceding exploitation attempts.
Recommendations
  • Block IP address 45.142.193.233 at network perimeter and review logs for any successful authentication attempts from this source
  • Audit Cisco ASA SSL VPN configurations and apply latest security patches, particularly addressing CVE-2020-3452 if not already remediated
  • Monitor for similar attack patterns targeting "+webvpn+" paths and implement rate limiting on SSL VPN login endpoints
  • Review MODBUS/industrial control system exposure and ensure proper network segmentation between IT and OT environments
  • Enhance monitoring for Java deserialization attacks and SMB lateral movement techniques given the multi-vector approach observed
UPDATE 2 (2026-03-19T22:16:45Z)
Source: Analyst Manual Entry
Threat actor operating from 45.142.193.233 (Netherlands/AS214295) conducted sustained credential attacks against Cisco ASA SSL VPN endpoints over 19 days, generating 783,000+ malicious events targeting the /+webvpn+/index.html interface with default credentials "admin:joyful". This represents a HIGH severity threat with immediate blocking recommended due to potential for unauthorized VPN access and internal network compromise. Organizations running Cisco ASA WebVPN implementations should verify credential policies and implement additional authentication controls.
New findings
The campaign spanned February 28 - March 19, 2026 (rounded to hour precision) with consistent attack patterns indicating automated tooling. Primary attack vectors included credential stuffing (29,431 events) and router default credential exploitation (19,322 events) mapped to MITRE T1110.001 (Brute Force: Password Guessing). Secondary techniques targeted SMB pass-the-hash, Modbus SCADA protocols (Schneider Electric Quantum/Unity systems), and LDAP injection attempts. The attacker leveraged multiple protocols including TLS 1.0, HTTP/HTTPS, Telnet, and industrial EtherNet/IP communications. Activity correlates with CVE-2020-3259 exploitation patterns against Cisco ASA devices. Source infrastructure shows maximum AbuseIPDB reputation score (100/100) with single exposed SSH service on port 22.
Recommendations
  • Block source IP 45.142.193.233 and monitor for additional IPs from AS214295 (Limited Network LTD) exhibiting similar attack patterns
  • Audit all Cisco ASA SSL VPN configurations for default credentials and implement mandatory password complexity requirements
  • Enable multi-factor authentication on all VPN endpoints and administrative interfaces to mitigate credential-based attacks
  • Deploy rate limiting and account lockout policies for VPN authentication attempts to prevent brute force campaigns
  • Review logs for successful authentications from this source IP and conduct incident response procedures if compromise is confirmed
UPDATE 1 (2026-03-18T07:07:45Z)
Source: Analyst Manual Entry
Threat actor operating from 45.142.193.233 (Netherlands/AS214295) conducted sustained credential attacks against Cisco ASA SSL VPN interfaces using default credentials admin:joyful, generating over 645,000 attack events between February 28 and March 18, 2026. This HIGH-severity threat exploits CVE-2020-3259 and could provide unauthorized VPN access to internal networks. Immediate blocking of the source IP and review of VPN credential policies is recommended.
New findings
The attacker leveraged multiple protocols (TCP, TLS 1.0, HTTP/HTTPS, Telnet) to conduct brute-force authentication attacks primarily targeting the /+webvpn+/index.html endpoint characteristic of Cisco ASA WebVPN implementations. Primary attack vectors included credential stuffing (29,431 hits) and router default credential exploitation (19,322 hits), with secondary attacks against SMB (pass-the-hash), MODBUS (Schneider Quantum/Unity), and LDAP injection techniques. The campaign maps to MITRE technique T1110.001 (Brute Force: Password Guessing) in the Exploitation phase of the kill chain. The source IP maintains a 100/100 AbuseIPDB reputation score and exposes only TCP port 22, suggesting a focused Linux-based attack infrastructure.
Recommendations
  • Block source IP 45.142.193.233 and monitor for additional IPs from AS214295 (Limited Network LTD)
  • Audit all Cisco ASA SSL VPN configurations for default credentials and implement strong password policies
  • Deploy rate limiting and account lockout mechanisms on VPN authentication endpoints
  • Monitor for authentication attempts against /+webvpn+/index.html and similar SSL VPN endpoints
  • Review and patch Cisco ASA devices against CVE-2020-3259 if not already addressed
INITIAL REPORT (2026-03-14T17:35:30Z)
Source: batch_hunting
Threat actor operating from 45.142.193.233 (Netherlands/AS214295) conducted sustained credential attacks against Cisco ASA SSL VPN interfaces using default credentials "admin:joyful" over a 14-day period ending March 14, 2026. Assessment: HIGH severity due to potential VPN access enabling lateral movement into internal networks. Immediate blocking and credential policy review required.
Technical details
  • Attack Volume: 329,821 events over 14-day campaign (Feb 28 - Mar 14, 2026)
  • Primary Target: Cisco ASA WebVPN endpoint (/+webvpn+/index.html)
  • Attack Vector: Default credential exploitation (admin:joyful) against SSL VPN authentication
  • Protocols: TCP/22, TLS 1.0, HTTP/HTTPS with TLS handshake analysis
  • MITRE Technique: T1110.001 (Brute Force: Password Guessing)
  • Kill Chain Phase: Exploitation
  • Secondary Attacks: SMB pass-the-hash (3 instances), Modbus Schneider targeting (4 instances), LDAP injection attempts (1 instance)
  • IOC: 45.142.193.233 (AbuseIPDB score: 100/100)
IOCs
IP: 45.142.193.233
ASN: 214295
COUNTRY: NL
Recommendations
  • Block source IP 45.142.193.233 at perimeter firewalls and review AS214295 (Limited Network LTD) for additional suspicious activity
  • Audit all Cisco ASA SSL VPN configurations for default credentials and implement strong password policies with multi-factor authentication
  • Monitor VPN authentication logs for successful logins using default or weak credentials, particularly targeting /+webvpn+/ endpoints
  • Apply Cisco ASA security patches addressing CVE-2020-3259 if not already implemented
  • Implement rate limiting and account lockout policies for VPN authentication attempts to mitigate future brute force campaigns