Summary (Bottom Line Up Front)
High-severity threat activity detected from Brazilian cloud infrastructure (45.205.1.27) conducting systematic reconnaissance and exploitation attempts against multiple network services from April 2nd through April 29th, 2026. The source IP maintains a maximum malicious reputation score and demonstrates persistent targeting behavior with 630 recorded security events. Immediate blocking and network hardening measures are recommended.
Activity Timeline
INITIAL REPORT 2026-04-29T05:50:16Z
Source: Analyst Manual Entry
Technical details
The source operated from AS215925 (Cloud Innovation Ltd) infrastructure, using TCP and HTTP to conduct reconnaissance (MITRE T1595.002, Active Scanning: Vulnerability Scanning) against four distinct destination ports, including 9001 and 8080. Observed activity included 95 high-severity exploitation attempts and 70 protocol abuse incidents; the malformed HTTP requests point to automated tooling rather than interactive use. The source behaves like botnet or scanning infrastructure, maintaining persistent activity over a 27-day period. No CVE is associated with the observed traffic, but the pattern shows a clear intent to identify vulnerable services.
IOCs
IP: 45.205.1.27
ASN: 215925
COUNTRY: BR
Recommendations
- Block source IP 45.205.1.27 and monitor for additional activity from the AS215925 address space
- Review and harden services running on ports 9001 and 8080, ensuring they are not exposed without authentication and access controls
- Implement enhanced monitoring for malformed HTTP requests and protocol anomalies on web-facing services
- Cross-reference internal logs for any successful connections (accepted or established sessions, not just dropped probes) from this source between April 2 and April 29, 2026
- Consider blocking traffic from high-risk cloud providers if not required for business operations, bearing in mind that blanket ASN blocks can also cut off legitimate traffic from shared hosting
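To make the technical details and the log cross-reference recommendation above concrete, the following script is an added example (not part of the original report or any vendor tooling). It filters constructed connection-log lines down to the IOC IP within the April 2 to April 29, 2026 window, counts events and distinct destination ports, flags HTTP request lines that do not match the RFC 7230 request-line grammar (the "malformed HTTP" signal the report describes), and lists accepted connections that warrant follow-up. The log line format, the sample events and the method list are assumptions; adapt parse_line() to your firewall or WAF export.

```python
import re
from datetime import datetime, timezone

IOC_IP = "45.205.1.27"
WINDOW_START = datetime(2026, 4, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 29, 23, 59, 59, tzinfo=timezone.utc)

# Assumed request-line grammar: a fixed method list, a target, HTTP/1.0 or 1.1.
# Anything else (scanner probes, raw TLS bytes sent to a plain port, truncated
# lines) is treated as malformed.
REQUEST_LINE = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]$"
)

# Constructed sample events (not real logs). Assumed format, one event per line:
# <ISO8601 timestamp> <src_ip> <dst_port> <proto> <action> [<request line>]
SAMPLE_LOG = """\
2026-04-02T03:11:09Z 45.205.1.27 8080 tcp DROP
2026-04-02T03:11:10Z 45.205.1.27 9001 tcp DROP
2026-04-10T12:00:01Z 45.205.1.27 8080 http ACCEPT GET / HTTP/1.1
2026-04-10T12:00:02Z 45.205.1.27 8080 http ACCEPT GET /cgi-bin/../../etc/passwd HTTP/1.1
2026-04-15T08:45:33Z 45.205.1.27 8080 http ACCEPT \\x16\\x03\\x01\\x00\\xa5
2026-04-20T22:05:17Z 45.205.1.27 8080 http ACCEPT GET /index.html
2026-04-28T19:30:00Z 45.205.1.27 443 tcp DROP
2026-04-30T01:02:03Z 45.205.1.27 8080 tcp DROP
2026-04-12T05:00:00Z 198.51.100.7 8080 http ACCEPT GET / HTTP/1.1
"""


def parse_line(line):
    """Parse one event line; returns None for blank or unparseable lines."""
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    ts, src, port, proto, action = parts[:5]
    request = parts[5].strip() if len(parts) == 6 else ""
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        port = int(port)
    except ValueError:
        return None
    return {"when": when, "src": src, "port": port, "proto": proto.lower(),
            "action": action.upper(), "request": request}


def summarize(log_text, ip=IOC_IP, start=WINDOW_START, end=WINDOW_END):
    """Keep only events from `ip` inside [start, end] and return the IOC-relevant facts:
    event count, distinct destination ports, malformed HTTP count, accepted connections."""
    events = 0
    ports = set()
    malformed = []
    accepted = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["src"] != ip or not (start <= ev["when"] <= end):
            continue  # other sources and out-of-window events are dropped here
        events += 1
        ports.add(ev["port"])
        if ev["proto"] == "http" and not REQUEST_LINE.match(ev["request"]):
            malformed.append(ev)
        if ev["action"] == "ACCEPT":
            accepted.append(ev)  # these are the "successful connections" to investigate
    return {"events": events, "ports": sorted(ports),
            "malformed_http": len(malformed), "accepted": accepted}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} events from {IOC_IP} in window; ports {report['ports']}")
    print(f"{report['malformed_http']} malformed HTTP request(s)")
    for ev in report["accepted"]:
        print("ACCEPTED", ev["when"].isoformat(), ev["port"],
              ev["request"] or "(no request line)")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the April 30 probe and the unrelated 198.51.100.7 event are excluded on purpose to show that the window and IP filters hold. Accepted connections from the IOC IP are the lines to pivot on in application and host logs, since dropped probes alone do not indicate compromise.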