Summary (Bottom Line Up Front)
Malaysian IP address 47.250.189.15 conducted automated reconnaissance scanning against Kubernetes API server infrastructure (port 6443) on March 3, 2026 at approximately 17:00 UTC. This represents low-severity threat activity focused on service discovery rather than active exploitation. Immediate blocking is recommended to prevent further infrastructure mapping.
Activity Timeline
INITIAL REPORT 2026-03-21T15:14:17Z
Source: Analyst Manual Entry
Technical Details
- Attack Vector: Automated scanning using curl against TCP port 6443 (Kubernetes API server)
- Volume: 21 events over a 5-second timeframe, indicating rapid automated activity
- Protocols: TCP, TLS 1.0, HTTPS
- MITRE Technique: T1595.002 (Active Scanning: Vulnerability Scanning)
- Kill Chain Phase: Reconnaissance
- Threat Level: LOW (85% confidence)
- IOC: 47.250.189.15 (AbuseIPDB score: 100/100)
- Geographic Origin: Malaysia
- Attack Pattern: Bot-like user agent scanning behavior
IOCs
IP:47.250.189.15
COUNTRY:MY
Recommendations
- Block IP address 47.250.189.15 at perimeter firewalls and web application firewalls
- Review Kubernetes API server exposure and implement IP allowlisting if publicly accessible
- Monitor for additional reconnaissance activity targeting container orchestration platforms
- Enhance logging for port 6443 access attempts to detect similar scanning patterns
- Verify Kubernetes API server authentication and authorization configurations are properly hardened
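The burst pattern described under Technical Details (21 events in 5 seconds against port 6443) can be detected with a per-source sliding window over connection logs. The following is an added example, not part of the original report: the log line format, the sample addresses (RFC 5737 documentation ranges), the user-agent strings and the threshold of 20 are assumptions chosen to match the reported volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

API_PORT = 6443                 # Kubernetes API server port named in the report
WINDOW = timedelta(seconds=5)   # assumption: taken from the report's 5-second burst
THRESHOLD = 20                  # assumption: just under the 21 events observed

def parse_line(line):
    """Parse 'ISO8601 src_ip dst_port "user agent"' (constructed log format)."""
    ts, src, port, agent = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, int(port), agent.strip('"')

def detect_bursts(lines, port=API_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: {"peak": n, "agents": set}} for every source whose event
    count to `port` reaches `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    agents = defaultdict(set)     # src_ip -> user agents seen on `port`
    flagged = {}
    for ts, src, dport, agent in sorted(map(parse_line, lines)):
        if dport != port:
            continue
        q = recent[src]
        q.append(ts)
        agents[src].add(agent)
        while ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(src, {"peak": 0, "agents": agents[src]})
            entry["peak"] = max(entry["peak"], len(q))
    return flagged

def sample_log():
    """Constructed sample: one scanner burst plus slow legitimate traffic."""
    base = datetime(2026, 3, 3, 17, 0, 0)
    burst = [f'{(base + timedelta(milliseconds=240 * i)).isoformat()} '
             f'203.0.113.7 6443 "curl/8.0"' for i in range(21)]
    slow = [f'{(base + timedelta(seconds=30 * i)).isoformat()} '
            f'198.51.100.9 6443 "kubectl/v1.29"' for i in range(25)]
    other = [f'{base.isoformat()} 203.0.113.7 443 "curl/8.0"']  # different port
    return burst + slow + other

if __name__ == "__main__":
    for src, info in detect_bursts(sample_log()).items():
        print(f"burst from {src}: peak {info['peak']} events in "
              f"{WINDOW.seconds}s, agents={sorted(info['agents'])}")
```

The slow client sends more events in total than the scanner but is never flagged, because the check is on rate inside the window rather than on total count.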