49.37.64.43

Summary (Bottom Line Up Front)

External threat actor conducted systematic reconnaissance against Kubernetes infrastructure from IP 49.37.64.43 between March 13-14, 2026, targeting kubelet API endpoints to enumerate cluster configuration and running workloads. This activity represents a MEDIUM threat level with 85% confidence, indicating potential cluster misconfiguration allowing unauthorized access to sensitive node metrics. Immediate review and hardening of Kubernetes API security controls is recommended.

Protocol tags: HTTP, TCP, TCP/SYN, TLS, TLS/1.0, https
Activity Timeline
UPDATE 2 (2026-03-15T09:47:20Z)
Source: Analyst Manual Entry
External threat actor conducted systematic reconnaissance against Kubernetes infrastructure from IP 49.37.64.43 between March 13-14, 2026, targeting kubelet API endpoints to enumerate cluster configuration and running workloads. This activity represents a MEDIUM threat level with 85% confidence, indicating potential cluster misconfiguration allowing unauthorized access to sensitive node metrics. Immediate review and hardening of Kubernetes API security controls is recommended.
New findings
Threat actor executed 231 attack events over 22 hours using HTTP/HTTPS protocols and TLS 1.0 connections across 2 unique destination ports. Primary reconnaissance focused on kubelet API endpoints including /configz, /pods, /logs, /metrics, and /spec using kubectl v1.28.0 client. Activity aligns with MITRE ATT&CK technique T1592.004 (Gather Victim Network Information: Client Configurations) during the reconnaissance phase of the cyber kill chain. Source IP 49.37.64.43 originates from Reliance Jio Infocomm Limited (AS55836) in India with a moderate AbuseIPDB reputation score of 50/100.
Recommendations
  • Immediately audit Kubernetes kubelet API authentication and authorization configurations to prevent unauthorized access to node metrics and configuration data
  • Implement network segmentation to restrict external access to kubelet APIs (default port 10250) and ensure proper firewall rules are in place
  • Enable comprehensive logging for all Kubernetes API interactions and establish monitoring for unusual kubectl client activity patterns
  • Review and harden TLS configurations to disable deprecated protocols like TLS 1.0 across all Kubernetes components
  • Block traffic from IP 49.37.64.43 and monitor for similar reconnaissance patterns targeting Kubernetes infrastructure endpoints
UPDATE 1 (2026-03-14T17:37:57Z)
Source: batch_hunting
External threat actor conducted systematic reconnaissance against Kubernetes infrastructure from IP 49.37.64.43 (Reliance Jio Infocomm Limited/India) between March 13-14, 2026, targeting kubelet API endpoints to enumerate cluster configuration and running workloads. This activity represents a MEDIUM threat level indicating potential cluster misconfiguration allowing unauthorized access to sensitive operational data. Immediate review of Kubernetes API security controls and network segmentation is recommended.
New findings
Threat actor executed 171 reconnaissance events over a 22-hour period using the kubectl v1.28.0 client, primarily targeting kubelet metrics and configuration endpoints. Attack patterns focused on the /configz, /pods, /logs, /metrics, and /spec endpoints via HTTP/HTTPS protocols on 2 unique destination ports. Activity maps to MITRE technique T1592.004 (Gather Victim Network Information: Client Configurations) within the reconnaissance phase of the cyber kill chain. Key IOC: 49.37.64.43 (ASN AS55836, AbuseIPDB score 50/100).
Recommendations
  • Implement network segmentation to restrict external access to kubelet API endpoints (default port 10250)
  • Enable kubelet authentication and authorization controls to prevent anonymous access to sensitive endpoints
  • Deploy monitoring for unusual kubectl client activity and unauthorized API enumeration attempts
  • Review firewall rules to ensure Kubernetes management interfaces are not exposed to untrusted networks
  • Conduct security audit of cluster RBAC policies and service account permissions
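Added example, not part of this report: a small audit of a KubeletConfiguration against the controls recommended in both updates above (kubelet authentication and authorization, the TLS floor). The weak and hardened configs are constructed, and the read-only port check goes beyond what the report lists.

```python
"""Audit a KubeletConfiguration for the weaknesses the recommendations target.
Added example, not from the original report. Keys follow the
KubeletConfiguration v1beta1 schema; both sample configs are constructed."""

# Constructed: a kubelet that answers anonymous callers on /configz, /pods, /metrics
# and friends, authorizes everything, exposes the read-only port and allows TLS 1.0.
WEAK_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
    "tlsMinVersion": "VersionTLS10",
}

# Constructed: the hardened counterpart.
HARDENED_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
    "tlsMinVersion": "VersionTLS12",
}

ACCEPTABLE_TLS = {"VersionTLS12", "VersionTLS13"}

def audit_kubelet_config(cfg):
    """Return [(field, problem)] for each failed check; [] means the config passes.
    An absent key fails too: its effective value then comes from kubelet defaults
    or command-line flags, which this audit cannot see."""
    auth = cfg.get("authentication", {})
    checks = [
        ("authentication.anonymous.enabled",
         auth.get("anonymous", {}).get("enabled") is False,
         "anonymous requests are accepted"),
        ("authentication.webhook.enabled",
         auth.get("webhook", {}).get("enabled") is True,
         "bearer tokens are not validated against the API server"),
        ("authorization.mode",
         cfg.get("authorization", {}).get("mode") == "Webhook",
         "every authenticated caller is allowed on every endpoint"),
        ("readOnlyPort", cfg.get("readOnlyPort") == 0,
         "unauthenticated read-only port is open"),
        ("tlsMinVersion", cfg.get("tlsMinVersion") in ACCEPTABLE_TLS,
         "deprecated TLS versions can be negotiated"),
    ]
    return [(field, problem) for field, ok, problem in checks if not ok]
```

Feed it the dict produced by parsing the node's kubelet config file (for example with a YAML loader) and treat any non-empty result as a finding to track.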
INITIAL REPORT (2026-03-14T10:40:59Z)
Source: Analyst Manual Entry
External actor from Indian ISP infrastructure conducted systematic Kubernetes reconnaissance against internet-facing cluster endpoints over a 20-hour period. Medium threat level assessed based on 114 events targeting kubelet API endpoints using the kubectl v1.28.0 client. Activity demonstrates methodical enumeration of cluster configuration, pod information, and metrics endpoints consistent with pre-exploitation reconnaissance.
Technical details
Actor utilized HTTP/HTTPS protocols over TCP connections, specifically targeting Kubernetes kubelet API endpoints on 2 unique destination ports. Observed attack patterns included systematic probing of the `/configz`, `/pods`, `/logs`, `/metrics`, `/spec`, and `/healthz` endpoints, all standard kubelet API paths used for cluster administration. Traffic exhibited characteristics consistent with kubectl v1.28.0 client requests based on User-Agent patterns and request formatting. Activity maps to MITRE ATT&CK technique T1592.004 (Gather Victim Network Information: Client Configurations) within the Reconnaissance tactic. No CVE exploitation attempts observed; activity focused on information gathering from misconfigured or exposed kubelet APIs. Source IP 49.37.64.43 originates from Reliance Jio Infocomm Limited (AS55836) with a moderate abuse reputation score of 40/100.
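Added example, not part of this report: detection logic for the pattern described above, run over constructed log lines. It assumes a simple access-log format (client IP, method, path, status, User-Agent) and an assumed set of trusted cluster address ranges; a source outside those ranges that touches several distinct kubelet paths is reported, with the kubectl User-Agent noted separately.

```python
"""Flag external sources enumerating kubelet endpoints in access logs.
Added example, not from the original report: the log format, TRUSTED_NETS
and SAMPLE_LOG are all constructed assumptions, not captured data."""
import ipaddress
import re
from collections import defaultdict

KUBELET_ENDPOINTS = {"/configz", "/pods", "/logs", "/metrics", "/spec", "/healthz"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

SAMPLE_LOG = """\
49.37.64.43 GET /configz 401 "kubectl/v1.28.0 (linux/amd64)"
49.37.64.43 GET /pods 401 "kubectl/v1.28.0 (linux/amd64)"
49.37.64.43 GET /logs/ 401 "kubectl/v1.28.0 (linux/amd64)"
49.37.64.43 GET /metrics 401 "kubectl/v1.28.0 (linux/amd64)"
49.37.64.43 GET /spec 401 "kubectl/v1.28.0 (linux/amd64)"
10.0.0.5 GET /metrics/cadvisor 200 "Prometheus/2.48.0"
10.0.0.5 GET /pods 200 "kube-apiserver/v1.28.0"
203.0.113.7 GET /healthz 200 "curl/8.4.0"
"""

def parse_line(line):
    """Return (ip, first path segment, user-agent) or None; query strings are dropped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, _method, path, _status, ua = m.groups()
    return ip, "/" + path.split("?", 1)[0].strip("/").split("/", 1)[0], ua

def is_external(ip):
    try:  # anything outside the assumed cluster ranges is external
        return not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False  # unparsable client field: skip rather than crash

def find_recon(lines, min_endpoints=3):
    """Map each external IP touching >= min_endpoints distinct kubelet paths to a summary."""
    hits = defaultdict(lambda: {"events": 0, "endpoints": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] not in KUBELET_ENDPOINTS or not is_external(rec[0]):
            continue
        ip, path, ua = rec
        hits[ip]["events"] += 1
        hits[ip]["endpoints"].add(path)
        hits[ip]["agents"].add(ua.split("/", 1)[0])  # product token only
    return {ip: {"events": h["events"], "endpoints": sorted(h["endpoints"]),
                 "kubectl_client": "kubectl" in h["agents"]}
            for ip, h in hits.items() if len(h["endpoints"]) >= min_endpoints}
```

Lowering min_endpoints trades precision for recall; a single /healthz probe from an unknown source is noise, while a sweep across /configz, /pods, /logs, /metrics and /spec is the enumeration this report describes.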
IOCs
IP: 49.37.64.43
ASN: 55836
COUNTRY: IN