Summary (Bottom Line Up Front)
External IP 50.61.47.93 (Saudi Telecom Company JSC, Riyadh) conducted SMBv1 reconnaissance targeting non-standard port configurations during a 3-hour window on 2026-03-04. Assessment: HIGH risk due to legacy SMB protocol exploitation potential and unusual port targeting behavior. Immediate action required to audit SMB exposure and implement protocol restrictions.
Activity Timeline
INITIAL REPORT 2026-03-15T09:49:08Z
Source: Analyst Manual Entry
Technical details
- Source: 50.61.47.93 (AS25019, Saudi Arabia, clean reputation)
- Activity Window: 2026-03-04 04:00-07:00 UTC (24 events)
- Protocols: SMBv1 (NT LM 0.12 dialect), TCP reconnaissance
- Target Ports: Non-standard SMB port configurations
- MITRE Technique: T1021.002 (SMB/Windows Admin Shares)
- Kill Chain Phase: Reconnaissance
- Pattern Analysis: Consistent SMBv1 detection signatures with potential evasion characteristics
- IOC: 50.61.47.93
IOCs
IP:50.61.47.93
ASN:25019
COUNTRY:SA
Recommendations
- Block SMBv1 protocol organization-wide and enforce SMBv2/v3 minimum requirements
- Audit all systems with SMB services exposed on non-standard ports and restrict external access
- Implement network segmentation to isolate SMB-dependent systems from internet-facing networks
- Deploy enhanced monitoring for T1021.002 lateral movement attempts across internal networks
- Review firewall rules to ensure SMB ports (445, 139, and custom implementations) are not externally accessible