50.72.175.209

Summary (Bottom Line Up Front)

IP address 50.72.175.209 conducted sustained credential capture attacks against Telnet services over a 2-hour period on March 29, 2026, generating 1,429 malicious events between 04:00-07:00 UTC. This represents a MEDIUM threat level focused on credential harvesting operations. Network defenders should immediately review Telnet access controls and monitor for unauthorized authentication attempts.

TCP TCP/SYN TELNET Telnet

CREDENTIAL_CAPTURE

Activity Timeline

INITIAL REPORT2026-03-31T07:20:49Z

Source: Analyst Manual Entry

Technical details

The threat actor executed 306 credential capture attempts via Telnet protocol, demonstrating persistent authentication retry behavior consistent with credential stuffing or brute force attacks. Attack patterns included repeated authentication attempts (204 auth_retry events) and standard authentication probes (102 auth events) concentrated against a single destination port. The 2+ hour sustained attack window indicates automated tooling rather than manual reconnaissance. No CVEs were exploited, suggesting the actor relied on weak credential policies rather than technical vulnerabilities. The activity aligns with MITRE ATT&CK T1110 (Brute Force) techniques targeting credential access.

IOCs

IP:50.72.175.209

Recommendations

Block IP address 50.72.175.209 at network perimeter and review firewall rules for Telnet (port 23) exposure
Implement account lockout policies and rate limiting for Telnet authentication attempts to prevent brute force attacks
Audit all Telnet-accessible systems for default or weak credentials and enforce strong password policies
Deploy network monitoring for unusual authentication patterns and failed login attempts across remote access services
Consider migrating from Telnet to SSH for encrypted remote access where operationally feasible