Summary (Bottom Line Up Front)
High-severity MQTT protocol attack detected from US-based IP 64.23.214.27 targeting industrial messaging infrastructure with suspicious hex-encoded payloads and persistent delivery flags. The attack demonstrates advanced knowledge of MQTT protocol exploitation techniques, potentially indicating protocol tunneling or data exfiltration attempts against operational technology networks. Immediate MQTT traffic monitoring and access controls are recommended.
Activity Timeline
INITIAL REPORT: 2026-03-23T09:28:22Z
Source: Analyst Manual Entry
Technical details
- Attack Window: March 10, 2026, 05:00-06:00 UTC (43 events over 3-hour period)
- Source: 64.23.214.27 (US-based, low AbuseIPDB reputation score 3/100)
- Protocols: Multi-layer attack using TCP, TLS 1.0/1.2+, MQTT, and MQTTS with TLS handshake
- Attack Vector: MQTT PUBLISH messages utilizing QoS 2 (guaranteed delivery) and Retain flag for broker persistence
- Payload: Hex-encoded HTTP User-Agent strings suggesting browser fingerprinting or protocol tunneling
- MITRE Technique: T0831 (Manipulation of Control)
- Kill Chain Phase: Exploitation
- IOCs: IP 64.23.214.27, MQTT PUBLISH with Retain + QoS 2 combination, hex-encoded User-Agent payloads
IOCs
IP: 64.23.214.27
COUNTRY: US
Recommendations
- Implement immediate monitoring and logging of all MQTT traffic, particularly PUBLISH messages with Retain flags and QoS 2 settings
- Block or restrict access from 64.23.214.27 across all MQTT brokers and related infrastructure
- Review MQTT broker configurations to disable unnecessary QoS levels and Retain message capabilities where not operationally required
- Deploy network segmentation between IT and OT networks to limit MQTT protocol exposure to critical industrial systems
- Establish baseline monitoring for unusual payload patterns in MQTT messages, especially hex-encoded or non-standard data formats
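Added here as a worked example (not part of the analyst report): a minimal parser for MQTT 3.1.1 PUBLISH packets that flags the Retain + QoS 2 combination and hex-encoded User-Agent payloads named in the IOC list, which is the baseline check the last two recommendations call for. The topic names and sample packets are constructed for the demonstration, not captured traffic.

```python
import binascii

def parse_publish(pkt: bytes) -> dict:
    """Parse flags, topic, packet id and payload of an MQTT 3.1.1 PUBLISH packet."""
    if pkt[0] >> 4 != 3:  # control packet type 3 = PUBLISH
        raise ValueError("not a PUBLISH packet")
    qos, retain = (pkt[0] >> 1) & 3, pkt[0] & 1  # fixed-header flag bits
    # Remaining Length is a variable-length integer: 7 data bits per byte, continuation in bit 7
    remaining, mult, i = 0, 1, 1
    while True:
        b, i = pkt[i], i + 1
        remaining += (b & 0x7F) * mult
        if not b & 0x80:
            break
        mult *= 128
    body = pkt[i:i + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    topic_len = int.from_bytes(body[:2], "big")
    topic = body[2:2 + topic_len].decode("utf-8")
    off = 2 + topic_len
    packet_id = int.from_bytes(body[off:off + 2], "big") if qos else None  # present only for QoS 1/2
    off += 2 if qos else 0
    return {"qos": qos, "retain": retain, "topic": topic, "packet_id": packet_id, "payload": body[off:]}

def assess(pkt: bytes) -> list:
    """Return the detection reasons that match one PUBLISH packet (empty list = nothing flagged)."""
    p = parse_publish(pkt)
    reasons = []
    if p["qos"] == 2 and p["retain"]:  # the persistence combination called out in the report
        reasons.append("retain+qos2")
    try:  # hex string that decodes to ASCII text carrying an HTTP User-Agent header
        decoded = binascii.unhexlify(p["payload"].strip()).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        decoded = ""
    if "user-agent" in decoded.lower():
        reasons.append("hex-encoded user-agent")
    return reasons

def build_publish(topic: str, payload: bytes, qos: int = 0, retain: bool = False, pid: int = 1) -> bytes:
    """Test helper: encode a PUBLISH packet so the parser can be exercised on constructed input."""
    body = len(topic).to_bytes(2, "big") + topic.encode() + (pid.to_bytes(2, "big") if qos else b"") + payload
    rl, n = b"", len(body)
    while n > 127:  # variable-length Remaining Length encoding
        rl, n = rl + bytes([(n & 0x7F) | 0x80]), n >> 7
    rl += bytes([n])
    return bytes([(3 << 4) | (qos << 1) | int(retain)]) + rl + body

# Constructed samples (not captured traffic); the long hex payload forces a two-byte Remaining Length
SAMPLE_SUSPICIOUS = build_publish("plant/line1/telemetry", b"User-Agent: Mozilla/5.0 (constructed sample for the detection demo)".hex().encode(), qos=2, retain=True, pid=42)
SAMPLE_BENIGN = build_publish("plant/line1/temp", b'{"t": 21.5}', qos=1)
```

Feeding `assess` the payload of each PUBLISH seen at a broker or network tap gives a per-message reason list that can be logged or alerted on; a QoS 2 + Retain message with a non-hex payload yields only `retain+qos2`.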