64.62.197.122

Summary (Bottom Line Up Front)

IP address 64.62.197.122 conducted sustained reconnaissance against network infrastructure and industrial control systems over a 52-day period from February 19 to April 11, 2026, generating 58 security events. The activity primarily targeted FortiGate and Palo Alto security appliances alongside Modbus industrial protocols, indicating potential preparation for targeted attacks against enterprise and OT environments. Organizations should implement enhanced monitoring for the identified attack patterns and block the source IP immediately.

Observed protocols and tags: HTTP, Modbus, TCP, TCP/SYN, TELNET, TLS, TLS/1.0, TLS/1.2+, auto, https, modbus, smtp
Activity Timeline
UPDATE 2 (2026-04-12T06:24:00Z)
Source: Analyst Manual Entry
IP address 64.62.197.122 conducted sustained reconnaissance against network infrastructure and industrial control systems over a 52-day period from February 19 to April 11, 2026, generating 58 security events. The activity primarily targeted FortiGate and Palo Alto security appliances alongside Modbus industrial protocols, indicating potential preparation for targeted attacks against enterprise and OT environments. Organizations should implement enhanced monitoring for the identified attack patterns and block the source IP immediately.
New findings
The threat actor employed multi-protocol reconnaissance spanning HTTP/HTTPS, Modbus, TELNET, SMTP, and various TLS versions across 11 unique destination ports. Primary attack vectors included FortiGate SSL VPN probing (`/remote/logincheck`, `/login`), API enumeration (`/api/v2/static/not.found`), and administrative interface discovery (`/migadmin/lang/legacy/legacy/filechecksum`). Industrial control system targeting involved Modbus broadcast attacks using Function Code 43 (Read Device Identification) with Unit ID 0 on port 502. The campaign maps to MITRE ATT&CK technique T1046 (Network Service Scanning) within the Reconnaissance phase. Additional Palo Alto Networks device targeting included attempts against management interfaces on port 4443 (`/logon/LogonPoint/index.html`, `/php/login.php`). The 58-event volume over 52 days suggests methodical, low-and-slow reconnaissance designed to evade detection thresholds.
Recommendations
  • Block IP address 64.62.197.122 at network perimeter and implement monitoring for similar multi-protocol scanning patterns
  • Review and harden FortiGate SSL VPN configurations, ensuring administrative interfaces are not exposed to untrusted networks
  • Implement network segmentation between IT and OT environments, with enhanced monitoring for Modbus Function Code 43 traffic
  • Deploy additional logging and alerting for management interface access attempts on security appliances (ports 443, 4443)
  • Conduct threat hunting for similar reconnaissance patterns targeting `/remote/logincheck`, `/api/v2/static/not.found`, and Modbus broadcast communications
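One way to carry out the threat-hunting recommendation above over web/appliance access logs, added here as an illustrative example that is not part of the original report. The log line format, the tag names and the sample lines are constructed assumptions; only the paths and the source IP come from the report. The hunt groups watchlist hits per source and reports the span in days, so a few hits spread over weeks (the low-and-slow pattern described) still surface.

```python
"""Hunt access logs for the FortiGate / PAN-OS reconnaissance paths named in the report."""
import re
from collections import defaultdict
from datetime import datetime

# Paths from the report, tagged by the product they fingerprint (tag names are assumptions).
WATCHLIST = {
    "/remote/logincheck": "fortigate-sslvpn",
    "/login": "fortigate-admin",
    "/api/v2/static/not.found": "fortigate-api",
    "/migadmin/lang/legacy/legacy/filechecksum": "fortigate-legacy",
    "/logon/LogonPoint/index.html": "paloalto-mgmt",
    "/php/login.php": "paloalto-mgmt",
}
# Constructed log format: "<ISO time> <src_ip> <dst_port> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return a dict for a well-formed line (tag is None when the path is not on the watchlist)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, _method, path, _status = m.groups()
    path = path.split("?", 1)[0]          # drop the query string before matching
    return {"ts": datetime.fromisoformat(ts), "src": src, "port": int(port),
            "path": path, "tag": WATCHLIST.get(path)}

def hunt(lines, min_tags=2):
    """Sources touching at least min_tags distinct appliance fingerprints, with hit count,
    destination ports and the number of days between first and last hit."""
    per_src = defaultdict(lambda: {"hits": 0, "tags": set(), "ports": set(), "ts": []})
    for line in lines:
        ev = parse_line(line)
        if not ev or not ev["tag"]:
            continue
        s = per_src[ev["src"]]
        s["hits"] += 1; s["tags"].add(ev["tag"]); s["ports"].add(ev["port"]); s["ts"].append(ev["ts"])
    return {src: {"hits": s["hits"], "tags": sorted(s["tags"]), "ports": sorted(s["ports"]),
                  "span_days": (max(s["ts"]) - min(s["ts"])).days}
            for src, s in per_src.items() if len(s["tags"]) >= min_tags}

# Constructed sample log; 198.51.100.7 is a documentation-range address used as benign noise.
SAMPLE_LOG = """\
2026-02-19T04:12:09 64.62.197.122 443 POST /remote/logincheck 403
2026-03-02T11:40:51 64.62.197.122 443 GET /api/v2/static/not.found 404
2026-03-15T22:05:17 64.62.197.122 4443 GET /logon/LogonPoint/index.html 404
2026-04-11T01:33:40 64.62.197.122 443 GET /migadmin/lang/legacy/legacy/filechecksum?x=1 404
2026-04-11T01:35:02 198.51.100.7 443 GET /login 200
2026-04-11T01:36:10 198.51.100.7 443 GET /static/app.js 200
""".splitlines()

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```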
UPDATE 1 (2026-04-11T08:37:32Z)
Source: Analyst Manual Entry
IP address 64.62.197.122 conducted sustained reconnaissance against network infrastructure and industrial control systems over 52 days (February 19 - April 11, 2026), generating 58 security events targeting 11 unique ports. The activity represents low-severity opportunistic scanning with primary focus on FortiGate and Palo Alto firewalls, plus limited Modbus/ICS probing. Recommend standard defensive hardening and monitoring for affected infrastructure types.
New findings
Attack Profile: Broad reconnaissance campaign targeting enterprise security appliances and industrial systems across HTTP/HTTPS (ports 443, 4443), Modbus (port 502), TELNET, and SMTP protocols. Primary techniques included web application enumeration, authentication bypass attempts, and ICS device identification queries.
Key Patterns: FortiGate-focused activity dominated (14 events) including SSL VPN login attempts, API probing, and administrative interface reconnaissance. Palo Alto Networks devices targeted with 4 events focusing on management interfaces. Notable ICS activity included Modbus broadcast attacks using Function Code 43 (Read Device Identification) with Unit ID 0.
IOCs: 64.62.197.122 targeting paths `/api/v2/static/not.found`, `/remote/logincheck`, `/login`, `/migadmin/lang/legacy/legacy/filechecksum`, `/logon/LogonPoint/index.html`, and Modbus broadcast queries on port 502.
Recommendations
  • Implement rate limiting and geo-blocking for management interfaces on FortiGate and Palo Alto devices
  • Monitor for unusual Modbus traffic patterns, particularly broadcast queries (Unit ID 0) and device identification requests
  • Review and harden SSL VPN configurations, ensuring multi-factor authentication is enforced
  • Deploy network segmentation between IT infrastructure and ICS/SCADA networks to limit cross-protocol reconnaissance
  • Enable detailed logging for firewall management interfaces and establish baseline traffic patterns for anomaly detection
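A detection for the Modbus pattern singled out in this update and in the recommendations (Function Code 43 Read Device Identification sent to Unit ID 0), added here as an illustrative example that is not part of the original report. It decodes the MBAP header and PDU of raw Modbus/TCP request frames; the two sample frames are constructed, not captured traffic, and the helper names are assumptions.

```python
"""Flag Modbus/TCP Read Device Identification requests addressed to the broadcast Unit ID."""
import struct
from dataclasses import dataclass
from typing import Optional

FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus Function Code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
BROADCAST_UNIT_ID = 0

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    mei_type: Optional[int]
    device_id_code: Optional[int]

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU.
    Raises ValueError on frames that do not look like Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    mei = dev_code = None
    if fc == FC_ENCAPSULATED_INTERFACE and len(frame) >= 10:
        mei, dev_code = frame[8], frame[9]
    return ModbusRequest(tid, unit_id, fc, mei, dev_code)

def is_broadcast_device_id_probe(req: ModbusRequest) -> bool:
    """True for the reported pattern: FC 43 / MEI 0x0E addressed to Unit ID 0."""
    return (req.function_code == FC_ENCAPSULATED_INTERFACE
            and req.mei_type == MEI_READ_DEVICE_ID
            and req.unit_id == BROADCAST_UNIT_ID)

# Constructed frames: tid=1, proto=0, len=5, unit=0, FC=0x2B, MEI=0x0E, ReadDevId=basic, object=0
PROBE_FRAME = bytes.fromhex("000100000005002b0e0100")
# tid=2, proto=0, len=6, unit=1, FC=3 (Read Holding Registers), start=0, count=10
NORMAL_READ = bytes.fromhex("0002000000060103000000 0a".replace(" ", ""))

def scan_frames(frames):
    """Transaction ids of frames matching the broadcast Read Device Identification pattern."""
    return [r.transaction_id for r in map(parse_modbus_tcp, frames) if is_broadcast_device_id_probe(r)]

if __name__ == "__main__":
    print(scan_frames([PROBE_FRAME, NORMAL_READ]))
```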
INITIAL REPORT (2026-04-08T19:24:14Z)
Source: Analyst Manual Entry
Threat actor operating from IP 64.62.197.122 conducted a sustained 7-week campaign targeting enterprise network infrastructure and industrial control systems, generating 58 attack events between February 19th and April 8th, 2026. The campaign demonstrates MEDIUM threat severity with sophisticated tooling targeting FortiGate firewalls, Palo Alto Networks devices, and Modbus-enabled ICS equipment. Organizations should immediately review access controls for network infrastructure devices and implement enhanced monitoring for the identified attack patterns.
Technical details
The attacker employed a multi-protocol approach spanning HTTP, HTTPS, Modbus, Telnet, SMTP, and various TLS implementations across 11 unique destination ports. Primary attack vectors included credential harvesting (MITRE T1110.001) targeting FortiGate SSL VPN endpoints (/remote/logincheck) and administrative interfaces (/login), reconnaissance against Palo Alto Networks devices via non-standard ports (4443/https), and industrial control system exploitation using Modbus Function Code 43 (Read Device ID) operations. Notable payload patterns include probing of legacy FortiGate paths (/migadmin/lang/legacy/legacy/filechecksum), API enumeration (/api/v2/static/not.found), and attempts to access PAN-OS administrative functions (/php/login.php). The campaign's 85% confidence rating and sustained duration indicate organized threat actor involvement rather than opportunistic scanning.
IOCs
IP: 64.62.197.122
Recommendations
  • Block IP 64.62.197.122 at network perimeter and review firewall logs for similar connection attempts to administrative interfaces
  • Implement additional authentication controls for FortiGate SSL VPN and administrative access, particularly monitoring /remote/logincheck and /login endpoints
  • Restrict Modbus protocol access (port 502) to authorized networks only and monitor for Function Code 43 Read Device ID requests from unauthorized sources
  • Review Palo Alto Networks device configurations to ensure management interfaces are not exposed on non-standard ports like 4443
  • Deploy network segmentation between IT infrastructure and industrial control systems to limit lateral movement opportunities