Summary (Bottom Line Up Front)
A medium-severity credential-stuffing attack from 64.89.161.182 (Luxembourg) hit authentication services over a brief window on March 9, 2026. The attacker generated 214 events within one minute using HTTP Basic Authentication, including proxy-authentication attempts with the default credential pair "ubuntu:1234qwer". Organizations should audit immediately for weak and default credentials and strengthen monitoring of authentication traffic.
Activity Timeline
UPDATE 2 2026-03-22T08:20:09Z
Source: Analyst Manual Entry
A medium-severity credential-stuffing attack from 64.89.161.182 (Luxembourg) hit authentication services over a brief window on March 9, 2026. The attacker generated 214 events within one minute using HTTP Basic Authentication, including proxy-authentication attempts with the default credential pair "ubuntu:1234qwer". Organizations should audit immediately for weak and default credentials and strengthen monitoring of authentication traffic.
New findings
The attack originated from 64.89.161.182 (AS205759, Ghosty Networks LLC, Luxembourg), which carries the maximum AbuseIPDB confidence score of 100/100, indicating an established abuse history. Activity occurred between 18:00 and 19:00 UTC on March 9, 2026, over TCP (including SYN-only probes) against a single destination port. The primary vectors were credential attempts carried in HTTP Basic Authentication headers (28 hits) and default-credential attempts (2 hits), mapped to MITRE ATT&CK T1110.001 (Brute Force: Password Guessing). The source host exposes ports 22 (SSH) and 443 (HTTPS); this is consistent with a rented server under remote management and does not by itself establish command-and-control use. Event classifications were CREDENTIAL and AUTH_ATTACK, consistent with automated credential validation against proxy services.
Recommendations
- Immediately block IP 64.89.161.182 at network perimeters and review logs for any successful authentication attempts
- Audit all systems for default credentials, particularly "ubuntu:1234qwer" and other weak password combinations
- Implement rate limiting and account lockout policies for authentication services, especially proxy and web applications
- Deploy enhanced monitoring for HTTP Basic Authentication attempts and unusual authentication patterns
- Review and strengthen password policies across all services, mandating complex passwords and multi-factor authentication where possible
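As an added illustration of the monitoring and weak-credential audit recommended above (and of the "review logs for successful logins" step in the initial report), the following Python is example code written for this report, not tooling from the analyst or the affected organization. It assumes a proxy or web server writing nginx/Apache combined-format access logs with the authenticated user in the third field, treats 401 and 407 responses as failed authentication, and uses a constructed sample log and a constructed default-credential list; the threshold of 20 failures in 60 seconds is an assumption to tune against your own baseline.

```python
"""Burst detection for failed HTTP Basic / Proxy authentication, plus
decoding of Basic credentials to flag default pairs.  Added example for
this report; the log format, thresholds and sample lines are constructed,
not taken from the incident's own telemetry."""
import base64
import binascii
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx/Apache "combined" format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
AUTH_FAILED = {401, 407}   # 401 = WWW-Authenticate challenge, 407 = Proxy-Authenticate
# Assumed default-credential list; extend it from your own baseline audit.
DEFAULT_PAIRS = {("ubuntu", "1234qwer"), ("admin", "admin"), ("root", "root")}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": None if m["user"] == "-" else m["user"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m["status"]),
    }


def decode_basic(header_value):
    """Decode an Authorization / Proxy-Authorization value into (user, password);
    None if the scheme is not Basic or the token is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # RFC 7617: password may contain ':'
    return (user, password) if sep else None


def is_default_credential(header_value):
    return decode_basic(header_value) in DEFAULT_PAIRS


def find_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Per source IP, the highest count of failed-auth responses seen in any
    sliding `window`; only IPs reaching `threshold` are returned.
    Lines must be in time order, as access logs normally are."""
    recent = defaultdict(deque)
    peaks = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] not in AUTH_FAILED:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def successes_from(lines, ips):
    """Authenticated 2xx/3xx responses from the burst IPs: the 'did any guess
    succeed?' check a responder runs after spotting a burst."""
    return [(r["ip"], r["user"], r["ts"].isoformat())
            for r in filter(None, map(parse_line, lines))
            if r["ip"] in ips and r["user"] and 200 <= r["status"] < 400]


def _sample_log():
    """Constructed lines: 25 proxy-auth failures in under a minute from the
    report's source IP, one later success, and benign internal traffic."""
    base = datetime(2026, 3, 9, 18, 14, 0, tzinfo=timezone.utc)

    def line(ip, user, ts, status):
        return (f'{ip} - {user} [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                f'"GET http://example.com/ HTTP/1.1" {status} 0')

    lines = [line("10.0.0.5", "alice", base + timedelta(seconds=30 * i), 200) for i in range(3)]
    lines += [line("64.89.161.182", "-", base + timedelta(seconds=2 * i), 407) for i in range(25)]
    lines.append(line("64.89.161.182", "ubuntu", base + timedelta(seconds=52), 200))
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


SAMPLE_LOG = _sample_log()
# Constructed header carrying the default pair named in the report.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"ubuntu:1234qwer").decode("ascii")

if __name__ == "__main__":
    bursts = find_bursts(SAMPLE_LOG)
    print("burst sources:", bursts)
    print("successful logins from burst sources:", successes_from(SAMPLE_LOG, bursts))
    print("default credential in sample header:", is_default_credential(SAMPLE_HEADER))
```

Run against real logs, the burst detector is the alert and `successes_from` is the triage question that decides whether this is a blocked attempt or a compromised account; `decode_basic` is for proxies or captures that expose the raw Authorization header, which standard access logs do not.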
UPDATE 1 2026-03-10T17:18:40Z
Source: Analyst Manual Entry
The threat actor operating from 64.89.161.182 (Ghosty Networks LLC, AS205759) conducted intensive HTTP Basic Authentication attacks against web services on March 9, 2026 at 18:00 UTC. The source generated 214 malicious events within a one-minute window, carries the maximum AbuseIPDB reputation score, and was focused on credential harvesting. Immediate blocking and authentication hardening are recommended.
New findings
- Attack Vector: HTTP Basic Authentication brute force over TCP
- Volume: 214 attack events concentrated in a 60-second window, indicating automated tooling
- Primary Techniques: credential attempts carried in Basic Authentication headers (28 instances) and default-credential testing (2 instances)
- MITRE ATT&CK Mapping: T1110.001 (Brute Force: Password Guessing), T1078 (Valid Accounts)
- Infrastructure: Luxembourg-based hosting (AS205759 Ghosty Networks LLC) with ports 22/443 exposed
- IOCs: 64.89.161.182, AS205759, attack pattern focused on single destination port
- Threat Assessment: High-confidence malicious actor with established abuse history (100/100 AbuseIPDB score)
Recommendations
- Block 64.89.161.182 and monitor for additional Ghosty Networks (AS205759) infrastructure at network perimeter
- Implement rate limiting and account lockout policies for HTTP basic authentication endpoints
- Deploy multi-factor authentication for all web-accessible services using basic auth
- Monitor authentication logs for unusual patterns and failed login attempts from hosting providers
- Consider restricting traffic from hosting ASNs with an established abuse history (AS205759 among them), weighing any block against legitimate traffic from those ranges
INITIAL REPORT 2026-03-10T12:24:49Z
Source: Analyst Manual Entry
Threat actor operating from 64.89.161.182 (Ghosty Networks LLC/AS205759) conducted intensive HTTP basic authentication attacks against web services on March 9, 2026 at 18:00 UTC. The attacker generated 214 malicious events within a one-minute window, demonstrating automated credential stuffing capabilities with maximum AbuseIPDB reputation score (100/100). Immediate blocking and credential security review recommended.
Technical details
The threat actor used TCP to deliver concentrated authentication attacks, primarily HTTP Basic Authentication requests carrying default-credential attempts. Volume peaked at 214 events between 18:14 and 18:15 UTC, indicating automated tooling. The techniques align with MITRE ATT&CK T1110 (Brute Force) and T1078 (Valid Accounts); credential-based patterns account for 30 authentication attempts in total. The source has no reverse DNS record and sits with a Luxembourg hosting provider with an established abuse history. Key IOC: 64.89.161.182, with SSH (22) and HTTPS (443) exposed.
IOCs
IP: 64.89.161.182
ASN: 205759
COUNTRY: LU
Recommendations
- Block source IP 64.89.161.182 and consider ASN-level filtering for AS205759 (Ghosty Networks LLC)
- Implement rate limiting on HTTP basic authentication endpoints to prevent rapid-fire credential attempts
- Review authentication logs for successful logins during the 18:00 UTC timeframe on March 9, 2026
- Deploy multi-factor authentication on web services utilizing basic authentication schemes
- Monitor for similar attack patterns from Luxembourg-based hosting providers with poor reputation scores
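For the rate-limiting and account-lockout recommendations repeated in each update, the following is an added example written for this report, not the affected service's configuration or code. It shows a guard placed in front of a Basic-auth password check: a per-IP sliding-window limit, a per-account lockout after consecutive failures, PBKDF2-HMAC-SHA256 password storage, and a constant-time comparison that is also run for unknown usernames. It assumes the Basic header has already been decoded into a username and password, and its limits (10 attempts per IP per 60 s, lockout for 15 minutes after 5 failures), user store and passwords are all constructed assumptions.

```python
"""Per-IP rate limit and per-account lockout in front of an HTTP Basic
authentication check.  Added example; the limits, user store and hashing
parameters are assumptions, not the affected service's settings."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return (salt, digest); pass an existing salt to derive a candidate for comparison."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class BasicAuthGuard:
    def __init__(self, users, ip_limit=10, ip_window=60.0,
                 lockout_after=5, lockout_seconds=900.0):
        self.users = users                      # username -> (salt, digest)
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.ip_hits = defaultdict(deque)       # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)        # username -> consecutive failures
        self.locked_until = {}                  # username -> unlock time
        # Hashed for unknown usernames so response time does not reveal valid names.
        self._dummy = hash_password(os.urandom(16).hex())

    def _ip_allowed(self, ip, now):
        q = self.ip_hits[ip]
        while q and now - q[0] >= self.ip_window:
            q.popleft()
        if len(q) >= self.ip_limit:
            return False
        q.append(now)
        return True

    def attempt(self, ip, user, password, now):
        """Decide one login attempt: 'rate_limited', 'locked', 'bad_credentials' or 'ok'.
        `now` is a float of seconds so callers can replay timelines deterministically."""
        if not self._ip_allowed(ip, now):
            return "rate_limited"               # cheap rejection, no hashing
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        salt, digest = self.users.get(user, self._dummy)
        _, candidate = hash_password(password, salt)
        if user in self.users and hmac.compare_digest(candidate, digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.lockout_after:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return "bad_credentials"


def sample_guard():
    """Constructed user store: the username from the report with a strong
    passphrase in place of the guessed default '1234qwer'."""
    plaintext = {"ubuntu": "s3ntinel-Paddle-orbit-91", "alice": "c0rrect-Horse-battery"}
    return BasicAuthGuard({name: hash_password(pw) for name, pw in plaintext.items()})


def simulate(guard, ip="64.89.161.182", start=0.0):
    """Replay twelve rapid guesses of the report's default pair from one IP,
    one second apart, and return the guard's decision for each."""
    return [guard.attempt(ip, "ubuntu", "1234qwer", start + i) for i in range(12)]


if __name__ == "__main__":
    g = sample_guard()
    print(simulate(g))
    print(g.attempt("10.0.0.5", "alice", "c0rrect-Horse-battery", 5.0))
```

The replay shows the layering: the first five guesses are rejected on the hash, the lockout then answers the next five without hashing, and the IP limit refuses the rest outright. A per-account lockout can itself be turned into a denial of service against the real user, which is why it is paired with the per-IP limit and why the recommendations above also call for multi-factor authentication rather than lockout alone.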