Summary (Bottom Line Up Front)
IP address 65.49.1.108 conducted a 41-day reconnaissance campaign from March 8-April 18, 2026, targeting industrial control systems and network infrastructure across 14 unique ports using multiple protocols including S7comm, RDP, and Fortinet device probes. Despite the broad attack surface and ICS targeting, this activity is assessed as opportunistic scanning with LOW threat level based on limited attack volume (104 total events) and classification as known noise traffic. Network defenders should implement standard hardening measures for exposed ICS and remote access services.
Activity Timeline
UPDATE 1 2026-04-18T17:27:06Z
Source: Analyst Manual Entry
New findings
- Attack Profile: Multi-protocol reconnaissance spanning FTP, HTTP, MQTT, RDP, SMTP, TELNET, and TLS services over a 41-day period.
- Key Techniques: S7comm COTP connection requests targeting industrial PLCs (T0846 - Remote System Discovery), RDP scanning via x224 requests, credential capture attempts, and Fortinet device enumeration through API probes and administrative path discovery.
- Attack Volume: 104 total events, with peak activity targeting HTTPS (443) and SMTP (25) services.
- Notable Payloads: S7comm industrial protocol probes on port 102, Fortinet API enumeration at `/api/v2/static/not.found`, and administrative path probing at `/migladmin/lang/legacy/legacy/filechecksum`.
- IOCs: Source IP 65.49.1.108 flagged by DShield blocklist, unknown ASN attribution, no VPN usage detected.
Recommendations
- Implement network segmentation to isolate ICS/SCADA systems from internet-facing infrastructure and restrict S7comm protocol access to authorized management networks only
- Deploy enhanced monitoring for Fortinet device administrative interfaces and disable unnecessary API endpoints while ensuring firmware is current against known vulnerabilities
- Strengthen RDP security by disabling service on internet-facing systems, implementing network-level authentication, and requiring VPN access for remote administration
- Configure rate limiting and geo-blocking for SMTP, FTP, and TELNET services to reduce reconnaissance attack surface
- Add IP 65.49.1.108 to organizational blocklists and monitor for similar multi-protocol scanning patterns across the 14 observed destination ports
INITIAL REPORT 2026-04-07T16:36:32Z
Source: Analyst Manual Entry
Source IP 65.49.1.108 conducted sustained reconnaissance activity from March 8-April 7, 2026, targeting industrial control systems, FortiGate appliances, and remote access services across 14 unique ports. The campaign demonstrates medium-severity threat activity with deliberate targeting of ICS environments and network infrastructure. Organizations should immediately review access controls for exposed industrial systems and implement enhanced monitoring for the identified attack patterns.
Technical details
Attack Summary: 104 events observed over 30-day period (March 8 04:00 - April 7 16:00 UTC) targeting multiple protocols including S7comm industrial communications, FortiGate management interfaces, and RDP services. Primary activity classified as reconnaissance phase (MITRE T1046 - Network Service Scanning) with evidence of credential capture attempts and API enumeration.
Key Indicators:
- Protocols Targeted: FTP, HTTP, MQTT, RDP, TELNET, TLS, SMTP
- Critical Findings: S7comm COTP connection requests on port 102 indicating Siemens PLC targeting
- FortiGate Exploitation: API probing (/api/v2/static/not.found) and administrative path enumeration (/migladmin/lang/legacy/legacy/filechecksum)
- Attack Patterns: ICS_ATTACK, CREDENTIAL_CAPTURE, RDP_SCAN, FORTI_PROBE techniques observed
IOCs: 65.49.1.108 (no ASN/geolocation data available, no reverse DNS resolution)
IOCs
IP: 65.49.1.108
Recommendations
- Block source IP 65.49.1.108 at network perimeter and review firewall logs for similar scanning patterns across industrial protocol ports (102, 502, 44818)
- Audit FortiGate appliance configurations and disable unnecessary API endpoints; implement additional authentication controls for administrative interfaces
- Restrict RDP access to essential personnel only and implement network segmentation between IT and OT environments
- Deploy enhanced monitoring for S7comm and other industrial protocol communications, particularly unsolicited connection attempts from external sources
- Conduct immediate inventory of exposed industrial control systems and remove unnecessary internet-facing ICS services
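Both recommendation lists ask defenders to review logs for the same multi-protocol pattern: one source touching many destination ports, industrial protocol ports (102, 502, 44818) among them, plus the two Fortinet probe paths named above. The triage script below is an added example, not part of the report or any vendor tooling; it assumes a simplified connection-log line format of `src dst_port [http_path]`, uses constructed sample lines, and treats the five-port threshold as an assumed tuning value.

```python
# Added example (not from the report): flag sources whose connection log
# matches the reconnaissance profile described above. Log format and the
# min_ports threshold are assumptions for illustration.
from collections import defaultdict

ICS_PORTS = {102, 502, 44818}  # S7comm, Modbus, EtherNet/IP (ports named in the report)
FORTI_PATHS = {
    "/api/v2/static/not.found",
    "/migladmin/lang/legacy/legacy/filechecksum",
}

# Constructed sample log: "src dst_port [http_path]" per line.
SAMPLE_LOG = """\
65.49.1.108 102
65.49.1.108 3389
65.49.1.108 443 /api/v2/static/not.found
65.49.1.108 443 /migladmin/lang/legacy/legacy/filechecksum
65.49.1.108 25
65.49.1.108 21
65.49.1.108 23
10.0.0.5 443 /index.html
10.0.0.5 443 /login
"""

def parse_line(line):
    """Return (src, dst_port, path_or_None), or None for a malformed line."""
    parts = line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    path = parts[2] if len(parts) > 2 else None
    return parts[0], int(parts[1]), path

def profile_sources(log_text, min_ports=5):
    """Build a per-source profile and flag sources that look like the
    multi-protocol scan in the report: many distinct ports, any ICS port,
    or any of the listed Fortinet probe paths."""
    ports = defaultdict(set)
    forti = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort triage
        src, dport, path = rec
        ports[src].add(dport)
        if path in FORTI_PATHS:
            forti[src].add(path)
    result = {}
    for src, pset in ports.items():
        ics = pset & ICS_PORTS
        flagged = len(pset) >= min_ports or bool(ics) or bool(forti[src])
        result[src] = {"ports": pset, "ics": ics, "forti": forti[src], "flag": flagged}
    return result
```

Running `profile_sources(SAMPLE_LOG)` flags 65.49.1.108 on all three criteria and leaves the single-port internal host unflagged; feeding real firewall or honeypot exports requires only adapting `parse_line` to the local format.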