65.49.1.132

Summary (Bottom Line Up Front)

External IP address 65.49.1.132 conducted sustained reconnaissance activities from February 21 to April 18, 2026, targeting enterprise infrastructure including FortiGate appliances, industrial control systems, and network services across 13 unique ports. Assessment indicates LOW threat severity with moderate confidence, representing opportunistic scanning rather than targeted exploitation. Organizations should verify security posture of exposed services and monitor for potential escalation to active exploitation attempts.

Tags: EtherNet/IP, HTTP, LDAP, Modbus, S7comm, SMB, SMTP, TCP, TCP/SYN, TELNET, TLS, TLS/1.0, TLS/1.2+, Unknown, auto, https, modbus, smb
Activity Timeline
UPDATE 1 2026-04-18T06:49:27Z
Source: Analyst Manual Entry
New findings
Attack Profile: 50 events observed over a 56-day period (February 21 14:00 to April 18 07:00) targeting a diverse protocol stack including FortiGate SSL VPN endpoints, Modbus/S7comm industrial protocols, SMB file shares, and LDAP services. Primary activity focused on FortiGate reconnaissance (16 events) through login page enumeration, API probing, and SSL VPN login attempts against standard HTTPS ports. Industrial control system targeting included Modbus broadcast queries (Unit ID 0, function code 43, Read Device Identification) on port 502 and S7comm connection requests. Probing for the legacy SMBv1 protocol suggests an attempt to identify hosts still exposed to known SMBv1 vulnerabilities.
MITRE ATT&CK Mapping: T1046 (Network Service Scanning) - Reconnaissance phase activities consistent with automated scanning tools performing service discovery and vulnerability assessment.
Key IOCs: Source IP 65.49.1.132, FortiGate-specific URI paths (/login, /remote/logincheck, /api/v2/static/not.found), Modbus broadcast queries, SMBv1 protocol signatures.
Recommendations
  • Implement network segmentation to isolate industrial control systems from internet-facing infrastructure and restrict cross-protocol access
  • Disable SMBv1 protocol across all Windows systems and network appliances to eliminate known vulnerability exposure
  • Review FortiGate SSL VPN configurations for proper access controls, multi-factor authentication, and login attempt rate limiting
  • Deploy network monitoring for unusual cross-protocol scanning patterns targeting both IT and OT environments
  • Verify security hardening of services on the 13 targeted destination ports, particularly Modbus (502) and HTTPS (443) endpoints
INITIAL REPORT 2026-04-09T05:14:26Z
Source: Analyst Manual Entry
IP address 65.49.1.132 conducted sustained multi-protocol reconnaissance targeting FortiGate appliances, industrial control systems, and network services over a 47-day period from February 21 to April 9, 2026. The activity demonstrates broad scanning capabilities across enterprise and critical infrastructure protocols, assessed as LOW threat with 75% confidence. Organizations should review exposed services and implement enhanced monitoring for the identified attack patterns.
Technical details
Attack Profile: 50 events targeting 12 unique ports using protocols including FortiGate SSL VPN, Modbus, S7comm, SMB, LDAP, and HTTPS. Primary focus on FortiGate infrastructure with 12 distinct probes against login pages, API endpoints, and SSL VPN services. Industrial control system targeting observed via Modbus function code 43 (Read Device Identification) and S7comm COTP connection requests. Legacy SMBv1 protocol detection attempts identified. MITRE Technique: T1046 (Network Service Scanning) during reconnaissance phase. Key IOCs: Requests to `/remote/logincheck`, `/api/v2/static/not.found`, `/migadmin/lang/legacy/legacy/filechecksum`, and Modbus broadcast queries with Unit ID 0.
IOCs
IP: 65.49.1.132
Recommendations
  • Block IP address 65.49.1.132 at network perimeters and review logs for similar multi-protocol scanning patterns
  • Disable SMBv1 protocol across all systems and ensure FortiGate appliances are updated with latest security patches
  • Implement enhanced monitoring for Modbus function code 43 and S7comm connection attempts on industrial networks
  • Review and restrict external access to FortiGate management interfaces, SSL VPN portals, and API endpoints
  • Deploy network segmentation between IT and OT environments to limit cross-protocol reconnaissance capabilities
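The Technical details above name the traits that distinguish this scanner's traffic (Modbus function code 43 with Unit ID 0, the three FortiGate probe URIs, and many protocols from one source), and the recommendations ask for monitoring of exactly those traits. The following is an added detection example written for this report, not code from the report's source or from any vendor: it parses a Modbus/TCP request frame and tags Read Device Identification probes (function code 43, MEI type 14) and broadcast Unit ID 0, matches HTTP paths against the URIs listed in the IOCs, and flags sources that touch many distinct ports and protocols. The sample frames, event records and source addresses are constructed for the example and are not captures of the reported traffic; the port and protocol thresholds are assumed values to be tuned per environment.

```python
"""Detection helpers for the cross-protocol scanning pattern described in the report.

All sample data below is constructed for this example; it is not captured traffic.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
BROADCAST_UNIT_ID = 0

# FortiGate request paths listed as IOCs in the report.
FORTIGATE_RECON_PATHS = {
    "/remote/logincheck",
    "/api/v2/static/not.found",
    "/migadmin/lang/legacy/legacy/filechecksum",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    mei_type: Optional[int]   # only present for function code 43


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the leading PDU bytes of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:   # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    mei = frame[8] if fc == FC_ENCAPSULATED_INTERFACE and len(frame) > 8 else None
    return ModbusRequest(tid, uid, fc, mei)


def modbus_findings(frame: bytes) -> list:
    """Tag a Modbus request with the traits the report associates with reconnaissance."""
    req = parse_modbus_tcp(frame)
    tags = []
    if req.function_code == FC_ENCAPSULATED_INTERFACE and req.mei_type == MEI_READ_DEVICE_ID:
        tags.append("read-device-identification")
    if req.unit_id == BROADCAST_UNIT_ID:
        tags.append("broadcast-unit-id")
    return tags


def fortigate_findings(path: str) -> list:
    """Tag an HTTP request path that matches a FortiGate probe URI from the IOC list."""
    return ["fortigate-recon-uri"] if path in FORTIGATE_RECON_PATHS else []


def cross_protocol_sources(events, min_ports=5, min_protocols=3):
    """Return sources that touched at least min_ports distinct ports and
    min_protocols distinct protocols. events: iterable of (src_ip, dst_port, protocol).
    Thresholds are assumed starting values, not figures from the report."""
    ports, protos = defaultdict(set), defaultdict(set)
    for src, port, proto in events:
        ports[src].add(port)
        protos[src].add(proto)
    return sorted(src for src in ports
                  if len(ports[src]) >= min_ports and len(protos[src]) >= min_protocols)


# Constructed sample frames: tid, pid=0, length, unit id, then the PDU.
RECON_FRAME = bytes.fromhex("0001 0000 0005 00 2B 0E 01 00")    # uid 0, FC 43, MEI 14
NORMAL_FRAME = bytes.fromhex("0002 0000 0006 01 03 0000 000A")  # uid 1, FC 3, 10 registers

# Constructed sample events (documentation-range addresses): (src_ip, dst_port, protocol).
SAMPLE_EVENTS = [
    ("198.51.100.7", 443, "https"), ("198.51.100.7", 502, "modbus"),
    ("198.51.100.7", 102, "s7comm"), ("198.51.100.7", 445, "smb"),
    ("198.51.100.7", 389, "ldap"), ("198.51.100.7", 25, "smtp"),
    ("203.0.113.9", 443, "https"), ("203.0.113.9", 443, "https"),
]

if __name__ == "__main__":
    print("recon frame:", modbus_findings(RECON_FRAME))
    print("normal frame:", modbus_findings(NORMAL_FRAME))
    print("fortigate path:", fortigate_findings("/remote/logincheck"))
    print("cross-protocol sources:", cross_protocol_sources(SAMPLE_EVENTS))
```

The Modbus parser rejects frames whose MBAP length disagrees with the bytes received, so a truncated or malformed probe raises rather than producing a false tag; in a sensor you would feed it the TCP payload of each request to port 502 and route the tagged results, together with the HTTP path matches and the per-source port/protocol counts, to the same alert so the IT and OT sides of the pattern correlate.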