65.49.1.66

Summary (Bottom Line Up Front)

IP address 65.49.1.66 conducted sustained multi-protocol reconnaissance targeting industrial control systems, network infrastructure, and enterprise services over a 6-week period from February 25 to April 6, 2026. The activity demonstrates medium-risk threat behavior with 62 recorded events spanning critical infrastructure protocols including Modbus, S7comm, and Kubernetes APIs. Organizations should implement enhanced monitoring for follow-up exploitation attempts and validate security controls across targeted service categories.

Observed protocol tags: EtherNet/IP, HTTP, Modbus, RSYNC, SMB, TCP, TCP/SYN, TELNET, TLS, TLS/1.0, TLS/1.2+, auto, https, modbus, smb
Activity Timeline
UPDATE 1: 2026-04-06T21:48:59Z
Source: Analyst Manual Entry
IP address 65.49.1.66 conducted sustained multi-protocol reconnaissance targeting industrial control systems, network infrastructure, and enterprise services over a 6-week period from February 25 to April 6, 2026. The activity demonstrates medium-risk threat behavior with 62 recorded events spanning critical infrastructure protocols including Modbus, S7comm, and Kubernetes APIs. Organizations should implement enhanced monitoring for follow-up exploitation attempts and validate security controls across targeted service categories.
New findings
Attack Profile: Broad reconnaissance campaign targeting multiple attack surfaces including industrial control systems (ICS), network infrastructure, and cloud orchestration platforms. Activity spanned 10 unique destination ports with protocols including EtherNet/IP, Modbus, SMB, RSYNC, TELNET, and HTTPS.
Key Techniques: MITRE T1190 (Exploit Public-Facing Application) with evidence of credential capture attempts, Fortinet device probing, and ICS-specific reconnaissance. Notable attack patterns include Modbus broadcast attacks, S7comm COTP connection requests, and Kubernetes version enumeration.
Critical Findings: SMBv1 protocol detection attempts, Fortinet device path traversal probing (/lang/legacy/filechecksum), Kubernetes API version reconnaissance (port 6443), and Modbus function code 43 device identification queries.
IOCs: Source IP 65.49.1.66, SMB signature ff534d4272000000001843c800000000, User-Agent patterns targeting Kubernetes /version endpoint.
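A defender-side classifier for two of the indicators named above: SMBv1 negotiate requests (the recorded signature is an SMBv1 header whose command byte, 0x72, is SMB_COM_NEGOTIATE) and Modbus/TCP function code 43 Read Device Identification, with unit ID 0 flagged as the Modbus broadcast address. This is an added example, not part of the report; the packet payloads are constructed, not captured traffic.

```python
"""Tag raw TCP payloads for SMBv1 negotiate (port 445) and Modbus/TCP
Read Device Identification, function 43 (port 502).
Added example; sample payloads below are constructed, not captured."""
import struct

SMB1_MAGIC = b"\xffSMB"        # SMBv1 header magic; SMB2/3 use b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72       # command byte right after the magic
MODBUS_FC_MEI = 43             # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E      # MEI type for Read Device Identification


def classify_smb(payload: bytes) -> list[str]:
    """Port-445 payload: 4-byte NetBIOS session header, then 32-byte SMB header."""
    smb = payload[4:]
    if len(smb) < 32 or smb[:4] != SMB1_MAGIC:
        return []
    tags = ["smbv1"]
    if smb[4] == SMB_COM_NEGOTIATE:
        tags.append("smbv1-negotiate")
    return tags


def classify_modbus(payload: bytes) -> list[str]:
    """Port-502 payload. MBAP header: txid(2) proto(2) length(2) unit(1), then PDU."""
    if len(payload) < 8:
        return []
    _txid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return []                       # not Modbus/TCP, or truncated frame
    tags = []
    if payload[7] == MODBUS_FC_MEI and len(payload) > 8 and payload[8] == MEI_READ_DEVICE_ID:
        tags.append("modbus-read-device-id")
    if unit == 0:                       # unit 0 is the Modbus broadcast address
        tags.append("modbus-broadcast-unit")
    return tags


def classify(dst_port: int, payload: bytes) -> list[str]:
    if dst_port == 445:
        return classify_smb(payload)
    if dst_port == 502:
        return classify_modbus(payload)
    return []


# Constructed samples. SMB1_NEG embeds the 16-byte signature from the report,
# zero-padded to a full SMB header behind a NetBIOS session header.
SMB1_NEG = b"\x00\x00\x00\x20" + bytes.fromhex("ff534d4272000000001843c800000000") + b"\x00" * 16
SMB2_NEG = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60
MB_DEVID_BCAST = bytes.fromhex("0001 0000 0005 00 2b 0e 01 00")   # unit 0, FC 43, MEI 0x0E
MB_READ_HOLDING = bytes.fromhex("0002 0000 0006 01 03 0000 000a")  # unit 1, FC 3: benign

if __name__ == "__main__":
    for port, pkt in [(445, SMB1_NEG), (445, SMB2_NEG), (502, MB_DEVID_BCAST), (502, MB_READ_HOLDING)]:
        print(port, classify(port, pkt))
```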
Recommendations
  • Block source IP 65.49.1.66 at network perimeter and monitor for related infrastructure
  • Disable SMBv1 protocol across all Windows systems and validate SMB signing enforcement
  • Implement network segmentation between IT and OT environments with strict access controls for Modbus/S7comm protocols
  • Enable enhanced logging for Kubernetes API server access and implement authentication for version endpoints
  • Deploy additional monitoring for Fortinet device administrative interfaces and validate latest security patches
INITIAL REPORT: 2026-03-25T10:14:47Z
Source: Analyst Manual Entry
External IP 65.49.1.66 conducted sustained multi-protocol reconnaissance against critical infrastructure systems over a 27-day period, targeting Fortinet appliances, industrial control systems, and SMB services. This medium-risk activity demonstrates automated scanning behavior with potential for follow-up exploitation attempts. Network defenders should implement enhanced monitoring for the identified attack patterns and ensure critical systems are properly segmented and patched.
Technical details
Attack Overview: 62 events observed from February 25, 2026 06:00 through March 24, 2026 05:00, spanning multiple protocols including HTTP/HTTPS, Modbus, SMB, and TLS across 6 unique destination ports.
Primary Techniques: Reconnaissance activities (MITRE T1190 - Exploit Public-Facing Application) targeting Fortinet management interfaces via unknown path probes and login page enumeration, industrial control system attacks including Modbus broadcast reconnaissance and S7comm COTP connection attempts, and legacy SMBv1 protocol detection.
Key Indicators: Fortinet-specific path enumeration (/lang/legacy/filechecksum), S7comm industrial protocol connection requests on port 102, and vulnerable SMBv1 traffic signatures (ff534d4272000000001843c800000000) on port 445.
Assessment: Medium confidence (75%) threat classification with low zero-day probability (5%), indicating likely opportunistic scanning rather than targeted advanced persistent threat activity.
IOCs
IP: 65.49.1.66
Recommendations
  • Block traffic from 65.49.1.66 at network perimeter and monitor for similar reconnaissance patterns across the identified protocols
  • Disable SMBv1 protocol organization-wide and ensure industrial control systems are properly network-segmented from corporate networks
  • Review and harden Fortinet appliance configurations, ensuring non-standard administrative paths are disabled and strong authentication is enforced
  • Implement enhanced monitoring for Modbus and S7comm protocols on ports 502 and 102 respectively, particularly for unauthorized connection attempts
  • Conduct vulnerability assessments on public-facing applications and industrial control systems to identify potential exploitation targets