Summary (Bottom Line Up Front)
IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. This represents medium-severity preparatory activity for potential follow-on attacks against network security infrastructure and ICS environments. Organizations should immediately audit FortiGate configurations and monitor for credential brute force attempts.
Activity Timeline
UPDATE 2026-04-16T17:38:20Z
Source: Analyst Manual Entry
IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. This represents medium-severity preparatory activity for potential follow-on attacks against network security infrastructure and ICS environments. Organizations should immediately audit FortiGate configurations and monitor for credential brute force attempts.
New findings
Attack Profile: 42 events across HTTP/HTTPS, Oracle TNS, TLS, and Modbus protocols targeting 4 unique destination ports. Primary focus on FortiGate appliance discovery through login page identification and path enumeration, supplemented by industrial control system reconnaissance via Modbus broadcast attacks and device identification queries.
MITRE Mapping: T1592.002 (Gather Victim Host Information: Software) - attacker systematically identified network security appliances and industrial systems.
Key Indicators: FortiGate login interface discovery, Modbus function code 43 device identification requests, robots.txt enumeration, and automated scanning patterns consistent with masscan tooling.
Threat Assessment: Medium confidence (85%) automated reconnaissance representing initial kill chain phase, with 5% probability of zero-day exploitation capability.
Recommendations
- Block IP 66.132.153.123 at network perimeter and correlate against internal logs for successful authentication attempts
- Review FortiGate access controls and implement additional authentication factors if not already deployed
- Monitor Modbus traffic on port 502 for unauthorized device enumeration and implement network segmentation for ICS environments
- Enable enhanced logging on network security appliances to detect similar reconnaissance patterns
- Conduct immediate audit of exposed management interfaces and restrict access to authorized IP ranges only
INITIAL REPORT 2026-04-10T14:58:01Z
Source: Analyst Manual Entry
IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. The activity represents initial attack phases with medium threat level, indicating potential preparation for credential attacks or vulnerability exploitation. Network defenders should immediately audit FortiGate configurations and monitor for follow-on attack activity from this source.
Technical details
The attacker executed 42 events across multiple protocols including HTTP/HTTPS, Oracle/TNS, Modbus, and TLS, targeting 4 unique destination ports. Primary techniques included FortiGate login page identification (T1592.002 - Gather Victim Host Information: Software) and industrial control system reconnaissance via Modbus protocol queries. Attack patterns focused on FortiGate appliance discovery through /robots.txt requests and device identification using Modbus Function Code 43 (Read Device ID). The campaign utilized automated scanning tools including Masscan and demonstrated knowledge of both enterprise network security appliances and operational technology environments. AbuseIPDB scores the address 100/100, indicating an established malicious reputation; the overall assessment is made with high confidence (85%).
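The Modbus indicator above (Function Code 43 with MEI type 14, Read Device Identification) can be matched directly in captured traffic. The following detection snippet is an added example, not part of this report or of any vendor tooling: it parses the Modbus/TCP MBAP header, flags Read Device ID probes on port 502 from sources outside a hypothetical allow list, and counts them per source IP. The allow-list address and the sample records are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B  # Modbus function code 43
MEI_READ_DEVICE_ID = 0x0E         # MEI type 14: Read Device Identification
AUTHORIZED_ENUMERATORS = {"10.10.5.20"}  # hypothetical allow list of engineering hosts

@dataclass
class ModbusRequest:
    unit_id: int  # 0 is the Modbus broadcast address
    function_code: int
    mei_type: Optional[int] = None  # only set for function code 43

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse the MBAP header and the leading PDU bytes of one Modbus/TCP request."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    # Protocol id must be 0; the length field counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    req = ModbusRequest(unit_id, fc)
    if fc == FC_ENCAPSULATED_INTERFACE and len(payload) >= 9:
        req.mei_type = payload[8]
    return req

def is_device_id_probe(req: Optional[ModbusRequest]) -> bool:
    return (req is not None and req.function_code == FC_ENCAPSULATED_INTERFACE
            and req.mei_type == MEI_READ_DEVICE_ID)

def detect_enumeration(records: list) -> dict:
    """Count Read Device Identification probes on port 502 per unauthorized source IP."""
    counts: dict = {}
    for src_ip, dst_port, payload in records:
        if dst_port != MODBUS_PORT or src_ip in AUTHORIZED_ENUMERATORS:
            continue
        if is_device_id_probe(parse_modbus_tcp(payload)):
            counts[src_ip] = counts.get(src_ip, 0) + 1
    return counts

# Constructed sample traffic (src_ip, dst_port, TCP payload), not real captures.
SAMPLE_RECORDS = [
    ("66.132.153.123", 502, bytes.fromhex("000100000005012B0E0100")),  # FC 43 / MEI 14 probe
    ("66.132.153.123", 502, bytes.fromhex("000200000005002B0E0100")),  # same, to broadcast unit 0
    ("66.132.153.123", 80, b"GET /robots.txt HTTP/1.1\r\n\r\n"),       # HTTP, ignored here
    ("10.10.5.20", 502, bytes.fromhex("000300000005012B0E0100")),      # authorized host, skipped
    ("10.10.7.9", 502, bytes.fromhex("00040000000601030000000A")),     # FC 3 read, not a probe
]
```

Feeding `detect_enumeration` with records reassembled from a port 502 capture or an IDS payload log yields a per-source probe count that can be thresholded for alerting on unauthorized device enumeration.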
IOCs
IP: 66.132.153.123
Country: US
Recommendations
- Block IP address 66.132.153.123 at perimeter firewalls and update threat intelligence feeds
- Audit FortiGate appliance configurations to ensure admin interfaces are not exposed to untrusted networks
- Review Modbus-enabled devices for proper network segmentation and access controls
- Monitor for subsequent credential brute force attempts against identified FortiGate login interfaces
- Implement enhanced logging for Oracle/TNS and industrial protocol communications to detect follow-on activity