66.132.153.127

Summary (Bottom Line Up Front)

IP address 66.132.153.127 conducted an 11-day reconnaissance campaign spanning March 1-12, 2026, targeting Fortinet appliances and SMTP services, with 141 recorded events. The activity is assessed as medium severity and is limited to scanning and enumeration of network infrastructure; no activity beyond reconnaissance is recorded. Organizations should promptly review the external exposure of Fortinet management interfaces and add monitoring for reconnaissance patterns of this kind.

Protocol tags: HTTP, Modbus, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https, smtp
Activity Timeline
INITIAL REPORT 2026-03-14T17:48:35Z
Source: batch_hunting
Technical details
The source operated across multiple protocols, including HTTP/HTTPS, TLS (1.0 and 1.2+), SMTP, Modbus, and raw TCP/SYN probes, against 5 distinct destination ports. Observed activity consisted of Fortinet appliance reconnaissance (events tagged fortigate_login_page and fortigate_unknown_path), automated scanning whose pattern is consistent with Censys-style internet-wide infrastructure mapping, and SMTP service enumeration via EHLO commands. The activity maps to MITRE ATT&CK techniques T1595.002 (Active Scanning: Vulnerability Scanning) and T1590.001 (Gather Victim Network Information: Domain Properties). The source IP carries a maximum AbuseIPDB abuse confidence score of 100/100, meaning it has been reported repeatedly by multiple independent reporters; this confirms persistent unwanted scanning but does not by itself attribute the activity to a specific actor. Because research and commercial scanners produce traffic with the same profile, verify the address's ownership (reverse DNS, WHOIS, published scanner ranges) before treating it as hostile.
IOCs
IP:66.132.153.127
COUNTRY:US
Recommendations
  • Block IP 66.132.153.127 at all network perimeters and security appliances, after confirming it is not a scanner your organization has authorized
  • Audit external exposure of Fortinet management interfaces; keep administrative access off internet-facing interfaces where possible and restrict it to trusted source IP ranges (FortiOS trusted hosts on each admin account)
  • Log and alert on repeated requests to administrative login pages and on bursts of requests for unknown paths from a single source, since both precede credential and vulnerability probing
  • Review SMTP service configuration: advertise only the ESMTP extensions you need, disable VRFY and EXPN, do not offer AUTH over unencrypted connections on port 25, and keep banner text free of version and hostname detail (EHLO itself cannot be disabled on an ESMTP server)
  • Establish monitoring that correlates events per source IP across protocols and ports, and alert when one source touches several distinct services within a short time window
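The last two recommendations, as an added example that is not part of the original report: a small Python detector that reads syslog-style events, groups them by source address, and flags any source that touches several distinct ports or protocols within a sliding window, or that repeatedly probes administrative login paths. The event layout, the tag names beyond those quoted in the report, the sample lines, and the thresholds are constructed assumptions for illustration.

```python
"""Multi-protocol reconnaissance detector (added example, not from the report).

Input layout is assumed: ISO-8601 UTC timestamp, source IP, destination port,
protocol label, event tag, whitespace separated.  Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one scanner-like source and two benign ones.
SAMPLE_EVENTS = """\
2026-03-01T02:11:07Z 66.132.153.127 443 https fortigate_login_page
2026-03-01T02:11:09Z 66.132.153.127 443 https fortigate_unknown_path
2026-03-01T02:11:15Z 66.132.153.127 25 smtp ehlo
2026-03-01T02:11:20Z 66.132.153.127 502 modbus probe
2026-03-01T02:11:31Z 66.132.153.127 8443 tls/1.0 client_hello
2026-03-01T02:12:02Z 66.132.153.127 80 http fortigate_login_page
2026-03-01T03:40:00Z 203.0.113.9 443 https fortigate_login_page
2026-03-01T09:15:00Z 198.51.100.4 25 smtp ehlo
2026-03-01T09:16:00Z 198.51.100.4 25 smtp mail_from
"""

# Tags the report associates with Fortinet management-interface probing.
ADMIN_TAGS = {"fortigate_login_page", "fortigate_unknown_path"}


def parse_events(text):
    """Parse the assumed line format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, proto, tag = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "port": int(port),
            "proto": proto.split("/")[0],  # tls/1.0 and tls/1.2 count as one protocol
            "tag": tag,
        })
    return events


def find_scanners(events, window=timedelta(minutes=5), min_ports=3, min_protos=3):
    """Return {src: reason} for sources that hit >= min_ports distinct ports
    or >= min_protos distinct protocols inside any `window`-long span."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            ports = {e["port"] for e in span}
            protos = {e["proto"] for e in span}
            if len(ports) >= min_ports or len(protos) >= min_protos:
                flagged[src] = f"{len(ports)} ports / {len(protos)} protocols within {window}"
                break
    return flagged


def find_admin_probers(events, min_hits=2):
    """Return {src: hit_count} for sources with repeated admin-path probes."""
    counts = defaultdict(int)
    for ev in events:
        if ev["tag"] in ADMIN_TAGS:
            counts[ev["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, why in find_scanners(evs).items():
        print(f"ALERT multi-protocol scan from {src}: {why}")
    for src, n in find_admin_probers(evs).items():
        print(f"ALERT admin-interface probing from {src}: {n} hits")
```

The window-based rule triggers on breadth (distinct ports or protocols), not volume, which is what separates a mapping scanner from a busy legitimate client; the admin-path rule is deliberately low-threshold because a second hit on a login page from an unknown source is already worth a look. Tune `window` and the minimums against your own baseline before alerting on them.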