66.132.172.138

Summary (Bottom Line Up Front)

IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance over 42 days (April 2-May 14, 2026), generating 667 security events targeting industrial control systems, Kubernetes infrastructure, and network services. Despite high-severity exploit signatures, this activity is assessed as automated scanning with LOW operational threat level. Network defenders should verify ICS/OT network segmentation and monitor for follow-on targeted activity.

Observed protocol tags: ENIP, EtherNet/IP, HTTP, IEC-104, IEC104, OPCUA, SMTP, SSH, TCP, TCP/SYN, TLS, TLS/1.0, http, https, https_tls_handshake
Activity Timeline
INITIAL REPORT 2026-05-14T19:01:27Z
Source: Analyst Manual Entry
IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance over 42 days (April 2-May 14, 2026), generating 667 security events targeting industrial control systems, Kubernetes infrastructure, and network services. Despite high-severity exploit signatures, this activity is assessed as automated scanning with LOW operational threat level. Network defenders should verify ICS/OT network segmentation and monitor for follow-on targeted activity.
Technical details
Attack Profile: Sustained reconnaissance campaign spanning industrial protocols (EtherNet/IP, IEC-104, OPC-UA), container orchestration (Kubernetes etcd), and standard services (HTTP/HTTPS, SMTP, SSH). Primary techniques include service enumeration, protocol abuse, and vulnerability scanning across 10 unique destination ports.
Key Findings:
  • Volume: 667 events over 42-day period with consistent activity pattern
  • Protocols: Industrial focus on ENIP, IEC-104, OPC-UA alongside IT protocols
  • Attack Vectors: Protocol confusion attacks, service discovery, login page enumeration
  • Notable Payloads: Kubernetes etcd version disclosure, Fortinet device reconnaissance, Censys scanning signatures
  • MITRE Mapping: T1046 (Network Service Scanning), T1082 (System Information Discovery)
IOCs
  • Source IP: 66.132.172.138 (AbuseIPDB score: 100/100)
  • Country: US
  • User-Agent: Censys scanning infrastructure
  • Target ports include industrial protocols and container orchestration services
Recommendations
  • Implement network segmentation to isolate ICS/OT networks from internet-facing infrastructure and restrict cross-protocol communication
  • Deploy protocol-aware monitoring for industrial control system protocols (EtherNet/IP, IEC-104, OPC-UA) to detect anomalous scanning behavior
  • Review Kubernetes etcd service exposure and implement proper authentication/authorization controls for container orchestration platforms
  • Block source IP 66.132.172.138 at perimeter firewalls and add to threat intelligence feeds for 90-day monitoring period
  • Conduct asset inventory review to identify and secure any inadvertently exposed industrial control systems or container management interfaces