66.132.172.198

Summary (Bottom Line Up Front)

IP address 66.132.172.198 conducted a 24-day reconnaissance and exploitation campaign from March 24 to April 17, 2026, targeting industrial control systems (S7comm), SMB services, and network infrastructure across multiple protocols. Severity is assessed as LOW with 85% confidence: the activity is consistent with routine automated scanning that later escalated to SMB exploitation attempts. Organizations should block the address at the perimeter and monitor for the same multi-protocol scanning pattern from other sources.

Observed tags: MQTT, S7comm, SMB, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, auto, HTTP, HTTPS
Activity Timeline
INITIAL REPORT 2026-04-17T12:38:11Z
Source: Analyst Manual Entry
Technical details
Over the campaign the source generated 62 security events against 9 unique destination ports, using MQTT, S7comm, SMB, TLS, HTTP/HTTPS, and plain TCP/SYN reconnaissance. The primary vectors were SMB vulnerability probing (mapped to T1595.002, Active Scanning: Vulnerability Scanning) and industrial control system probing over the S7comm protocol. Notable patterns include traffic attributable to Censys scanning infrastructure, SMBv1 exploitation attempts, and FortiGate device reconnaissance. Behaviour shifted over the period from passive reconnaissance to active exploitation attempts, concentrated on SMB and industrial control protocols. Key indicators are connections to 47808/TCP (the port registered for BACnet/IP) that triggered DShield blocklist alerts, and HTTPS reconnaissance on 10250/TCP (the Kubernetes kubelet API port) carrying CensysInspect user agents. CensysInspect is the user agent of Censys's internet-wide scanner, so matches on it identify scanner traffic rather than a specific exploit attempt; that distinction is part of why severity is held at LOW despite the SMB activity.
IOCs
IP: 66.132.172.198
Recommendations
  • Block IP address 66.132.172.198 at network perimeters and update threat intelligence feeds with this indicator
  • Implement enhanced monitoring for multi-protocol scanning patterns, particularly combinations of SMB, S7comm, and MQTT reconnaissance
  • Disable SMBv1 protocol across all network segments and ensure SMB signing is enforced on remaining SMB services
  • Segment industrial control system networks and restrict S7comm protocol access to authorized management systems only
  • Deploy detection rules for CensysInspect user agents and other automated scanning tools targeting ports 10250 and 47808
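The detection logic behind the second and last recommendations, as an added example that is not part of the original report: a small Python script that reads connection records and flags a source that touches the S7comm, SMB and MQTT ports together, a CensysInspect user agent on 10250/TCP, or any connection to 47808/TCP. The log format (`<ts> <src_ip> <dst_port> <proto> [ua=<user-agent>]`) and the sample records are constructed for the example; the port-to-protocol mapping and the Censys user-agent string are assumptions to adjust to your own telemetry.

```python
"""Flag multi-protocol scanners and scanner user agents in connection logs.

Added example, not the report's own tooling. Log format is assumed:
    <ts> <src_ip> <dst_port> <proto> [ua=<user-agent>]
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Ports named in the report, mapped to the protocol families we correlate.
WATCHED_FAMILIES = {102: "s7comm", 445: "smb", 1883: "mqtt"}
KUBELET_PORT = 10250   # Kubernetes kubelet API; the report saw CensysInspect here
DSHIELD_PORT = 47808   # connections here tripped DShield blocklist alerts
# CensysInspect is the user agent of Censys's scanner; match case-insensitively.
SCANNER_UA_RE = re.compile(r"censysinspect", re.IGNORECASE)

# Constructed sample records (not from the report); the UA string is assumed.
SAMPLE_LOG = """\
2026-03-24T01:02:03Z 66.132.172.198 102 s7comm
2026-03-25T04:05:06Z 66.132.172.198 445 smb
2026-04-01T07:08:09Z 66.132.172.198 1883 mqtt
2026-04-10T10:11:12Z 66.132.172.198 10250 https ua=Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
2026-04-12T13:14:15Z 66.132.172.198 47808 tcp
2026-04-12T13:14:15Z 198.51.100.7 445 smb
2026-04-12T13:16:15Z 198.51.100.7 443 https ua=curl/8.0
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dport: int
    proto: str
    ua: str = ""


def parse_log(text: str) -> list[Event]:
    """Parse records; the optional trailing 'ua=' field may contain spaces."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            raise ValueError(f"malformed record: {raw!r}")
        ua = parts[4][3:] if len(parts) == 5 and parts[4].startswith("ua=") else ""
        events.append(Event(parts[0], parts[1], int(parts[2]), parts[3].lower(), ua))
    return events


def multi_protocol_sources(events, min_families=3):
    """Sources that touched at least min_families of the watched protocol ports."""
    seen = defaultdict(set)
    for e in events:
        fam = WATCHED_FAMILIES.get(e.dport)
        if fam:
            seen[e.src].add(fam)
    return {src: fams for src, fams in seen.items() if len(fams) >= min_families}


def scanner_ua_hits(events, ports=(KUBELET_PORT,)):
    """Requests on the given ports whose user agent matches a known scanner."""
    return [e for e in events if e.dport in ports and SCANNER_UA_RE.search(e.ua)]


def port_hits(events, port=DSHIELD_PORT):
    """Any connection to the watched port, regardless of payload."""
    return [e for e in events if e.dport == port]


def build_findings(events):
    """Collect per-source findings so one alert can carry all three signals."""
    findings = defaultdict(list)
    for src, fams in multi_protocol_sources(events).items():
        findings[src].append(f"multi-protocol recon: {', '.join(sorted(fams))}")
    for e in scanner_ua_hits(events):
        findings[e.src].append(f"scanner UA on {e.dport}/tcp: {e.ua}")
    for e in port_hits(events):
        findings[e.src].append(f"connection to {e.dport}/tcp")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in build_findings(parse_log(SAMPLE_LOG)).items():
        print(src)
        for note in notes:
            print("  -", note)
```

Only the reported address is flagged on the sample data; the second source hits SMB once and carries a curl user agent, so neither rule fires. The multi-protocol correlation is the signal worth keeping low-noise: a CensysInspect match on its own is expected background from Censys's scanner, while three ICS and infrastructure protocol families from one source in a short window is the pattern the report describes.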