Summary (Bottom Line Up Front)
An IP address from Bulgaria (79.124.40.174) has been observed conducting HTTP GET requests to actuator endpoints across multiple systems since March 25, 2026. The activity is assessed as low threat but indicative of scanning behavior targeting potential vulnerabilities. Network defenders should monitor for similar patterns and restrict access to known vulnerable endpoints.
Activity Timeline
UPDATE 7 2026-05-10T18:22:03Z
Source: Analyst Manual Entry
An IP address from Bulgaria (79.124.40.174) has been observed conducting HTTP GET requests to actuator endpoints across multiple systems since March 25, 2026. The activity is assessed as low threat but indicative of scanning behavior targeting potential vulnerabilities. Network defenders should monitor for similar patterns and restrict access to known vulnerable endpoints.
New findings
The IP address has engaged in SCANNER activities with a focus on HTTP GET requests directed at actuator endpoints (port 8080). The traffic used standard protocols (HTTP, TCP, TLS, and HTTPS). Notable patterns include scanning for vulnerable paths and traffic matching Suricata rule ID 2031499. No CVEs or zero-day exploits were identified.
Recommendations
- Monitor network traffic for unusual activity targeting actuator endpoints.
- Restrict access to known vulnerable endpoints from untrusted sources.
- Implement strict firewall rules to block unauthorized scanning activities.
- Educate staff on the importance of securing exposed management interfaces.
- Regularly update and patch systems to mitigate potential vulnerabilities.
UPDATE 6 2026-04-15T19:42:28Z
Source: Analyst Manual Entry
IP address 79.124.40.174 conducted sustained reconnaissance scanning against multiple targets from February 27 to April 15, 2026, generating 567 security events targeting web applications and services. The activity is assessed as low-to-medium threat level opportunistic scanning with no evidence of successful exploitation attempts. Network defenders should implement standard web application hardening measures and monitor for similar reconnaissance patterns.
New findings
Attack Profile: Sustained scanning campaign spanning 47 days with consistent reconnaissance behavior targeting web application endpoints
Protocols Observed: HTTP, HTTPS, TCP, TLS 1.0 across 3 unique destination ports including 8080
Attack Vectors: Vulnerability path scanning targeting Spring Boot Actuator endpoints (/actuator/) and Xdebug extension probing
Volume Analysis: 567 total events with medium-severity scanner detections (29 hits) and low-severity path enumeration (26 hits)
IOCs: Source IP 79.124.40.174, targeting administrative and debugging interfaces on non-standard ports
Assessment: Reconnaissance phase activity with no observed exploitation attempts or payload delivery
Recommendations
- Block or rate-limit traffic from 79.124.40.174 at network perimeter and web application firewalls
- Disable or restrict access to Spring Boot Actuator endpoints (/actuator/) to authorized management networks only
- Ensure Xdebug and other debugging extensions are disabled in production environments
- Implement enhanced logging and alerting for reconnaissance patterns targeting administrative interfaces
- Review and harden web applications running on non-standard ports (8080, etc.) with proper access controls
UPDATE 5 2026-04-11T17:50:08Z
Source: Analyst Manual Entry
IP address 79.124.40.174 conducted sustained reconnaissance scanning against web applications from February 27 to April 11, 2026, generating 567 security events targeting multiple protocols including HTTP/HTTPS and attempting Xdebug exploitation. This activity represents a MEDIUM threat level with 85% confidence, indicating potential preparation for remote code execution attacks. Organizations should immediately audit web application configurations and implement enhanced monitoring for similar scanning patterns.
New findings
Attack Profile: External threat actor conducted a 43-day reconnaissance campaign targeting web applications across HTTP (port 8080) and HTTPS protocols. Activity classified as SCANNER operations with primary focus on vulnerability path enumeration, including attempts to access Spring Boot Actuator endpoints (/actuator/) and initiate Xdebug sessions for potential remote code execution.
MITRE Technique: T1190 (Exploit Public-Facing Application) during Reconnaissance phase
Volume: 567 total events across 3 unique destination ports utilizing HTTP, TCP, TLS protocols
Key IOCs: 79.124.40.174 (source IP), /actuator/ path requests, Xdebug session initiation attempts
Assessment: Medium-severity automated scanning with 5% zero-day probability, consistent with reconnaissance preceding exploitation attempts
Recommendations
- Block IP address 79.124.40.174 at network perimeter and monitor for similar scanning patterns from related infrastructure
- Audit all production web applications to ensure Xdebug is disabled and Spring Boot Actuator endpoints are properly secured or removed
- Implement enhanced logging and alerting for requests to common vulnerability paths including /actuator/, debug endpoints, and administrative interfaces
- Deploy web application firewalls (WAF) with rules to detect and block reconnaissance scanning targeting application frameworks
- Conduct immediate security assessment of public-facing applications, prioritizing PHP applications with potential Xdebug misconfigurations
UPDATE 4 2026-04-10T07:17:05Z
Source: Analyst Manual Entry
External threat actor at IP 79.124.40.174 conducted sustained reconnaissance against Spring Boot applications, specifically targeting Actuator endpoints to enumerate application routing information and internal network topology. This HIGH confidence threat represents active reconnaissance that could enable follow-on attacks against application infrastructure. Organizations running Spring Boot applications should immediately review Actuator endpoint exposure and implement access controls.
New findings
Attack Vector: HTTP-based reconnaissance targeting Spring Boot Actuator endpoints
Volume: 567 events observed between February 27, 2026 10:00 and April 10, 2026 00:00
Protocols: HTTP, HTTPS, TLS 1.0 across 3 unique destination ports
MITRE Technique: T1190 (Exploit Public-Facing Application)
Kill Chain Phase: Reconnaissance
Primary Target: `/actuator/` endpoint on port 8080
Attack Classification: Vulnerability path scanning with focus on application management interfaces
IOC: 79.124.40.174 (no reverse DNS, non-VPN source)
Recommendations
- Immediately audit all Spring Boot applications for exposed Actuator endpoints and disable unnecessary management interfaces
- Implement network-level access controls to restrict Actuator endpoint access to authorized management networks only
- Enable authentication and authorization for all Actuator endpoints that must remain accessible
- Deploy application-layer monitoring to detect unauthorized access attempts to management interfaces
- Review application logs for evidence of successful Actuator endpoint enumeration and assess potential information disclosure
UPDATE 3 2026-03-23T07:00:09Z
Source: Analyst Manual Entry
External reconnaissance activity from Bulgarian IP 79.124.40.174 has been observed targeting the Spring Boot Actuator gateway routes endpoint, likely probing for CVE-2022-22947 vulnerabilities. This HIGH-confidence threat represents active reconnaissance that typically precedes Spring Cloud Gateway exploitation attempts. Organizations running Spring Boot applications should immediately audit and restrict external access to Actuator endpoints.
New findings
Attack Vector: Network scanning campaign targeting vulnerable Spring Boot Actuator paths over HTTP/HTTPS protocols
Volume: 435 events observed between February 27, 2026 10:00 and March 23, 2026 06:00
Kill Chain Phase: Reconnaissance (MITRE T1190 - Exploit Public-Facing Application)
Primary Pattern: Vulnerability path scanning (35 instances of scan_vuln_paths behavior)
Infrastructure: AS50360 (Tamatiya EOOD), Sofia, Bulgaria, with open SSH (22) and custom service (3333) ports
Target CVE: CVE-2022-22947 (Spring Cloud Gateway Code Injection)
IOC: 79.124.40.174
Recommendations
- Immediately audit all Spring Boot applications for exposed Actuator endpoints and restrict external access via firewall rules or application configuration
- Deploy detection rules for HTTP requests targeting "/actuator/gateway/routes" and similar Spring Boot management endpoints
- Verify Spring Cloud Gateway versions and apply patches for CVE-2022-22947 if not already implemented
- Monitor network traffic from Bulgarian ASN AS50360 for additional reconnaissance attempts against web applications
- Implement network segmentation to isolate Spring Boot applications from direct internet exposure where possible
UPDATE 2 2026-03-22T08:22:26Z
Source: Analyst Manual Entry
External threat actor from Bulgaria (79.124.40.174) conducted sustained reconnaissance against Spring Boot Actuator endpoints over 23 days, generating 421 security events while attempting to map internal application architecture. Assessed as MEDIUM severity threat with 85% confidence due to information gathering activities that enable follow-on attacks. Immediate blocking and enhanced monitoring of Spring Boot Actuator endpoints recommended.
New findings
- Source: 79.124.40.174 (AS50360 Tamatiya EOOD, Sofia, Bulgaria) with maximum AbuseIPDB reputation score (100/100)
- Activity Window: February 27, 2026 10:00 - March 22, 2026 07:00 (23-day campaign)
- Attack Vector: HTTP/HTTPS scanner targeting Spring Boot Actuator gateway routes endpoint
- Protocols Observed: HTTP, HTTPS, TLS 1.0, TCP on ports 22 and 3333
- MITRE Technique: T1190 (Exploit Public-Facing Application)
- Kill Chain Phase: Reconnaissance
- Primary Pattern: Vulnerability path scanning (34 high-confidence detections)
- Threat Assessment: Medium severity, low zero-day probability (5%), unknown threat actor attribution
Recommendations
- Block source IP 79.124.40.174 at perimeter firewalls and update threat intelligence feeds
- Audit Spring Boot Actuator endpoint configurations and disable unnecessary management endpoints in production
- Implement enhanced logging and alerting for Spring Boot Actuator access attempts, particularly /actuator/gateway/routes
- Review network segmentation to limit exposure of application management interfaces to external networks
- Conduct security assessment of Spring Boot applications to identify and remediate information disclosure vulnerabilities
UPDATE 1 2026-03-18T15:10:59Z
Source: Analyst Manual Entry
High-confidence malicious reconnaissance activity targeting Spring Boot Actuator management endpoints has been observed from Bulgarian infrastructure, specifically probing for Spring Cloud Gateway routing configurations that could expose internal network topology. This represents initial access attempts with HIGH threat level assessment and 85% confidence. Immediate blocking and enhanced monitoring of Spring Boot applications is recommended.
New findings
- Source: 79.124.40.174 (AS50360 Tamatiya EOOD, Sofia, BG) with maximum AbuseIPDB score (100/100)
- Activity Window: February 27, 2026 10:00 - March 18, 2026 03:00 (378 total events)
- Attack Vector: Vulnerability scanning targeting /actuator/gateway/routes endpoints (CVE-2022-22947)
- Protocols: HTTP/HTTPS with TLS 1.0, TCP reconnaissance on ports 22 and 3333
- MITRE Mapping: T1190 (Exploit Public-Facing Application) - Reconnaissance phase
- Pattern: 33 instances of vulnerability path scanning behavior
Recommendations
- Block source IP 79.124.40.174 and monitor for additional activity from AS50360 network range
- Audit all Spring Boot applications for exposed Actuator endpoints and disable unnecessary management interfaces
- Implement enhanced logging and alerting for requests to /actuator/* paths across web infrastructure
- Verify Spring Cloud Gateway installations are patched against CVE-2022-22947 and related Spring vulnerabilities
- Deploy additional monitoring for reconnaissance patterns targeting application management interfaces
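As an added example (not part of this report or its tooling), a detection pass over constructed web-server access log lines that flags the Actuator enumeration pattern the updates above describe (requests to /actuator/* and /actuator/gateway/routes), and separates blocked probes from paths that actually answered 2xx. The log format, the high-value path watch list and the hit threshold are assumptions.

```python
import re
from collections import defaultdict

# Combined log format (nginx/Apache style); the format is an assumption, adjust the regex to your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Any /actuator/* request counts as a probe; the high-value set is an assumed watch list.
ACTUATOR_RE = re.compile(r'^/actuator(/|$)')
HIGH_VALUE = {'/actuator/gateway/routes', '/actuator/env', '/actuator/heapdump', '/actuator/mappings'}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['path'] = d['path'].split('?', 1)[0]  # drop the query string before matching
    return d

def actuator_probes(lines, min_hits=3):
    """Summarise per source IP; alert when a source makes >= min_hits actuator requests
    or when a high-value actuator path answered 2xx (probable information disclosure)."""
    stats = defaultdict(lambda: {'hits': 0, 'paths': set(), 'disclosed': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ACTUATOR_RE.match(rec['path']):
            continue
        s = stats[rec['ip']]
        s['hits'] += 1
        s['paths'].add(rec['path'])
        if 200 <= rec['status'] < 300:
            s['disclosed'].add(rec['path'])
    alerts = {}
    for ip, s in stats.items():
        if s['hits'] >= min_hits or (s['disclosed'] & HIGH_VALUE):
            alerts[ip] = {'hits': s['hits'], 'paths': sorted(s['paths']),
                          'disclosed': sorted(s['disclosed']),
                          'high_value_hit': bool(s['paths'] & HIGH_VALUE)}
    return alerts

# Constructed sample log lines (not real data); the scanning source is the IP named in this report.
SAMPLE_LOG = """\
79.124.40.174 - - [27/Feb/2026:10:00:01 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153
79.124.40.174 - - [27/Feb/2026:10:00:02 +0000] "GET /actuator/env HTTP/1.1" 404 153
79.124.40.174 - - [27/Feb/2026:10:00:03 +0000] "GET /actuator/ HTTP/1.1" 404 153
79.124.40.174 - - [27/Feb/2026:10:00:04 +0000] "GET /actuator/health?x=1 HTTP/1.1" 200 15
203.0.113.5 - - [27/Feb/2026:10:05:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
""".splitlines()
```

A single health probe from a monitoring host (203.0.113.5 above) stays below the threshold, while a source that walks several Actuator paths is reported together with any path that disclosed data.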
INITIAL REPORT 2026-03-14T17:40:25Z
Source: batch_hunting
IP address 79.124.40.174 (Sofia, Bulgaria) conducted sustained vulnerability scanning operations against multiple targets over a 15-day period from February 27 to March 14, 2026. The threat actor demonstrates medium-severity reconnaissance behavior with 318 recorded events targeting web services and SSH infrastructure. Network defenders should implement immediate blocking and enhanced monitoring for this confirmed malicious actor.
Technical details
The threat actor operated from AS50360 (Tamatiya EOOD) infrastructure with a maximum AbuseIPDB reputation score of 100/100, indicating widespread malicious activity. Attack vectors included HTTP/HTTPS reconnaissance on standard and non-standard ports (22, 3333) utilizing multiple protocol versions including legacy TLS 1.0. Primary technique involved systematic vulnerability path scanning (30 confirmed instances) consistent with MITRE ATT&CK T1595.002 (Active Scanning: Vulnerability Scanning). The 15-day operational window suggests either automated tooling or persistent manual reconnaissance efforts. Key IOC: 79.124.40.174 with confirmed scanner classification and medium-severity vulnerability enumeration patterns.
IOCs
IP: 79.124.40.174
ASN: 50360
COUNTRY: BG
Recommendations
- Block IP address 79.124.40.174 at perimeter firewalls and web application firewalls immediately
- Implement enhanced logging and alerting for connections from AS50360 (Tamatiya EOOD) network range
- Review and harden exposed services on ports 22 and 3333, ensuring latest security patches are applied
- Deploy rate limiting on web applications to mitigate automated vulnerability scanning attempts
- Monitor for follow-on exploitation attempts against any services that may have responded to the initial reconnaissance