8.148.22.190

Summary (Bottom Line Up Front)

A Chinese-hosted threat actor (8.148.22.190) conducted intensive multi-protocol reconnaissance targeting enterprise services including Oracle TNS, SMB, and web applications during a concentrated 2-minute window on March 2nd, 2026. The attacker's infrastructure exposes 13 services and carries the maximum abuse score, indicating high threat potential. Immediate blocking and enhanced monitoring of Oracle databases, SMB shares, and web applications is recommended.

Observed protocols: HTTP, Java-RMI, MQTT, Modbus, RDP, Redis, SMB, TCP, TCP/SYN, TLS, Telnet
Activity Timeline
UPDATE 1 (2026-03-17T06:39:38Z)
Source: Analyst Manual Entry
New findings
The threat actor originated from Aliyun Computing infrastructure in Hangzhou, China, generating 409 attack events between 22:00-23:00 hours. Attack vectors included Oracle TNS version enumeration, vulnerability path scanning, and legacy SMB protocol exploitation attempts. The attacker's infrastructure exposes 13 services (ports 22, 80, 443, 1883, 3306, 4369, 8077-8079, 8083, 8177, 8883, 18083) suggesting a multi-purpose attack platform. Protocols observed include HTTP/HTTPS, Java-RMI, MQTT, Modbus, RDP, Redis, SMB, and Telnet, indicating broad targeting capabilities across enterprise and IoT environments. AbuseIPDB scoring of 100/100 confirms active malicious use of this infrastructure.
Recommendations
  • Block IP 8.148.22.190 and monitor for additional Aliyun Computing (AS37963) infrastructure conducting similar reconnaissance patterns
  • Implement enhanced logging and monitoring for Oracle TNS listeners, particularly version enumeration attempts and unauthorized connection requests
  • Disable SMBv1 protocol across all Windows systems and implement SMB signing to prevent exploitation of legacy vulnerabilities
  • Deploy web application firewalls with updated rulesets to detect and block vulnerability scanning patterns targeting common application paths
  • Review and harden exposed services on ports 1883 (MQTT), 3306 (MySQL), and Redis instances against unauthorized access attempts
INITIAL REPORT (2026-03-15T09:01:33Z)
Source: Analyst Manual Entry
A Chinese-hosted IP address (8.148.22.190) conducted intensive multi-protocol reconnaissance targeting Oracle TNS, SMB, and web services during a concentrated 2-minute window on March 2, 2026. The threat actor demonstrates sophisticated scanning capabilities across 11 different protocols with 409 total events, indicating automated tooling for enterprise network enumeration. Immediate blocking and enhanced monitoring of similar scanning patterns is recommended.
Technical details
  • Source: 8.148.22.190 (Aliyun Computing/AS37963, Hangzhou, CN)
  • Activity Window: March 2, 2026, 22:00-23:00 UTC (2-minute burst)
  • Attack Volume: 409 events across 11 protocols (HTTP, Java-RMI, MQTT, Modbus, RDP, Redis, SMB, TCP, TLS, Telnet)
  • Primary Techniques: Oracle TNS version enumeration, vulnerability path scanning, SMB v1 exploitation attempts
  • Infrastructure Profile: 14 open ports including database (3306), MQTT (1883, 8883), and management interfaces (8077-8083)
  • Threat Indicators: 100/100 AbuseIPDB score, no reverse DNS, concentrated attack timeframe suggesting automated scanning tools
IOCs
IP: 8.148.22.190
ASN: 37963
COUNTRY: CN
Recommendations
  • Block 8.148.22.190 and monitor for similar scanning patterns from AS37963 (Aliyun Computing) infrastructure
  • Implement enhanced logging for Oracle TNS, SMB v1, and multi-protocol scanning attempts within short timeframes
  • Review and harden exposed database services (port 3306) and MQTT implementations against enumeration attacks
  • Deploy network segmentation controls to limit lateral movement potential from compromised endpoints
  • Establish alerting for burst scanning activity (>100 events per minute) targeting multiple protocols simultaneously
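One way to implement the last recommendation (alerting on bursts of more than 100 events per minute that span several protocols) is a per-source sliding window over connection logs. This is an added example, not code from the report; the event tuples are constructed to mirror the reported burst (409 events over two minutes across ten protocols) plus a low-rate control host at a documentation address, and the (timestamp, source, protocol) field layout is an assumption about the log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Protocols listed in the report's technical details
PROTOCOLS = ["HTTP", "Java-RMI", "MQTT", "Modbus", "RDP",
             "Redis", "SMB", "TCP", "TLS", "Telnet"]


def build_sample_events():
    """Constructed sample log: (timestamp, src_ip, protocol) tuples."""
    base = datetime(2026, 3, 2, 22, 0, 0)
    events = []
    # 409 events from the reported source, spread evenly over a 2-minute burst
    for i in range(409):
        ts = base + timedelta(seconds=120 * i / 409)
        events.append((ts, "8.148.22.190", PROTOCOLS[i % len(PROTOCOLS)]))
    # Control host (documentation address): 30 HTTP hits, one every 2 minutes
    for i in range(30):
        events.append((base + timedelta(minutes=2 * i), "203.0.113.7", "HTTP"))
    events.sort()
    return events


def detect_bursts(events, threshold=100, min_protocols=3,
                  window=timedelta(minutes=1)):
    """Per-source sliding window: alert when a single source exceeds
    `threshold` events within `window` AND those events touch at least
    `min_protocols` distinct protocols. Returns the peak window per source."""
    windows = defaultdict(deque)  # src_ip -> deque of (ts, proto) in window
    alerts = {}
    for ts, src, proto in events:  # events must be sorted by timestamp
        q = windows[src]
        q.append((ts, proto))
        # Drop events that fell out of the trailing window
        while q and ts - q[0][0] >= window:
            q.popleft()
        protos = {p for _, p in q}
        if len(q) > threshold and len(protos) >= min_protocols:
            best = alerts.get(src)
            if best is None or len(q) > best["events"]:
                alerts[src] = {"events": len(q), "protocols": len(protos),
                               "window_end": ts}
    return alerts


if __name__ == "__main__":
    for src, hit in detect_bursts(build_sample_events()).items():
        print(f"ALERT {src}: {hit['events']} events / {hit['protocols']} "
              f"protocols in the minute ending {hit['window_end']:%H:%M:%S}")
```

The protocol-count condition keeps a single busy legitimate client (many events, one protocol) from tripping the alert, which is the distinction the recommendation draws with "multiple protocols simultaneously".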