85.11.183.19

Summary (Bottom Line Up Front)

IP address 85.11.183.19 conducted sustained reconnaissance activities over 50 days (February 28 - April 19, 2026) with 151 events targeting multiple protocols including HTTPS, TLS, and SMTP across 7 unique ports. Despite low individual event severity, the persistent nature and focus on Fortigate infrastructure reconnaissance elevates the overall threat assessment to HIGH. Network defenders should implement enhanced monitoring for this IP and review exposure of management interfaces.

Protocol tags: HTTP, TCP, TCP/SYN, TLS, TLS/1.0, auto, https, https_tls_handshake, smtp
Activity Timeline
UPDATE 2  2026-04-19T08:31:50Z
Source: Analyst Manual Entry
IP address 85.11.183.19 conducted sustained reconnaissance activities over 50 days (February 28 - April 19, 2026) with 151 events targeting multiple protocols including HTTPS, TLS, and SMTP across 7 unique ports. Despite low individual event severity, the persistent nature and focus on Fortigate infrastructure reconnaissance elevates the overall threat assessment to HIGH. Network defenders should implement enhanced monitoring for this IP and review exposure of management interfaces.
New findings
Attack Vector: Multi-protocol reconnaissance campaign spanning HTTP, HTTPS, TLS 1.0/1.3, SMTP, and TCP SYN scanning
Primary Techniques: FORTI_RECON (probes of Fortigate login pages) and MQTT_ATTACK (HTTP-formatted requests sent to MQTT ports)
MITRE Mapping: T1040 (Network Sniffing), Reconnaissance phase, as recorded by the platform. Note that T1040 describes passive capture of traffic; the observed SYN scans and HTTP/TLS probes are active reconnaissance and correspond more directly to T1595 (Active Scanning).
Key Indicators: TLS 1.3 Client Hello handshakes to the uncommon port 9001, and HTTP requests carrying a Chrome User-Agent to port 8443
Attack Patterns: 9 hits on Fortigate login page reconnaissance, 10 hits on MQTT service probing
IOC: 85.11.183.19 (no reverse DNS; ASN not resolved in this update, recorded as AS201002 SOFCOMPANY Ltd in the earlier entries below)
Recommendations
  • Block IP address 85.11.183.19 at perimeter firewalls and update threat intelligence feeds
  • Review and restrict access to management interfaces on ports 8443, 9001, and other non-standard HTTPS ports
  • Implement enhanced logging and alerting for Fortigate administrative interface access attempts
  • Conduct security assessment of MQTT services and ensure proper authentication/authorization controls
  • Monitor for additional reconnaissance activity targeting similar infrastructure components and management interfaces
UPDATE 1  2026-03-21T15:16:19Z
Source: Analyst Manual Entry
IP address 85.11.183.19 (SOFCOMPANY Ltd, London) conducted reconnaissance against Fortigate infrastructure over a 21-day period, generating 79 events targeting login interfaces via HTTPS. This represents medium-severity threat activity consistent with initial target identification preceding potential exploitation attempts. Network defenders should implement enhanced monitoring for Fortigate devices and consider blocking this IP address.
New findings
The attacker operated from 85.11.183.19 (AS201002 SOFCOMPANY Ltd, London) between February 28, 2026 10:00 and March 21, 2026 13:00, generating 79 reconnaissance events. Primary activity involved HTTPS-based probing of Fortigate login pages, using HTTP, TCP, TLS 1.0, and SMTP across 6 unique destination ports. The platform maps the activity to MITRE technique T1590.001 (Gather Victim Network Information: Domain Properties) in the reconnaissance phase of the kill chain. The source IP carries the maximum AbuseIPDB abuse-confidence score (100/100), indicating previously reported malicious activity. No CVE exploitation or zero-day activity was observed during this campaign.
Recommendations
  • Block IP address 85.11.183.19 at the network perimeter; blocking the entire AS201002 (SOFCOMPANY Ltd) range is an option once the collateral impact on any legitimate traffic from that AS has been assessed
  • Implement enhanced logging and monitoring for all Fortigate device login attempts, particularly HTTPS-based authentication events
  • Review and strengthen Fortigate device configurations including multi-factor authentication, account lockout policies, and access control lists
  • Deploy network segmentation to isolate Fortigate management interfaces from internet-accessible networks where operationally feasible
  • Establish baseline monitoring for reconnaissance patterns targeting network infrastructure devices to enable early threat detection
INITIAL REPORT  2026-03-14T17:47:46Z
Source: batch_hunting
IP address 85.11.183.19 (SOFCOMPANY Ltd, London) conducted reconnaissance activities targeting Fortinet infrastructure between February 28 and March 13, 2026. The threat is assessed as MEDIUM severity based on limited attack scope and reconnaissance-only behavior. Network defenders should implement targeted monitoring and access controls for Fortinet devices.
Technical details
The attacker conducted 61 events over a 13-day period, exclusively targeting Fortinet login pages through FORTI_RECON techniques. Traffic analysis revealed multiple protocols including HTTP, HTTPS, TLS 1.0, TCP SYN scanning, and SMTP communications across 6 unique destination ports. The source system appears to be a Linux-based host with SSH (port 22) exposed and carries the maximum AbuseIPDB abuse-confidence score (100/100). No indicators of exploitation or of post-reconnaissance ATT&CK techniques were observed, suggesting early-stage reconnaissance rather than active exploitation attempts.
IOCs
IP:85.11.183.19
ASN:201002
COUNTRY:GB
Recommendations
  • Block IP address 85.11.183.19 at perimeter firewalls and update threat intelligence feeds
  • Review and harden authentication mechanisms on all Fortinet devices, particularly login page access controls
  • Implement enhanced monitoring for reconnaissance patterns targeting network infrastructure management interfaces
  • Conduct security assessment of exposed Fortinet devices to ensure latest patches and secure configurations
  • Consider geoblocking or additional authentication requirements for administrative access from non-business locations
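The recommendations in all three entries call for baseline monitoring of reconnaissance against management interfaces, but none shows what that detection looks like. The script below is an added example for this report and is not code from the platform that produced the entries. It assumes a simple space-separated connection-log format (constructed sample records are embedded) and scores each source on the same dimensions the entries use: event count, distinct destination ports, campaign duration in days, and hits on management-interface ports. The tag names, the ADMIN_PORTS set and the severity thresholds are assumptions chosen to reproduce the report's reasoning that persistence, not per-event severity, drives the rating.

```python
"""Persistent-reconnaissance scorer for perimeter connection logs.

Added example for this report; not code from the platform that produced the
entries above. Assumed record format (constructed sample below):
    <ISO-8601 timestamp> <src_ip> <dst_port> <protocol> <tag>
Tag names, ADMIN_PORTS and the thresholds in assess() are assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable

# Ports treated as management / non-standard HTTPS endpoints (assumption: the
# report names 8443 and 9001; 443 is added for the Fortigate login page).
ADMIN_PORTS = {443, 8443, 9001}

# Constructed sample records, loosely mirroring the activity described above.
SAMPLE_LOG = """\
2026-02-28T10:02:11Z 85.11.183.19 443 https FORTI_RECON
2026-02-28T10:02:13Z 85.11.183.19 8443 https FORTI_RECON
2026-03-05T03:41:09Z 85.11.183.19 25 smtp SMTP_PROBE
2026-03-14T22:15:44Z 85.11.183.19 22 tcp/syn SYN_SCAN
2026-03-21T12:58:30Z 85.11.183.19 443 tls/1.0 FORTI_RECON
2026-04-02T07:12:01Z 85.11.183.19 1883 http MQTT_ATTACK
2026-04-19T08:30:02Z 85.11.183.19 9001 tls/1.3 TLS_HELLO
2026-03-03T09:00:00Z 203.0.113.7 443 https WEB_OK
2026-03-03T09:00:05Z 203.0.113.7 443 https WEB_OK
"""


@dataclass
class SourceProfile:
    events: int = 0
    ports: set[int] = field(default_factory=set)
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    admin_hits: int = 0
    tags: Counter = field(default_factory=Counter)

    @property
    def duration_days(self) -> int:
        """Calendar days between first and last event (Feb 28 -> Apr 19 = 50)."""
        if self.first_seen is None or self.last_seen is None:
            return 0
        return (self.last_seen.date() - self.first_seen.date()).days


def parse_line(line: str) -> tuple[datetime, str, int, str, str]:
    """Split one record; raises ValueError on malformed input so callers can skip it."""
    ts, src, port, proto, tag = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, int(port), proto, tag


def profile_sources(lines: Iterable[str]) -> dict[str, SourceProfile]:
    """Aggregate records per source IP, skipping blank or malformed lines."""
    profiles: dict[str, SourceProfile] = defaultdict(SourceProfile)
    for raw in lines:
        if not raw.strip():
            continue
        try:
            when, src, port, _proto, tag = parse_line(raw)
        except ValueError:
            continue
        p = profiles[src]
        p.events += 1
        p.ports.add(port)
        p.tags[tag] += 1
        if port in ADMIN_PORTS:
            p.admin_hits += 1
        if p.first_seen is None or when < p.first_seen:
            p.first_seen = when
        if p.last_seen is None or when > p.last_seen:
            p.last_seen = when
    return dict(profiles)


def assess(p: SourceProfile) -> str:
    """Rate a source by persistence rather than per-event weight (thresholds assumed).

    A client that hits 443 a few times on one day stays LOW; the rating rises only
    when activity spans weeks, touches several ports and keeps returning to
    management endpoints, which is the pattern the report entries describe.
    """
    if p.duration_days >= 30 and p.admin_hits >= 3 and len(p.ports) >= 5:
        return "HIGH"
    if p.duration_days >= 7 and p.admin_hits >= 1:
        return "MEDIUM"
    return "LOW"


def summarize(src: str, p: SourceProfile) -> str:
    """One-line summary in the style of the report entries."""
    top = ", ".join(f"{t} x{n}" for t, n in p.tags.most_common(2))
    return (f"{src}: {p.events} events over {p.duration_days} days across "
            f"{len(p.ports)} ports, {p.admin_hits} admin-port hits [{top}] -> {assess(p)}")


if __name__ == "__main__":
    for src, prof in profile_sources(SAMPLE_LOG.splitlines()).items():
        print(summarize(src, prof))
```

Run against real firewall or reverse-proxy logs, the only parts that need changing are parse_line (to match the local log format) and ADMIN_PORTS (to list the organisation's actual management listeners). Keep the duration and port-spread conditions: they are what separates a 50-day multi-port campaign from a one-off burst that a per-event severity score would rate identically.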