Summary (Bottom Line Up Front)
IP address 85.217.140.15 (France) conducted sustained reconnaissance targeting FortiGate infrastructure over a 10-day period from March 3-13, 2026, generating 103 security events with maximum abuse scoring. The threat level is assessed as MEDIUM with potential for escalation to active exploitation attempts. Network defenders should immediately review FortiGate exposure and implement enhanced monitoring.
Activity Timeline
UPDATE 1 (2026-03-21T15:12:49Z)
Source: Analyst Manual Entry
New findings
- Source: 85.217.140.15 (France, ASN unknown, 100/100 AbuseIPDB score)
- Campaign Duration: March 3, 2026 07:00 - March 13, 2026 23:00 (10 days)
- Attack Volume: 103 events across 4 unique destination ports
- Protocols Observed: TCP, TLS 1.0/1.2+, HTTPS, MQTT over TLS
- Primary TTPs: FortiGate login page reconnaissance (FORTI_RECON)
- MITRE ATT&CK: T1590.001 (Gather Victim Network Information: Domain Properties)
- IOCs: 85.217.140.15
Recommendations
- Immediately block IP 85.217.140.15 at perimeter firewalls and security appliances
- Audit all FortiGate devices for unnecessary internet exposure and implement access restrictions
- Enable enhanced logging on FortiGate management interfaces and monitor for suspicious authentication attempts
- Review and strengthen FortiGate administrative credentials, implementing multi-factor authentication where possible
- Deploy network segmentation to isolate management interfaces from untrusted networks
INITIAL REPORT (2026-03-14T17:40:49Z)
Source: batch_hunting
IP address 85.217.140.15 (France) conducted reconnaissance activities targeting Fortinet login pages over a 10-day period from March 3-13, 2026. This activity represents a medium threat level focused on initial access discovery rather than active exploitation. Network defenders should implement enhanced monitoring for Fortinet infrastructure and consider blocking this IP address.
Technical details
- Source: 85.217.140.15 (France, AbuseIPDB score: 100/100)
- Activity Period: March 3, 2026 06:00 - March 13, 2026 23:00 UTC
- Volume: 103 events across 4 unique destination ports
- Protocols: TCP, TLS (1.0, 1.2+), HTTPS, MQTTS TLS handshake
- Attack Pattern: FORTI_RECON targeting Fortinet login interfaces
- MITRE Mapping: T1595 (Active Scanning) - reconnaissance phase
- IOC: 85.217.140.15
IOCs
IP: 85.217.140.15
COUNTRY: FR
Recommendations
- Block IP address 85.217.140.15 at perimeter firewalls and web application firewalls
- Implement enhanced logging and alerting for Fortinet device login attempts from external sources
- Review and restrict administrative access to Fortinet infrastructure to authorized IP ranges only
- Monitor for follow-on credential stuffing or brute force attempts against identified Fortinet login pages
- Conduct security assessment of exposed Fortinet management interfaces to ensure proper hardening