85.217.140.4

Summary (Bottom Line Up Front)

High-confidence reconnaissance activity targeting Kubernetes kubelet API infrastructure was detected from French-hosted IP 85.217.140.4 between February 28 and March 20, 2026. The scanning is initial discovery-phase activity against container orchestration platforms and is assessed as a HIGH threat. Immediate verification of kubelet API authentication controls and network segmentation is recommended.

Tags: HTTP, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https, mqtt
Activity Timeline
INITIAL REPORT 2026-03-21T12:50:45Z
Source: Analyst Manual Entry
Technical details
External IP 85.217.140.4 (AS209334 Modat B.V., France) conducted 68 reconnaissance events over a 20-day period, targeting port 10250 and additional container-related services. The activity used multiple protocols, including HTTP, HTTPS, TLS variants, and MQTT, which is consistent with comprehensive service enumeration. It maps to MITRE T1046 (Network Service Scanning) within the reconnaissance kill chain phase. The source has the maximum AbuseIPDB reputation score (100/100), indicating established malicious infrastructure. The scanning targeted 5 unique destination ports associated with Kubernetes and container management interfaces.
IOCs
IP:85.217.140.4
ASN:209334
COUNTRY:FR
Recommendations
  • Block IP 85.217.140.4 and monitor for additional reconnaissance from AS209334 Modat B.V. infrastructure
  • Audit kubelet API configurations to ensure authentication is enabled and anonymous access is disabled
  • Implement network segmentation to restrict external access to Kubernetes management ports (10250, 10255, 8080)
  • Deploy enhanced monitoring for reconnaissance patterns targeting container orchestration platforms
  • Review firewall rules to ensure Kubernetes API servers are not exposed to untrusted networks
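
One way to carry out the kubelet configuration audit recommended above, as an added example that is not part of the original report. It checks a KubeletConfiguration document in JSON form for anonymous access, an `AlwaysAllow` authorization mode, and an enabled read-only port; both sample documents are constructed, and unset fields are reported for manual review because the effective value depends on how the kubelet is started.

```python
import json

# Constructed sample: KubeletConfiguration (JSON form) with weak settings.
SAMPLE_WEAK = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the same document with the settings corrected.
SAMPLE_HARDENED = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})

# (dotted path, predicate for an acceptable value, what a failure means)
CHECKS = [
    ("authentication.anonymous.enabled", lambda v: v is False,
     "anonymous requests to the kubelet API (port 10250) are accepted"),
    ("authorization.mode", lambda v: v != "AlwaysAllow",
     "every authenticated or anonymous request is authorized"),
    ("readOnlyPort", lambda v: v == 0,
     "unauthenticated read-only port is enabled"),
]

def _get(doc, path):
    """Walk a dotted path; return None when any key is absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def audit_kubelet_config(text):
    """Return a list of (level, message); level is FAIL or REVIEW."""
    cfg = json.loads(text)
    if cfg.get("kind") != "KubeletConfiguration":
        raise ValueError("not a KubeletConfiguration document")
    findings = []
    for path, acceptable, meaning in CHECKS:
        value = _get(cfg, path)
        if value is None:
            findings.append(("REVIEW", f"{path} is unset; confirm the effective value"))
        elif not acceptable(value):
            findings.append(("FAIL", f"{path}={value!r}: {meaning}"))
    return findings
```
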