Summary (Bottom Line Up Front)
IP address 85.217.140.40 (France) conducted sustained reconnaissance activities against multiple network services from March 5-12, 2026, generating 150 security events across 7 destination ports. The threat is assessed as MEDIUM risk due to persistent scanning behavior and maximum AbuseIPDB reputation score. Network defenders should implement blocking measures and enhance monitoring for this indicator.
Activity Timeline
INITIAL REPORT: 2026-03-14T17:52:52Z
Source: batch_hunting
Technical details
- Source: 85.217.140.40 (France, ASN unknown, 100/100 AbuseIPDB score)
- Activity Window: March 5, 2026 01:00 - March 12, 2026 04:00 UTC
- Attack Volume: 150 events targeting 7 unique destination ports
- Protocols Observed: HTTP/HTTPS, TCP, TLS (1.0, 1.2+), MQTT over TLS
- Primary TTPs: Network service discovery and reconnaissance (Scanner-Modat pattern)
- MITRE ATT&CK: T1046 (Network Service Scanning) - implied from scanner behavior
- Key IOC: 85.217.140.40
IOCs
- IP: 85.217.140.40
- Country: FR
Recommendations
- Block IP address 85.217.140.40 at perimeter firewalls and web application firewalls
- Monitor for similar scanning patterns targeting the same 7 destination ports identified in this campaign
- Review logs for any successful connections or authentication attempts from this source IP
- Implement rate limiting on services commonly targeted by reconnaissance activities (HTTP/HTTPS, MQTT)
- Consider threat hunting for additional French IP ranges exhibiting similar scanner behaviors