85.217.140.43

Summary (Bottom Line Up Front)

External threat actor 85.217.140.43 conducted sustained reconnaissance against critical infrastructure systems over 36 days, targeting BACnet building automation systems, Kubernetes dashboards, and RDP services across 15 unique ports. This medium-risk activity represents typical pre-attack intelligence gathering that often precedes more serious attacks on industrial control and container orchestration systems. Immediate blocking and enhanced monitoring of targeted services is recommended.

Protocol tags: BACnet, FTP, HTTP, RDP, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, auto, http, https, smtp
Activity Timeline
INITIAL REPORT 2026-04-09T10:58:02Z
Source: Analyst Manual Entry
Technical details
Attack Timeline: March 4, 2026 23:00 - April 9, 2026 02:00 (36-day campaign)
Volume: 70 events across multiple protocols (BACnet, HTTP/HTTPS, RDP, FTP, SMTP, TLS)
Primary Techniques: Network service scanning (MITRE T1046) targeting Kubernetes dashboards on port 30000, RDP services via X224 requests, and building automation protocols
Key Indicators: ModatScanner user-agent strings, Kubernetes dashboard access attempts, X224 RDP connection requests
Infrastructure: Unknown ASN with no reverse DNS resolution; not a VPN exit, so likely a residential or compromised host
Attack Patterns: K8S_ATTACK (4 hits), RDP_SCAN (1 hit), generic scanning activity (3 hits)
IOCs
IP: 85.217.140.43
Recommendations
  • Block source IP 85.217.140.43 at perimeter firewalls and update threat intelligence feeds
  • Implement enhanced monitoring and alerting for BACnet (UDP/47808) and Kubernetes dashboard access attempts
  • Review and restrict external access to container orchestration platforms, particularly on non-standard ports like 30000
  • Conduct security assessment of building automation systems and industrial control networks for unauthorized access
  • Deploy network segmentation between IT/OT environments to limit lateral movement from compromised systems