Summary (Bottom Line Up Front)
French IP address 85.217.140.45 conducted sustained reconnaissance against Kubernetes infrastructure over a 9-day period, specifically targeting etcd databases and cluster dashboards using ModatScanner tooling. This represents a MEDIUM threat level with potential Advanced Persistent Threat characteristics, requiring immediate review of Kubernetes exposure and access controls. Organizations should audit their Kubernetes deployments for unauthorized external access and implement enhanced monitoring.
Activity Timeline
UPDATE 1 2026-03-18T00:00:51Z
Source: Analyst Manual Entry
French IP address 85.217.140.45 conducted sustained reconnaissance against Kubernetes infrastructure over a 9-day period, specifically targeting etcd databases and cluster dashboards using ModatScanner tooling. This represents a MEDIUM threat level with potential Advanced Persistent Threat characteristics, requiring immediate review of Kubernetes exposure and access controls. Organizations should audit their Kubernetes deployments for unauthorized external access and implement enhanced monitoring.
New findings
The threat actor generated 72 attack events between March 7th 21:00 and March 16th 20:00, 2026, using multiple protocols including HTTP/HTTPS, TLS 1.0/1.2+, TCP, and SMTP across 4 unique destination ports. The primary attack vectors were Kubernetes dashboard access attempts and reconnaissance of etcd on port 2379, mapped to MITRE technique T1595.002 (Active Scanning: Vulnerability Scanning). The source IP carries the maximum AbuseIPDB reputation score of 100/100, indicating confirmed malicious activity. Observed attack patterns included K8S_ATTACK/k8s_dashboard_access (4 hits) and SCANNER/Scanner-Modat (3 hits), consistent with automated tooling built for Kubernetes cluster discovery and enumeration.
Recommendations
- Immediately audit all Kubernetes clusters for external exposure, particularly etcd databases on port 2379 and dashboard interfaces
- Implement network segmentation to prevent direct internet access to Kubernetes management interfaces and etcd endpoints
- Deploy enhanced monitoring for reconnaissance activities targeting container orchestration platforms
- Block traffic from 85.217.140.45 at network perimeters and review logs for successful authentication attempts
- Conduct vulnerability assessments of Kubernetes deployments focusing on authentication bypass and privilege escalation vectors
INITIAL REPORT 2026-03-17T23:33:06Z
Source: Analyst Manual Entry
French IP address 85.217.140.45 conducted sustained reconnaissance against Kubernetes infrastructure over a 9-day period from March 7-16, 2026, targeting etcd databases and cluster dashboards across 72 attack events. This represents a MEDIUM threat level with 85% confidence, indicating potential Advanced Persistent Threat activity focused on container orchestration platforms. Organizations should immediately audit Kubernetes exposure and implement enhanced monitoring for etcd access attempts.
Technical details
Attack Profile: ModatScanner-attributed reconnaissance campaign targeting Kubernetes cluster components, specifically etcd port 2379 and dashboard interfaces.
Protocols Observed: HTTP/HTTPS, TLS 1.0/1.2+, TCP SYN scanning, and SMTP communications across 4 unique destination ports.
MITRE Mapping: T1595.002 (Active Scanning: Vulnerability Scanning) during the reconnaissance phase.
Threat Indicators: 100/100 AbuseIPDB reputation score, unknown ASN registration, 72 total events with K8S_ATTACK and SCANNER classifications.
Key IOCs: Source IP 85.217.140.45 (France); attack patterns include k8s_dashboard_access and Scanner-Modat signatures.
IOCs
IP: 85.217.140.45
COUNTRY: FR
Recommendations
- Immediately audit all Kubernetes clusters for public exposure of etcd (port 2379) and dashboard interfaces, ensuring proper network segmentation and access controls
- Implement enhanced logging and monitoring for Kubernetes API server access attempts, etcd queries, and dashboard authentication events
- Block source IP 85.217.140.45 at network perimeters and correlate against internal logs for any successful connections or data exfiltration
- Review and harden Kubernetes RBAC policies, ensuring etcd access is restricted to authorized cluster components only
- Deploy container security monitoring solutions capable of detecting reconnaissance activities against orchestration platforms
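Both recommendation lists above ask defenders to correlate the source IP against Kubernetes logs and to separate denied probes from any successful connections. The following Python script is an added example (not part of the report, and not tooling from the report's analysts) that triages Kubernetes API server audit events (audit.k8s.io/v1 format) against the report's IOC IP. The sample events are constructed for illustration; only the IP 85.217.140.45 comes from the report, and the usernames, request URIs and status codes are invented.

```python
"""Triage Kubernetes audit events against the IOC IP from this report.

Added example. Reads newline-delimited audit.k8s.io/v1 events, keeps only
ResponseComplete events (the stage that carries the HTTP status code) whose
sourceIPs intersect the IOC set, and grades each hit:
  info   - request denied (non-2xx): a blocked probe, still worth logging
  medium - 2xx as system:anonymous: unauthenticated data disclosure
  high   - 2xx as a real principal: the IOC source used valid credentials
"""
import json
from collections import Counter

IOC_IPS = {"85.217.140.45"}          # source IP from the report's IOC section
RESPONSE_STAGE = "ResponseComplete"  # only this stage has responseStatus

# Constructed sample audit log (illustrative values, not real cluster data).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/","user":{"username":"system:anonymous"},"sourceIPs":["85.217.140.45"],"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestURI":"/version","user":{"username":"system:anonymous"},"sourceIPs":["85.217.140.45"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/secrets?limit=500","user":{"username":"kubernetes-admin"},"sourceIPs":["85.217.140.45"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/nodes","user":{"username":"system:serviceaccount:kube-system:node-controller"},"sourceIPs":["10.0.0.12"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"get","requestURI":"/healthz","user":{"username":"system:anonymous"},"sourceIPs":["85.217.140.45"]}
this line is not JSON
"""


def parse_audit_lines(text):
    """Yield (event, error) per non-empty line; error is set when JSON fails."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw), None
        except json.JSONDecodeError as exc:
            yield None, f"malformed: {exc.msg}"


def triage_audit_log(text, ioc_ips=IOC_IPS):
    """Return (findings, summary) for events whose source matches an IOC IP."""
    findings = []
    summary = Counter()
    for event, err in parse_audit_lines(text):
        if err:
            summary["malformed"] += 1
            continue
        if event.get("stage") != RESPONSE_STAGE:
            summary["skipped_stage"] += 1   # avoids double-counting a request
            continue
        # sourceIPs may hold a proxy chain; any IOC member in it is a hit.
        if not set(event.get("sourceIPs", [])) & ioc_ips:
            summary["other"] += 1
            continue
        code = event.get("responseStatus", {}).get("code", 0)
        user = event.get("user", {}).get("username", "")
        if not 200 <= code < 300:
            severity = "info"
        elif user == "system:anonymous":
            severity = "medium"
        else:
            severity = "high"
        summary[severity] += 1
        findings.append({
            "severity": severity,
            "ip": sorted(set(event["sourceIPs"]) & ioc_ips)[0],
            "user": user,
            "verb": event.get("verb", ""),
            "uri": event.get("requestURI", ""),
            "code": code,
        })
    return findings, dict(summary)


if __name__ == "__main__":
    hits, stats = triage_audit_log(SAMPLE_AUDIT_LOG)
    for h in hits:
        print(f"[{h['severity']:6}] {h['ip']} {h['user']} {h['verb']} {h['uri']} -> {h['code']}")
    print("summary:", stats)
```

Point this at the API server's audit log (audit-log-path) or at the same events forwarded to a SIEM; a single "high" finding means the IOC source reached the API with a valid identity and the credential in question should be rotated and its RBAC bindings reviewed, while "medium" hits show which unauthenticated endpoints disclose information and should be closed off.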