85.217.140.52

Summary (Bottom Line Up Front)

External IP 85.217.140.52 (AS209334 Modat B.V.) conducted sustained reconnaissance activities over 16 days targeting network infrastructure including Kubernetes etcd services and FortiGate devices. Assessed threat level is LOW with medium confidence, representing preliminary information gathering that could precede more sophisticated attacks. Network defenders should verify exposure of critical infrastructure services and implement appropriate access controls.

Activity Timeline
UPDATE 1 2026-03-23T06:57:46Z
Source: Analyst Manual Entry
External IP 85.217.140.52 (AS209334 Modat B.V.) conducted sustained reconnaissance activities over 16 days targeting network infrastructure including Kubernetes etcd services and FortiGate devices. Assessed threat level is LOW with medium confidence, representing preliminary information gathering that could precede more sophisticated attacks. Network defenders should verify exposure of critical infrastructure services and implement appropriate access controls.
New findings
  • Source: 85.217.140.52 (France, AS209334 Modat B.V., AbuseIPDB score 100/100)
  • Activity Period: March 6, 2026 14:00 - March 22, 2026 19:00 (208 events)
  • Protocols: HTTP/HTTPS, TLS 1.0, MQTT, TCP SYN scanning
  • Attack Patterns: FortiGate login page reconnaissance, general network scanning
  • MITRE Technique: T1046 (Network Service Scanning)
  • Kill Chain Phase: Reconnaissance
  • Target Scope: 6 unique destination ports including etcd (2379) and web services
  • IOC: 85.217.140.52
Recommendations
  • Verify that Kubernetes etcd services (port 2379) are not exposed to the internet and implement proper network segmentation
  • Review FortiGate device configurations to ensure management interfaces are restricted to authorized networks only
  • Block traffic from 85.217.140.52 at network perimeters and consider blocking the entire AS209334 range if operationally feasible
  • Audit all internet-facing services to identify and remediate unnecessary exposure of infrastructure management interfaces
  • Implement enhanced monitoring for reconnaissance patterns targeting container orchestration and network security appliances
INITIAL REPORT 2026-03-14T17:46:10Z
Source: batch_hunting
French-hosted IP address 85.217.140.52 conducted a week-long reconnaissance campaign from March 6-13, 2026, specifically targeting Fortinet login interfaces alongside broader network scanning activities. The threat level is assessed as MEDIUM due to focused infrastructure reconnaissance without confirmed exploitation attempts. Network defenders should immediately audit Fortinet device exposure and implement enhanced monitoring for reconnaissance activities.
Technical details
  • Source: 85.217.140.52 (AS209334 Modat B.V., France) with maximum AbuseIPDB reputation score (100/100)
  • Campaign Duration: March 6, 2026 14:00 - March 13, 2026 07:00 (7-day window)
  • Attack Volume: 205 events across 4 unique destination ports
  • Protocols Observed: HTTP, HTTPS, TCP, TLS 1.0, MQTT
  • Primary Techniques: Fortinet login page reconnaissance (FORTI_RECON) and systematic network scanning (SCANNER)
  • MITRE ATT&CK Mapping: T1595.002 (Active Scanning: Vulnerability Scanning), T1590 (Gather Victim Network Information)
  • Key IOC: 85.217.140.52
IOCs
  • IP: 85.217.140.52
  • ASN: 209334
  • Country: FR
Recommendations
  • Immediately inventory and restrict external access to Fortinet management interfaces, implementing VPN-only access where possible
  • Deploy enhanced logging and alerting for authentication attempts against network infrastructure devices
  • Block traffic from 85.217.140.52 and monitor for additional reconnaissance activity from AS209334 Modat B.V.
  • Conduct vulnerability assessments on externally-facing Fortinet devices and apply latest security patches
  • Implement network segmentation to limit reconnaissance scope and lateral movement opportunities