85.217.140.53

Summary (Bottom Line Up Front)

IP address 85.217.140.53 conducted a sustained multi-protocol scanning campaign from March 11-28, 2026, targeting Oracle database, SSH, and Kubernetes services across 7 unique ports with 92 total events. Assessment indicates low-sophistication automated reconnaissance activity with minimal immediate threat to properly secured environments. Network defenders should implement standard hardening measures and monitor for follow-on exploitation attempts.

Tags: ORACLE, SSH, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, auto, https, oracle
Activity Timeline
UPDATE 3 (2026-03-28T21:49:18Z)
Source: Analyst Manual Entry
New findings
Attack Profile: 17-day scanning campaign utilizing multiple protocols including Oracle TNS, SSH, TLS variants (1.0, 1.2+), and HTTPS targeting infrastructure services
Primary Techniques: Port scanning and service enumeration consistent with MITRE T1046 (Network Service Scanning) during reconnaissance phase
Key Findings: ModatScanner tool identified targeting Kubernetes API servers (port 10250), Oracle database scanning, and SSH banner collection indicating broad infrastructure reconnaissance
Volume: 92 events across 7 destination ports suggesting systematic but unfocused scanning approach
IOCs: Source IP 85.217.140.53, ModatScanner user agent string, targeting of ports 10250/HTTPS, Oracle TNS, and SSH services
Recommendations
  • Implement network segmentation to limit exposure of Oracle databases, SSH services, and Kubernetes API endpoints to untrusted networks
  • Deploy rate limiting and connection throttling on exposed services to mitigate automated scanning attempts
  • Enable comprehensive logging for Oracle TNS, SSH authentication attempts, and Kubernetes API access for threat hunting
  • Review and harden Kubernetes API server configurations, ensuring proper authentication and authorization controls are in place
  • Monitor for follow-on exploitation attempts from this IP and associated infrastructure targeting previously scanned services
UPDATE 2 (2026-03-27T08:41:56Z)
Source: Analyst Manual Entry
IP address 85.217.140.53 conducted sustained Oracle database scanning activities over a 15-day period from March 11-26, 2026, generating 82 security events across multiple protocols including Oracle, HTTPS, and TLS variants. This activity represents routine reconnaissance behavior with medium threat severity and no identified exploit attempts. Network defenders should implement standard Oracle database hardening measures and monitor for follow-on targeting.
New findings
Attack Profile: Sustained scanning campaign targeting Oracle database infrastructure with secondary HTTPS reconnaissance capabilities
Protocols Observed: Oracle database protocol, TCP/SYN scanning, TLS 1.0/1.2+, HTTPS on port 10250
Attack Volume: 82 events over 15 days targeting 4 unique destination ports
Techniques: Database service enumeration, Kubernetes API server reconnaissance (port 10250), general network scanning
Payload Analysis: ModatScanner tool identified in HTTPS scanning attempts
Attribution: Unknown threat actor, assessed as opportunistic scanning rather than targeted intrusion
IOCs: Source IP 85.217.140.53, ModatScanner user agent string
Recommendations
  • Implement network segmentation to isolate Oracle database servers from internet-facing networks and restrict access to authorized management hosts only
  • Configure Oracle database listeners to bind only to necessary interfaces and disable or secure Oracle Enterprise Manager services exposed on default ports
  • Deploy monitoring for Oracle TNS (Transparent Network Substrate) connection attempts from external sources and establish baseline connection patterns
  • Harden Kubernetes environments by restricting kubelet API access on port 10250 and implementing proper RBAC controls for container orchestration platforms
  • Block source IP 85.217.140.53 at network perimeter and monitor for similar scanning patterns targeting database infrastructure
UPDATE 1 (2026-03-23T20:47:12Z)
Source: Analyst Manual Entry
IP address 85.217.140.53 originating from France conducted sustained scanning operations against Kubernetes API server ports over a 12-day period from March 11-23, 2026. Despite achieving a maximum AbuseIPDB reputation score of 100/100, the activity demonstrates medium-severity reconnaissance behavior with no confirmed exploitation attempts. Network defenders should implement targeted blocking and enhanced monitoring for Kubernetes infrastructure.
New findings
Attack Vector: Scanner operations targeting port 10250/HTTPS (Kubernetes kubelet API)
Volume: 79 events across 12 days with consistent activity patterns
Protocols: TCP, TLS 1.0/1.2+, HTTPS
Payload Signature: "ModatScanner" user-agent string indicating automated reconnaissance tooling
MITRE ATT&CK Mapping: T1046 (Network Service Scanning), T1595.001 (Active Scanning: Scanning IP Blocks)
Threat Assessment: Medium severity - reconnaissance phase activity with potential for container orchestration targeting
IOCs: 85.217.140.53, ModatScanner signature, sustained port 10250 scanning behavior
Recommendations
  • Block IP address 85.217.140.53 at network perimeter and implement geofencing controls for non-essential French IP ranges
  • Enhance monitoring and alerting for port 10250 (kubelet API) access attempts, particularly from external sources
  • Review Kubernetes cluster security configurations and ensure kubelet API authentication/authorization controls are properly implemented
  • Deploy additional network segmentation around container orchestration infrastructure to limit reconnaissance surface area
  • Correlate this activity with other ModatScanner signatures in security tooling to identify potential campaign patterns
INITIAL REPORT (2026-03-14T17:53:43Z)
Source: batch_hunting
IP address 85.217.140.53 originating from France conducted sustained network reconnaissance activities over an 18-hour period from March 11-12, 2026, generating 78 security events targeting multiple HTTPS services. The threat is assessed as MEDIUM severity based on scanning behavior patterns and maximum AbuseIPDB reputation score. Immediate blocking and enhanced monitoring of similar scanning patterns is recommended.
Technical details
The threat actor utilized TCP-based reconnaissance techniques, primarily leveraging TLS/HTTPS protocols (TLS 1.0 and TLS 1.2+) to probe network infrastructure across 2 unique destination ports. Attack classification centers on SCANNER/Scanner-Modat methodology with medium confidence assessment. The 18-hour operational window (07:00 - 01:00 UTC) suggests automated tooling rather than manual reconnaissance. MITRE ATT&CK mapping aligns with T1046 (Network Service Scanning) and T1595.001 (Active Scanning: Scanning IP Blocks). Key IOC: 85.217.140.53 with 100/100 malicious reputation score indicating established threat infrastructure.
IOCs
IP: 85.217.140.53
Country: FR
Recommendations
  • Block IP address 85.217.140.53 at perimeter firewalls and web application firewalls immediately
  • Implement enhanced logging and alerting for sustained TLS-based scanning activities targeting multiple ports
  • Review and harden exposed HTTPS services identified during this reconnaissance activity
  • Monitor for similar scanning patterns utilizing TLS 1.0/1.2+ protocols from French IP ranges
  • Correlate internal logs for any successful connections or authentication attempts from this source IP during the March 11-12 timeframe