85.217.140.9

Summary (Bottom Line Up Front)

French-hosted IP address 85.217.140.9 ran a sustained 7-day campaign against Kubernetes dashboards and FortiGate infrastructure, generating 148 attack events between March 4 and 11, 2026. The threat level is assessed as HIGH, based on the address's maximum AbuseIPDB confidence score and its active exploitation attempts against critical network infrastructure. Immediate blocking of the address and enhanced monitoring of Kubernetes and FortiGate assets are recommended.

Protocol tags: TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https
Activity Timeline
INITIAL REPORT 2026-03-14T17:54:31Z
Source: batch_hunting
Technical details
Attack Profile: Sustained campaign over HTTPS/TLS (TLS 1.0 and TLS 1.2+) across 4 unique destination ports. Primary techniques are unauthorized Kubernetes dashboard access attempts and FortiGate login page reconnaissance. The 148 events spread across the 168-hour window point to persistent automated tooling rather than a one-off probe. The TLS 1.0 handshakes alongside TLS 1.2+ indicate the tooling also tries legacy protocol versions; any server that completed a TLS 1.0 handshake with this source has a legacy-TLS exposure worth fixing in its own right. Note that the address geolocates to France while the ASN is registered to a Dutch company (B.V.), so treat the hosting country as approximate.
MITRE ATT&CK Mappings: T1190 (Exploit Public-Facing Application), T1595.002 (Active Scanning: Vulnerability Scanning)
Key IOCs:
  • Source IP: 85.217.140.9
  • ASN: AS209334 (Modat B.V.)
  • Attack timeframe: March 4, 2026 21:00 - March 11, 2026 21:00
  • Protocols: TCP, TLS 1.0/1.2+, HTTPS
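As an added example that is not part of the original report, the following Python script applies the report's IOCs to HTTPS reverse-proxy access logs and surfaces the Kubernetes dashboard and FortiGate login probes described above, reproducing the report's key fields (event count, destination ports, TLS versions, active window) and adding the triage detail a responder wants most: which probed login surfaces actually answered. The log format (nginx combined plus server port and TLS version), the probed URL paths, the split of the two ATT&CK mappings across probe types, and the sample log lines are all assumptions constructed for the example; only the source IP and technique IDs come from the report.

```python
"""Hunt reverse-proxy access logs for the Kubernetes dashboard and FortiGate
login probes attributed to the reported source IP."""
import re
from collections import Counter
from datetime import datetime

IOC_IP = "85.217.140.9"  # from the report

# ASSUMPTION: the report does not name the probed URL paths. These are the
# stock Kubernetes Dashboard API/login endpoints and the FortiGate SSL-VPN
# (/remote/login) and admin GUI (/login) pages; adapt to your deployments.
PROBE_SIGNATURES = {
    "k8s_dashboard_access": re.compile(r"^/api/v1/(login|csrftoken/login|namespace)(/|$|\?)"),
    "fortigate_login_recon": re.compile(r"^/(remote/login|login)(/|$|\?)"),
}
# ASSUMPTION: how the report's two ATT&CK mappings split across probe types.
TECHNIQUE = {"k8s_dashboard_access": "T1190", "fortigate_login_recon": "T1595.002"}
LEGACY_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}

# ASSUMPTION: nginx "combined" log format with $server_port and $ssl_protocol
# appended as port=... tls=... so destination port and TLS version are visible.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+ port=(?P<port>\d+) tls=(?P<tls>\S+)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the probe category a request path matches, or None."""
    for name, pattern in PROBE_SIGNATURES.items():
        if pattern.match(path):
            return name
    return None


def hunt(log_text, ioc_ip=IOC_IP):
    """Summarise what ioc_ip did: event count, probe categories, destination
    ports, TLS versions, active window, and which probed paths actually
    answered (anything other than 404 means the login surface is reachable)."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == ioc_ip]
    probes = Counter()
    exposed = set()
    for r in events:
        cat = classify(r["path"])
        if cat:
            probes[cat] += 1
            if r["status"] != 404:
                exposed.add(r["path"])
    stamps = [r["ts"] for r in events]
    window_h = (max(stamps) - min(stamps)).total_seconds() / 3600 if stamps else 0.0
    return {
        "source_ip": ioc_ip,
        "events": len(events),
        "probes": dict(probes),
        "techniques": sorted({TECHNIQUE[c] for c in probes}),
        "dst_ports": sorted({r["port"] for r in events}),
        "tls_versions": sorted({r["tls"] for r in events}),
        "legacy_tls_events": sum(1 for r in events if r["tls"] in LEGACY_TLS),
        "window_hours": round(window_h, 1),
        "exposed_paths": sorted(exposed),
    }


# Constructed sample log, not real traffic: six hits from the IOC IP plus two
# unrelated requests that must be ignored.
SAMPLE_LOG = """\
85.217.140.9 - - [04/Mar/2026:21:03:11 +0000] "GET /api/v1/login HTTP/1.1" 401 27 port=8443 tls=TLSv1.2
85.217.140.9 - - [04/Mar/2026:21:03:12 +0000] "POST /api/v1/csrftoken/login HTTP/1.1" 403 38 port=8443 tls=TLSv1.2
85.217.140.9 - - [05/Mar/2026:02:41:50 +0000] "GET /remote/login HTTP/1.1" 404 153 port=443 tls=TLSv1.0
85.217.140.9 - - [05/Mar/2026:02:41:51 +0000] "GET /login HTTP/1.1" 404 153 port=10443 tls=TLSv1.0
10.20.30.40 - - [05/Mar/2026:09:00:00 +0000] "GET /api/v1/login HTTP/1.1" 200 512 port=8443 tls=TLSv1.3
203.0.113.7 - - [06/Mar/2026:11:15:00 +0000] "GET /healthz HTTP/1.1" 200 2 port=443 tls=TLSv1.3
85.217.140.9 - - [11/Mar/2026:20:58:02 +0000] "GET /api/v1/namespace HTTP/1.1" 401 27 port=8443 tls=TLSv1.2
85.217.140.9 - - [11/Mar/2026:20:59:40 +0000] "GET /index.html HTTP/1.1" 404 153 port=4443 tls=TLSv1.2
"""

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `exposed_paths` field is the part to act on first: a 401 or 403 on a dashboard login endpoint tells the scanner the interface exists and is reachable from the internet, which is exactly the exposure the recommendations below ask to remove, whereas a 404 on `/remote/login` only confirms no FortiGate login page was found on that port.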
IOCs
IP:85.217.140.9
ASN:209334
COUNTRY:FR
Recommendations
  • Block 85.217.140.9 and monitor AS209334 (Modat B.V.) for additional malicious activity
  • Implement enhanced authentication controls on Kubernetes dashboards and restrict public exposure
  • Review FortiGate device configurations and ensure latest security patches are applied
  • Deploy additional monitoring for unauthorized access attempts on container orchestration platforms
  • Conduct security assessment of internet-facing infrastructure management interfaces
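As an added example that is not part of the original report, this Python check audits a Kubernetes Dashboard Service and Deployment (in the JSON shape `kubectl get -o json` produces) for the public exposure and weak-authentication settings the second recommendation targets, and shows a weak configuration beside a hardened one. The manifests are constructed, and the flag names (`--enable-skip-login`, `--enable-insecure-login`, `--authentication-mode`) are assumed to be those of the upstream kubernetes-dashboard v2 binary.

```python
"""Audit a Kubernetes Dashboard Service and Deployment for the public-exposure
and weak-authentication settings a hardening review should flag."""
import json

# ASSUMPTION: flag names follow the upstream kubernetes-dashboard v2 binary;
# verify against the version you run.
WEAK_FLAGS = {
    "--enable-skip-login": "login can be skipped, giving anonymous dashboard access",
    "--enable-insecure-login": "credentials are accepted over plaintext HTTP",
}
PUBLIC_SERVICE_TYPES = {"NodePort", "LoadBalancer"}


def flag_value(arg):
    """Split '--flag=value' (or a bare boolean '--flag', meaning true) into (flag, value)."""
    flag, _, value = arg.partition("=")
    return flag, (value or "true").lower()


def audit_dashboard(service, deployment):
    """Return a sorted list of (severity, finding) tuples; an empty list is clean."""
    findings = []
    svc_type = service.get("spec", {}).get("type", "ClusterIP")
    if svc_type in PUBLIC_SERVICE_TYPES:
        findings.append(("high", f"Service type {svc_type} exposes the dashboard outside the cluster"))
    containers = deployment.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    for container in containers:
        for arg in container.get("args", []):
            flag, value = flag_value(arg)
            if flag in WEAK_FLAGS and value != "false":
                findings.append(("high", f"{flag}: {WEAK_FLAGS[flag]}"))
            if flag == "--authentication-mode" and "basic" in value.split(","):
                findings.append(("medium", "--authentication-mode includes basic auth; prefer token only"))
    return sorted(findings)


# Constructed manifests in 'kubectl get -o json' shape, not from a real cluster.
WEAK_SERVICE = json.loads("""
{"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
 "spec": {"type": "NodePort", "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30443}]}}
""")
WEAK_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "kubernetes-dashboard"},
 "spec": {"template": {"spec": {"containers": [{"name": "kubernetes-dashboard",
   "args": ["--auto-generate-certificates", "--enable-skip-login", "--enable-insecure-login",
            "--authentication-mode=token,basic", "--namespace=kubernetes-dashboard"]}]}}}}
""")
# Hardened: cluster-internal Service (reach it via kubectl proxy / port-forward
# or an authenticating ingress) and no flags that weaken or bypass login.
HARDENED_SERVICE = json.loads("""
{"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
 "spec": {"type": "ClusterIP", "ports": [{"port": 443, "targetPort": 8443}]}}
""")
HARDENED_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "kubernetes-dashboard"},
 "spec": {"template": {"spec": {"containers": [{"name": "kubernetes-dashboard",
   "args": ["--auto-generate-certificates", "--enable-skip-login=false",
            "--authentication-mode=token", "--namespace=kubernetes-dashboard"]}]}}}}
""")

if __name__ == "__main__":
    for label, svc, dep in (("weak", WEAK_SERVICE, WEAK_DEPLOYMENT),
                            ("hardened", HARDENED_SERVICE, HARDENED_DEPLOYMENT)):
        print(f"{label}: {audit_dashboard(svc, dep) or 'no findings'}")
```

A ClusterIP Service alone does not guarantee the dashboard is unreachable from the internet (an Ingress or a misconfigured load balancer can still publish it), so run the same check against any Ingress objects that route to the Service, and confirm the Kubernetes API server's NodePort range is not open on the edge firewall.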