87.121.79.222

Summary (Bottom Line Up Front)

IP address 87.121.79.222 (Netherlands/AS213725) conducted extensive reconnaissance activity from March 30 to April 5, 2026, targeting SSH, VNC, and Kubernetes infrastructure with 1,569 recorded events across 14 unique ports. The campaign demonstrates systematic scanning behavior with particular focus on container orchestration platforms, assessed as MEDIUM threat level with 75% confidence. Organizations should immediately audit exposed Kubernetes APIs and implement enhanced monitoring for reconnaissance activities.

Tags: BACnet, HTTP, SSH, TCP, TCP/SYN, VNC, auto, http, https
Activity Timeline
UPDATE 1 (2026-04-05T10:34:07Z)
Source: Analyst Manual Entry
IP address 87.121.79.222 (Netherlands/AS213725) conducted extensive reconnaissance activity from March 30 to April 5, 2026, targeting SSH, VNC, and Kubernetes infrastructure with 1,569 recorded events across 14 unique ports. The campaign demonstrates systematic scanning behavior with particular focus on container orchestration platforms, assessed as MEDIUM threat level with 75% confidence. Organizations should immediately audit exposed Kubernetes APIs and implement enhanced monitoring for reconnaissance activities.
New findings
Attack Vector: Multi-protocol reconnaissance campaign spanning SSH (port 22), VNC services, and Kubernetes kubelet read-only API (port 10255)
Volume: 1,569 events over 6-day period (March 30 00:00 - April 5 08:00, 2026)
Protocols: BACnet, HTTP/HTTPS, SSH, TCP, VNC targeting 14 unique destination ports
MITRE Mapping: T1046 (Network Service Scanning) - Reconnaissance phase activity
Key Indicators: Go-http-client user agent targeting port 10255/HTTPS, SSH banner exchanges (42 instances), VNC authentication attempts (21 instances)
Threat Assessment: External reconnaissance likely precursor to container infrastructure exploitation attempts
IOCs: 87.121.79.222 (AbuseIPDB score: 100/100, ASN: AS213725/03AI, Lelystad, NL)
Recommendations
  • Immediately audit and restrict access to Kubernetes kubelet read-only API (port 10255) - disable if not required or implement proper authentication
  • Deploy enhanced monitoring for reconnaissance patterns targeting container orchestration platforms, particularly Go-http-client user agents on non-standard ports
  • Review and harden SSH configurations including fail2ban implementation and key-based authentication enforcement
  • Implement network segmentation to isolate container infrastructure from external reconnaissance attempts
  • Block traffic from 87.121.79.222 and monitor for similar scanning patterns from AS213725 address space
INITIAL REPORT (2026-04-04T09:24:23Z)
Source: Analyst Manual Entry
Threat actor operating from Netherlands-based infrastructure (87.121.79[.]222) conducted sustained multi-protocol reconnaissance targeting SSH, VNC, and web services over a 5-day period ending April 4, 2026. Activity assessed as automated scanning with low sophistication but persistent volume (1,379+ events). Organizations should verify VNC exposure and implement enhanced monitoring for credential-based attacks.
Technical details
Source Infrastructure: AS213725 (03AI) hosting provider in Lelystad, Netherlands, with maximum AbuseIPDB reputation score indicating established malicious activity.
Attack Vector: Multi-protocol scanning campaign targeting 14 unique destination ports with focus on remote access services.
Primary Techniques: SSH banner enumeration (35 instances), VNC authentication attempts (18 instances), and HTTP reconnaissance using Go-http-client user agent (19 instances).
MITRE Mapping: T1046 (Network Service Scanning) and T1110 (Brute Force) techniques observed.
Key IOCs: Source IP 87.121.79[.]222, Go-http-client user agent string, targeting of ports 22/SSH, 5900/VNC, and 10255/HTTPS.
IOCs
IP: 87.121.79.222
ASN: 213725
COUNTRY: NL
Recommendations
  • Implement network segmentation to restrict VNC protocol access to authorized management networks only
  • Deploy fail2ban or equivalent automated blocking for repeated SSH and VNC authentication failures
  • Monitor for Go-http-client user agent strings in web server logs as potential reconnaissance indicator
  • Verify VNC services are not unnecessarily exposed to internet-facing networks
  • Consider blocking AS213725 network ranges if no legitimate business requirements exist for this provider
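The recommendations in both entries ask for two concrete detections: requests carrying the Go-http-client user agent against the kubelet read-only port (10255), and any traffic from the reported IOC address or a source touching many ports. The script below is an added example written for this report, not tooling from the analyst or any vendor. It assumes a hypothetical nginx access-log format that appends `$server_port` after the user agent, a placeholder internal range (10.0.0.0/8) used to suppress legitimate in-cluster Go clients, and a deliberately low multi-port threshold so the constructed sample lines trigger it; the log lines themselves are constructed and embed the IOC from the IOCs section.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed nginx log_format that appends the
# server port, i.e.:
# '$remote_addr - - [$time_local] "$request" $status $body_bytes_sent '
# '"$http_referer" "$http_user_agent" $server_port'
SAMPLE_LOG = """\
87.121.79.222 - - [02/Apr/2026:03:14:07 +0000] "GET /pods HTTP/1.1" 200 5123 "-" "Go-http-client/1.1" 10255
87.121.79.222 - - [02/Apr/2026:03:14:09 +0000] "GET /metrics HTTP/1.1" 200 8841 "-" "Go-http-client/1.1" 10255
87.121.79.222 - - [02/Apr/2026:03:15:01 +0000] "GET / HTTP/1.1" 404 153 "-" "Go-http-client/1.1" 443
10.0.4.17 - - [02/Apr/2026:03:16:22 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29" 10255
203.0.113.9 - - [02/Apr/2026:03:17:45 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 443
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)

KUBELET_READONLY_PORT = 10255
KNOWN_BAD_IPS = {"87.121.79.222"}            # IOC taken from this report
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # placeholder internal range
SCAN_PORT_THRESHOLD = 2   # distinct ports per source; set low for the small sample


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Run the three detections over a block of log text and return a list of findings."""
    findings = []
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # skip lines that do not fit the format
        port = int(rec["port"])
        ports_by_src[rec["src"]].add(port)

        # Detection 1: any request from a known-bad source address.
        if rec["src"] in KNOWN_BAD_IPS:
            findings.append({"rule": "ioc_match", "src": rec["src"],
                             "port": port, "path": rec["path"]})

        # Detection 2: Go's default user agent hitting the kubelet read-only port
        # from outside the cluster. Internal Go tooling also sends Go-http-client,
        # so internal ranges are allowlisted to keep this rule quiet in normal use.
        if (port == KUBELET_READONLY_PORT
                and rec["ua"].startswith("Go-http-client")
                and not is_internal(rec["src"])):
            findings.append({"rule": "kubelet_readonly_probe", "src": rec["src"],
                             "port": port, "path": rec["path"]})

    # Detection 3: one source touching several distinct ports (T1046 pattern).
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append({"rule": "multi_port_scan", "src": src,
                             "ports": sorted(ports)})
    return findings


def summarize(findings):
    """Count findings per rule, the shape a dashboard or alert digest would want."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print(summarize(analyze(SAMPLE_LOG)))
```

The internal allowlist matters because Go-http-client is the default user agent of Go's net/http package, so kube-probe-style and other in-cluster Go clients produce the same string; without it the second rule is noisy. On the mitigation side, note that the kubelet read-only port serves unauthenticated endpoints such as /pods and /metrics by design and cannot be given authentication; the control that actually closes it is setting `readOnlyPort: 0` in the KubeletConfiguration (or `--read-only-port=0`) and relying on the authenticated kubelet port instead.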