Summary (Bottom Line Up Front)
Russian IP address 93.90.41.12 conducted sustained SMBv1 protocol negotiation attempts over 10 days, targeting network infrastructure with techniques associated with EternalBlue exploitation vectors. This activity represents HIGH risk reconnaissance likely linked to botnet operations seeking vulnerable SMB services. Immediate SMBv1 disablement and network segmentation review recommended.
Activity Timeline
INITIAL REPORT2026-03-15T09:50:39Z
Source: Analyst Manual Entry
Russian IP address 93.90.41.12 conducted sustained SMBv1 protocol negotiation attempts over 10 days, targeting network infrastructure with techniques associated with EternalBlue exploitation vectors. This activity represents HIGH risk reconnaissance likely linked to botnet operations seeking vulnerable SMB services. Immediate SMBv1 disablement and network segmentation review recommended.
Technical details
- Source: 93.90.41.12 (Russian Federation, AbuseIPDB score 100/100)
- Timeline: March 4-14, 2026 (10-day campaign, 21 total events)
- Protocols: SMBv1 negotiation attempts on port 445
- MITRE Technique: T1190 (Exploit Public-Facing Application)
- Kill Chain Phase: Reconnaissance
- CVE Association: CVE-2017-0144 (EternalBlue)
- Attack Patterns: SMBv1 detection signatures triggered 14 times across 2 unique destination ports
- Assessment: Consistent with automated botnet scanning for vulnerable SMB services
IOCs
IP:93.90.41.12
COUNTRY:RU
Recommendations
- Disable SMBv1 protocol across all Windows systems and network infrastructure immediately
- Implement network segmentation to restrict SMB traffic (ports 445, 139) from internet-facing interfaces
- Deploy enhanced monitoring for SMB protocol anomalies and unauthorized negotiation attempts
- Block traffic from 93.90.41.12 at perimeter firewalls and update threat intelligence feeds
- Conduct vulnerability assessment focusing on SMB service exposure and patch status for EternalBlue-related vulnerabilities