# Full Report

Most webhook scanning campaigns run from throwaway VPS instances. This one came from a full Kubernetes cluster with Envoy service mesh. Censys data showed consistent infrastructure across all source IPs—container orchestration, not opportunistic scanning.

Between January 27 and February 3, 2026, the GreyNoise Global Observation Grid tracked 33,270 HTTP requests targeting webhook endpoints. The traffic originated almost entirely from AS211590 (Bucklog SARL), a French hosting provider, concentrated in the 185.177.72.0/24 subnet. The campaign probed for vulnerable webhook implementations with a particular interest in file upload paths, document processing endpoints, and—notably—n8n workflow automation platforms via CVE-2026-21858.

## Campaign snapshot

| Attribute | Value |
| --- | --- |
| Total sessions | 33,270 |
| Time range | Jan 27 – Feb 3, 2026 |
| Primary ASN | AS211590 (Bucklog SARL) |
| Traffic share | 97.4% from single /24 subnet |
| Dominant user agent | curl/8.7.1 (97.4%) |
| HTTP method split | POST 95.9%, GET 4.1% |
| Peak activity | 70% within 2-hour window |

## The Kubernetes twist

Censys lookups on the top 10 source IPs returned consistent Kubernetes infrastructure across all nodes:

| Port | Service | Present on |
| --- | --- | --- |
| 10250 | Kubelet API | 10/10 IPs |
| 10256 | kube-proxy health | 10/10 IPs |
| 9964 | Envoy proxy | 10/10 IPs |
| 32362 | NodePort | 5/10 IPs |

All nodes run Debian 12 “Bookworm” with OpenSSH 9.2p1. The Envoy proxy presence indicates a service mesh deployment—likely Istio, Linkerd, or Consul Connect.

Operational implications:

- Rapid scalability. Containerized scanning tools deploy and destroy in seconds across 375+ IPs.
- Cost efficiency. Short-lived containers minimize infrastructure costs.
- Operational security. Container isolation complicates attribution and forensics.
- Multi-campaign support. A single cluster can run multiple concurrent scanning operations.

The exposed kubelet API on port 10250 is worth noting—if unauthenticated, it enables full node compromise.
Whether Bucklog SARL is aware their infrastructure is being used this way remains an open question.

## Attack methodology

Dictionary-based path enumeration with uniform request distribution: 67-69 requests per path across the target set. Automated tooling cycling through a predefined wordlist.

Top probed paths:

- /webhook/upload
- /webhook/api/file
- /webhook/backup
- /webhook/import
- /webhook/internal/import
- /webhook/admin/upload
- /webhook/documents
- /webhook/blob
- /webhook/storage

Pattern: file upload, document processing, and administrative import functions—paths most likely to accept arbitrary file uploads or expose path traversal vulnerabilities.

## n8n CVE-2026-21858 targeting

Forty sessions used an n8n-scanner/1.0 user agent—a specialized tool for probing n8n workflow automation platforms. The campaign targeted CVE-2026-21858, an arbitrary file access vulnerability in n8n webhook handlers that allows path traversal via malformed multipart/form-data requests.

Attack samples showed rapid-fire sequencing (one request per second) against n8n-specific endpoints:

- /webhook/internal/import
- /webhook/user/upload
- /webhook/admin/upload
- /webhook/admin/import
- /webhook/bulk
- /webhook/v1/files

The /proc filesystem probing (28,756 tag hits for “Generic /proc Enumeration Attempt”) suggests post-exploitation planning. Successful path traversal would enable access to /proc/self/environ (environment variables), /proc/self/cmdline (command-line arguments), and /proc/net/tcp (network connections)—all useful for credential harvesting and lateral movement.

## Tooling signatures

Consistent tooling fingerprints across 95%+ of traffic.

JA4H HTTP fingerprints:

| Fingerprint | Sessions | Share |
| --- | --- | --- |
| po11nn16enus_6291b5733205_... | 15,135 | 45.5% |
| po11nn17enus_4eb89d0aaebb_... | 13,631 | 41.0% |

Two curl variants account for 86.5% of traffic. The po11 prefix indicates POST requests with 11 header fields—consistent with curl defaults.
JA4T TCP fingerprint: the dominant fingerprint appeared in 95.9% of sessions and maps to Linux kernel 4.x+ with default curl TCP stack behavior and standard Ethernet MTU.

JA4T 95.9% consistency + curl 97.4% coverage = minimal tooling diversity across the IP range. It’s almost certainly the same actor, using the same infrastructure and same exact tooling.

## Temporal pattern

Activity concentrated in a narrow window on February 3:

- 13:00–14:00 UTC: 3,496 sessions (70%)
- 14:00–15:00 UTC: 1,504 sessions (30%)

Coordinated infrastructure spinup at 13:00 UTC, peak operations in the first hour, controlled teardown. Ephemeral container deployments minimize operational footprint and cost.

## Attribution assessment

Confidence: Medium

| Signal | Assessment |
| --- | --- |
| Infrastructure | Kubernetes cluster with service mesh (not opportunistic VPS) |
| Tooling | Consistent curl + specialized n8n scanner |
| Geographic concentration | 100% France, single ASN |
| Temporal coordination | 2-hour burst indicates orchestration |

Three scenarios:

1. Adversary-rented Kubernetes infrastructure (most likely). Threat actor renting Bucklog’s Kubernetes-as-a-Service for scanning operations. The service mesh deployment indicates sophisticated container orchestration.
2. Compromised customer cluster (less likely). A Bucklog customer’s Kubernetes deployment weaponized by attackers. The exposed kubelet API makes this possible, but the professional deployment suggests intentional setup.
3. Bucklog internal operations (highly unlikely). Contradicted by malicious tag classifications and unlikely operational practices.
## Indicators of compromise

Network indicators:

| Type | Values |
| --- | --- |
| Primary ASN | AS211590 (Bucklog SARL) |
| Subnet | 185.177.72.0/24 |
| Secondary ASN | AS16509 (Amazon AWS) |
| Primary user agent | curl/8.7.1 |
| Specialized tool | n8n-scanner/1.0 |

Targeted paths:

- /webhook/upload, /webhook/api/file, /webhook/import
- /webhook/admin/upload, /webhook/internal/import
- /webhook/v1/*, /webhook/v2/*

## Defensive recommendations

Immediate actions:

- Block AS211590 at the perimeter, specifically 185.177.72.0/24.
- Audit webhook implementations for path traversal vulnerabilities.
- Patch n8n installations against CVE-2026-21858.
- Monitor for n8n-scanner/1.0 user agent.

Detection rules:

- Alert on POST requests to /webhook/* paths exceeding 50 requests/hour from a single source.
- Flag curl user agents systematically probing file upload endpoints.
- Monitor for /proc/ filesystem references in HTTP request paths.

Webhook hardening:

- Implement strict input validation on multipart/form-data uploads.
- Require authentication on administrative webhook endpoints.
- Rate-limit webhook endpoints per source IP.
- Isolate webhook handlers with restricted egress.

## What’s next

The reconnaissance phase appears complete. Based on historical attack progression, we expect exploitation attempts within 7–14 days targeting any vulnerable endpoints identified during this sweep.

We’re continuing to track AS211590 for emerging campaigns. The Kubernetes infrastructure suggests this operator isn’t going anywhere—the cluster likely supports multiple concurrent scanning efforts beyond webhook targeting.

If you’re running n8n in production, now’s the time to audit those webhook configurations. The scanner already knows where to look.
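The three detection rules above (rate of POSTs to /webhook/*, curl probing upload paths, /proc/ references) implemented as log analysis over constructed access-log lines. This is an added example, not GreyNoise tooling; the combined log format, the per-hour bucketing, the documentation-range IPs and the sample lines are assumptions.

```python
"""Detection logic for the report's three webhook-scanning rules (added example,
not GreyNoise code). Assumes combined log format with a trailing user-agent
field; thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# File-upload style paths taken from the report's "top probed paths" list.
UPLOAD_PATHS = ("/webhook/upload", "/webhook/api/file", "/webhook/import",
                "/webhook/admin/upload", "/webhook/internal/import")
WEBHOOK_RATE_THRESHOLD = 50  # POST /webhook/* per source per hour (from the report)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines):
    """Apply the three rules; return alert name -> sorted list of source IPs."""
    per_hour = defaultdict(int)  # (ip, hour bucket) -> POST /webhook/* count
    curl_probers, proc_probers = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ua = rec["ip"], rec["path"], rec["ua"]
        if rec["method"] == "POST" and path.startswith("/webhook/"):
            per_hour[(ip, rec["ts"].strftime("%Y-%m-%dT%H"))] += 1
        if ua.lower().startswith("curl/") and path.split("?", 1)[0] in UPLOAD_PATHS:
            curl_probers.add(ip)
        if "/proc/" in unquote(path).lower():  # decode first to catch %2Fproc%2F
            proc_probers.add(ip)
    rate_hits = {ip for (ip, _), n in per_hour.items() if n > WEBHOOK_RATE_THRESHOLD}
    return {"webhook_rate": sorted(rate_hits),
            "curl_upload_probe": sorted(curl_probers),
            "proc_reference": sorted(proc_probers)}

# Constructed sample: one scanning source (documentation-range IP) and one benign client.
SAMPLE_LOG = [
    f'203.0.113.7 - - [03/Feb/2026:13:00:{i:02d} +0000] "POST {UPLOAD_PATHS[i % 5]} '
    'HTTP/1.1" 404 0 "-" "curl/8.7.1"' for i in range(60)
] + [
    '203.0.113.7 - - [03/Feb/2026:13:05:00 +0000] "GET /webhook/internal/import'
    '?file=..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 400 0 "-" "n8n-scanner/1.0"',
    '198.51.100.4 - - [03/Feb/2026:13:07:00 +0000] "POST /webhook/orders HTTP/1.1" '
    '200 12 "-" "Mozilla/5.0"',
]
```

Running `analyze(SAMPLE_LOG)` flags 203.0.113.7 under all three rules and leaves the benign client untouched.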
# Analysis Summary
# Tool/Technique: Curl (Automated Scanning Tool)
## Overview
Curl is used here as the primary HTTP client by the adversary to perform large-scale, systematic scanning against web service endpoints, specifically targeting webhook functionality. Its consistent use, combined with a uniform HTTP request structure (JA4H fingerprints sharing the `po11nn` prefix), indicates an automated scanning harness deployed within the Kubernetes cluster infrastructure.
## Technical Details
- Type: Attack Tool (Used in the context of reconnaissance/scanning)
- Platform: Linux (Inferred from Debian 12 host OS, used within containers)
- Capabilities: HTTP client capable of sending customized requests (GET/POST), forming the basis for dictionary-based path enumeration.
- First Seen: N/A, but the activity occurred between Jan 27 – Feb 3, 2026.
## MITRE ATT&CK Mapping
- T1595 - Active Scanning
- T1595.002 - Internet Scanning (For finding vulnerable services/endpoints)
## Functionality
### Core Capabilities
- Dictionary-based path enumeration against target webhook paths (e.g., `/webhook/upload`, `/webhook/import`).
- Uniform request distribution across the targeted path set.
- High volume traffic generation (33,270 requests tracked).
### Advanced Features
- High consistency in request structure, evidenced by dominant JA4H fingerprints (`po11nn16enus_...` and `po11nn17enus_...`), suggesting precise control over the `curl` parameters (specifically POST requests with 11 header fields).
- TCP behavior consistent with default Linux kernel 4.x+ stack and standard Ethernet MTU (JA4T fingerprint).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Primary ASN: AS211590 (Bucklog SARL)
  - Subnet: 185.177.72.0/24
- Behavioral Indicators:
  - Dominant User Agent: `curl/8.7.1` (97.4% share)
  - JA4H Fingerprints: `po11nn16enus_6291b5733205_...`, `po11nn17enus_4eb89d0aaebb_...`
  - Specific path probing behavior, especially targeting file upload/document processing endpoints.
## Associated Threat Actors
- Unknown threat actor utilizing sophisticated, ephemeral Kubernetes infrastructure.
## Detection Methods
- Signature-based detection: Alerting on the specific user agent `curl/8.7.1` when associated with high-frequency scanning patterns against `/webhook/*` paths.
- Behavioral detection: Alert on POST requests to `/webhook/*` paths exceeding 50 requests/hour from a single source.
- JA4 Fingerprint matching for `po11nnXX` signatures originating from the target subnet.
## Mitigation Strategies
- Rate-limit webhook endpoints per source IP.
- Implement strict input validation on incoming multipart/form-data uploads.
- Require authentication on administrative webhook endpoints.
## Related Tools/Techniques
- Other automated web application scanners that rely on custom HTTP requests.
***
# Tool/Technique: n8n-scanner/1.0
## Overview
A specialized scanning tool explicitly designed to probe workflow automation platforms, specifically n8n, for vulnerabilities. This tool was used to target a known vulnerability, CVE-2026-21858.
## Technical Details
- Type: Attack Tool (Specialized Scanner)
- Platform: N/A (Executed from the attacker's Kubernetes environment)
- Capabilities: Automated exploitation or verification of path traversal vulnerabilities within n8n webhook handlers.
- First Seen: Activity observed between Jan 27 – Feb 3, 2026.
## MITRE ATT&CK Mapping
- T1595 - Active Scanning
- T1595.002 - Internet Scanning
- T1190 - Exploit Public-Facing Application (If utilized to gain initial access, though here it serves primarily as reconnaissance leading to exploitation)
## Functionality
### Core Capabilities
- Targeting n8n-specific endpoints.
- Utilizing malformed `multipart/form-data` requests to trigger path traversal (related to CVE-2026-21858).
- Rapid-fire sequencing (one request per second) against identified n8n paths.
### Advanced Features
- Probes for file system access via HTTP requests: the high volume of `/proc` enumeration attempts immediately following the scanning suggests attempts to harvest credentials or configuration details after a successful path traversal.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - User Agent: `n8n-scanner/1.0` (seen in 40 sessions).
  - Targeted Paths: `/webhook/internal/import`, `/webhook/user/upload`, `/webhook/admin/upload`, `/webhook/admin/import`, `/webhook/bulk`, `/webhook/v1/files`.
- Behavioral Indicators:
  - Probing for resources under the `/proc` filesystem (e.g., `/proc/self/environ`, `/proc/self/cmdline`).
## Associated Threat Actors
- Unknown threat actor focusing on workflow automation platforms.
## Detection Methods
- Signature-based detection: Monitoring for the specific user agent string `n8n-scanner/1.0`.
- Behavioral detection: Alerting on sequential requests to n8n-specific webhook paths followed by anomalous references to system file paths in request parameters or response bodies (if observable).
## Mitigation Strategies
- Immediately patch n8n installations against CVE-2026-21858.
- Review and restrict the functionality of webhook handlers, especially those accepting `multipart/form-data`.
## Related Tools/Techniques
- General configuration scanners; vulnerability scanners customized for specific application versions.
***
# Technique: Kubernetes/Container Orchestration for Scanning Operations
## Overview
The use of a full Kubernetes cluster managed via an Envoy service mesh, rather than typical disposable Virtual Private Servers (VPS), demonstrates a highly scalable, resilient, and professional approach to reconnaissance operations.
## Technical Details
- Type: Technique (Infrastructure/Operational Methodology)
- Platform: Kubernetes Environment (running on Debian 12 hosts)
- Capabilities: Rapid deployment, scaling (evidenced by activity across 375+ IPs), cost-efficient use of ephemeral resources, and operational security through container isolation.
## MITRE ATT&CK Mapping
- T1078 - Valid Accounts (Indirectly related if the K8s cluster was rented/compromised)
- T1046 - Network Service Scanning (Executed via the containerized tools)
- T1564.003 - Virtualization/Emulation (Containerization/Orchestration)
## Functionality
### Core Capabilities
- Rapid scalability of scanning tools deployed within ephemeral containers.
- Infrastructure consistency across source IPs (presence of Kubelet 10250, kube-proxy 10256, Envoy 9964).
- Traffic concentration originating from a single French hosting provider (AS211590), suggesting rented infrastructure-as-a-service.
### Advanced Features
- Deployment via a Service Mesh (Envoy implies Istio, Linkerd, or Consul Connect), enabling complex traffic management and potentially obfuscation.
- Exposure of critical infrastructure components (e.g., unauthenticated Kubelet API on port 10250), indicating either intentional operational risk or a lapse in cluster hardening.
## Indicators of Compromise
- Network Indicators: Consistent presence of K8s/Service Mesh ports (10250, 10256, 9964) in external network traffic captures from the source IPs.
- Behavioral Indicators: Extremely coordinated temporal activity (70% of traffic in a 2-hour window) coupled with infrastructure consistency, indicating orchestrated deployment/teardown.
## Associated Threat Actors
- Sophisticated actors capable of deploying and managing container orchestration platforms for malicious purposes.
## Detection Methods
- Infrastructure monitoring: Censys/Shodan/GreyNoise alerts on large subnets exhibiting consistent container orchestration services (especially an exposed Kubelet API).
- Network flow analysis showing traffic originating from a constrained /24 subnet exhibiting machine-like uniformity (JA4T/JA4H).
## Mitigation Strategies
- Geographic filtering/blocking of known malicious ASNs or subnets, if appropriate for organizational risk tolerance (Immediate action: Block 185.177.72.0/24).
- Ensure Kubelet APIs (Port 10250) are never exposed externally or are strictly authenticated.
- Harden ingress/egress controls for all containerized web services.
## Related Tools/Techniques
- Infrastructure-as-Code deployment (used to provision the cluster quickly).
- Techniques leveraging cloud provider resources for anonymity.
***
# Technique: Exploitation of CVE-2026-21858 (n8n Path Traversal)
## Overview
This technique focuses on exploiting a specific, likely recent, arbitrary file access vulnerability (CVE-2026-21858) in n8n workflow automation platforms, achieved via improperly handled `multipart/form-data` requests leading to path traversal.
## Technical Details
- Type: Technique (Vulnerability Exploitation/Reconnaissance)
- Platform: n8n Workflow Automation Platform
- Capabilities: Allows the attacker to read arbitrary files on the host system where n8n is running.
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1190.002 - Exploit Application Vulnerability
## Functionality
### Core Capabilities
- Path traversal initiated through specially crafted HTTP requests targeting n8n handlers.
- Goal is identifying sensitive data via known paths (e.g., accessing environmental variables, network configuration).
### Advanced Features
- The follow-up probing of the `/proc` filesystem strongly validates the success of the path traversal technique, linking the initial vulnerability finding to post-exploitation steps like credential harvesting (`/proc/self/environ`).
## Indicators of Compromise
- Behavioral Indicators: Successful probing of `/proc/self/environ`, `/proc/self/cmdline`, or `/proc/net/tcp` accessed via webhook request paths or parameter injection.
## Associated Threat Actors
- Actors specifically targeting workflow and integration automation tools like n8n.
## Detection Methods
- Application Logging: Monitor n8n application logs for repeated, malformed `multipart/form-data` payloads targeting file upload/import endpoints.
- File Access Monitoring: Alert on any attempts by the n8n process to access files under `/proc/` unless those accesses are normal operational events documented in the application's baseline.
## Mitigation Strategies
- Patching n8n to resolve CVE-2026-21858 is paramount.
- Implement file list validation and strict path sanitization for all file upload functionality, rejecting requests containing directory traversal sequences (`..`, `%2e%2e/`, etc.).
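One way to apply the path-sanitization mitigation above to a multipart upload handler, as an added example (not n8n's code and not the CVE-2026-21858 fix): the client-supplied filename is percent-decoded until stable, checked for separators and `..`, matched against an allow-list, and the final path is confirmed to sit under the upload root. `UPLOAD_ROOT` and the allow-list pattern are assumptions.

```python
"""Upload filename validation implementing the report's path-sanitization advice
(added example, not n8n's code or the CVE-2026-21858 fix). UPLOAD_ROOT and the
allow-list are assumptions."""
import re
from pathlib import Path
from urllib.parse import unquote

UPLOAD_ROOT = Path("/var/app/uploads")  # assumed upload directory
# Conservative allow-list: alnum first, then alnum/dot/underscore/hyphen, max 128 chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must be rejected."""

def canonical_filename(raw):
    """Return a safe basename for a multipart 'filename' field, or raise.

    Percent-decodes until stable (catches %2e%2e and double-encoded %252e),
    then rejects NUL bytes, path separators, '..' sequences and any
    character outside the allow-list."""
    decoded = raw
    for _ in range(3):  # bounded; anything still encoded after this fails the allow-list
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "/" in decoded or "\\" in decoded:
        raise UnsafeFilename(f"separator or NUL in {raw!r}")
    if ".." in decoded:
        raise UnsafeFilename(f"traversal sequence in {raw!r}")
    if not SAFE_NAME.match(decoded):
        raise UnsafeFilename(f"disallowed characters in {raw!r}")
    return decoded

def is_safe_filename(raw):
    """Boolean wrapper around canonical_filename for request filters."""
    try:
        canonical_filename(raw)
        return True
    except UnsafeFilename:
        return False

def resolve_upload_target(raw, root=UPLOAD_ROOT):
    """Build the destination path and confirm it stays inside root (defence in depth)."""
    root_resolved = root.resolve()
    target = (root_resolved / canonical_filename(raw)).resolve()
    if root_resolved not in target.parents:
        raise UnsafeFilename(f"{target} escapes {root_resolved}")
    return target
```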
## Related Tools/Techniques
- General path traversal exploitation techniques.