[nsp-sec] Cisco customers experiencing grief from 212.73.150.63

Dario Ciccarone (dciccaro) dciccaro at cisco.com
Thu Sep 19 14:08:19 EDT 2019


Folks:

As the subject says – some of our customers are having a hard time of it thanks to 212.73.150.63. This IP address is connecting to our customers’ ASA devices on port 443/tcp, and triggering CSCvi16029 – which was released as part of a Cisco Security Advisory back in 2018 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

We have seen a significant spike in crashes in the last two weeks, and TAC has been able to track those down to connections from this IP address. The vulnerability characteristics are such that we can rule out these crashes being triggered “by accident” – we are pretty sure these connections are either attempts to find Cisco ASA devices affected by this vulnerability, OR attempts to exploit a similar vulnerability in someone else’s device. But they’re certainly not benign.

We have contacted the abuse contact listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an answer to our contact attempts. I’m hence reaching out to the nsp-sec constituency with two questions:


  1.  Is this netblock, or this SP, in any way known for hosting miscreants? (and yes, we’re also working w/ TALOS on this)
  2.  Does anyone here have a method to reach out to the owner of this netblock, which has been tried before and been successful? Our request would be for this activity to stop, or at least to be able to talk to whoever is sending these probes to try to make them stop. We have seen similar behavior before when universities or individuals attempt Internet-wide scans for “something”, and that something may end up triggering a vulnerability in our devices.

Yes, TAC is advising customers to deploy ACLs to drop connections from this IP address – that still leaves an unknown number of customers open to exploitation: those that have not crashed but will eventually crash when they get their turn.

Thanks in advance for any help you can provide!

Dario
