[nsp-sec] Cisco customers experiencing grief from 212.73.150.63

Barry Greene bgreene at senki.org
Thu Sep 19 16:39:14 EDT 2019


What if we did an ask to selectively Black Hole 212.73.150.63?


> On Sep 19, 2019, at 1:32 PM, Dario Ciccarone (dciccaro) <dciccaro at cisco.com> wrote:
> 
> ----------- nsp-security Confidential --------
> 
> Gerard:
> 
> 	Thanks for getting back to me on this!
> 
> 	And thanks for sharing this information - we appreciate the confirmation this activity cannot be considered "benign" or "well intentioned"
> 
> 	We will continue with our attempts to somehow establish a communication channel with this SP, and hopefully get to the bottom of this.
> 
> 	Thanks again,
> 	Dario
> 
> 
> 
> On 9/19/19, 4:05 PM, "White, Gerard" <gerard.white at bellaliant.ca> wrote:
> 
>    Greetings.
> 
>    Definitely not port scanning; this /32 is doing "selective" hits... it appears to be operating on a specific "list" of targets. It makes 2 attempts per target using 2 sequential TCP sockets.
> 
>    GW
> 
>    -----Original Message-----
>    From: nsp-security <nsp-security-bounces at puck.nether.net> On Behalf Of Dario Ciccarone (dciccaro)
>    Sent: September-19-19 2:08 PM
>    To: nsp-security at puck.nether.net
>    Subject: [EXT][nsp-sec] Cisco customers experiencing grief from 212.73.150.63
> 
>    ----------- nsp-security Confidential --------
> 
>    Folks:
> 
>    As the subject says – some of our customers are having a hard time of it thanks to 212.73.150.63. This IP address is connecting to our customers' ASA devices on port 443/tcp and triggering CSCvi16029, which was released as part of a Cisco Security Advisory back in 2018 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
> 
>    We have seen a significant spike in crashes in the last two weeks, and TAC has been able to track those down to connections from this IP address. The vulnerability characteristics are such that we can rule out these crashes being triggered "by accident" – we are pretty sure these connections are either attempts to find Cisco ASA devices affected by this vulnerability, OR attempts to exploit a similar vulnerability in someone else's device. But they're certainly not benign.
> 
>    We have contacted the abuse contact listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an answer to our contact attempts. I'm hence reaching out to the nsp-sec constituency with two questions:
> 
> 
>      1.  Is this netblock, or this SP, in any way known for hosting miscreants? (And yes, we're also working w/ TALOS on this.)
>      2.  Does anyone here have a method to reach out to the owner of this netblock that has been tried before and been successful? Our request would be for this activity to stop, or at least to be able to talk to whoever is sending these probes to try to make them stop. We have seen similar behavior before when universities or individuals attempt Internet-wide scans for "something", and that something may end up triggering a vulnerability in our devices.
> 
>    Yes, TAC is advising customers to deploy ACLs to drop connections from this IP address – that still leaves an unknown number of customers open to exploitation: those that have not crashed but will eventually crash when they get their turn.
> 
>    Thanks in advance for any help you can provide!
> 
>    Dario
> 
> 
> 
> 
>    _______________________________________________
>    nsp-security mailing list
>    nsp-security at puck.nether.net
>    https://puck.nether.net/mailman/listinfo/nsp-security
> 
>    Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
>    _______________________________________________
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20190919/e09925f6/attachment.sig>
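The traffic pattern described in the thread, two connections per target from sequential TCP sockets against a fixed list of hosts, can be told apart from a port scan or an Internet-wide sweep with a little bookkeeping over connection records. The following is an added example, not code from the thread or from Cisco or Bell Aliant. The record format and the sample flows are constructed for it (the source address is the one named in the thread, the destinations are from documentation ranges), and the classification thresholds are illustrative rather than tuned.

```python
"""Distinguish a target-list probe from a port scan or an address sweep.

Added example, not part of the nsp-security thread. It turns the observation
in the thread (a /32 making two attempts per target from two sequential TCP
sockets, against a specific list of hosts) into a check that can be run over
connection records. The records below are constructed for this example; the
field layout is a simplified "src:sport -> dst:dport" line, not the native
log format of any product.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample. 212.73.150.63 is the source named in the thread; the
# destination addresses are from documentation ranges. The second source is a
# classic port scanner, the third an address sweep on one port.
SAMPLE_FLOWS = """\
212.73.150.63:51234 -> 198.51.100.10:443
212.73.150.63:51235 -> 198.51.100.10:443
212.73.150.63:51236 -> 203.0.113.77:443
212.73.150.63:51237 -> 203.0.113.77:443
212.73.150.63:51238 -> 192.0.2.200:443
212.73.150.63:51239 -> 192.0.2.200:443
198.51.100.250:40000 -> 192.0.2.1:22
198.51.100.250:40001 -> 192.0.2.1:80
198.51.100.250:40002 -> 192.0.2.1:443
198.51.100.250:40003 -> 192.0.2.1:8080
203.0.113.9:33001 -> 192.0.2.1:443
203.0.113.9:33002 -> 192.0.2.2:443
203.0.113.9:33003 -> 192.0.2.3:443
203.0.113.9:33004 -> 192.0.2.4:443
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src:sport -> dst:dport' lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        left, right = (part.strip() for part in line.split("->"))
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        flows.append(Flow(src, int(sport), dst, int(dport)))
    return flows


def _sequential(ports: list[int]) -> bool:
    """True when the ports form a single run of consecutive integers."""
    ports = sorted(ports)
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


def profile_source(flows: list[Flow], src: str) -> dict:
    """Summarise one source: targets, ports, attempts per target, port pattern."""
    mine = [f for f in flows if f.src == src]
    per_target: dict[str, list[int]] = defaultdict(list)
    for f in mine:
        per_target[f.dst].append(f.sport)
    attempts = {len(v) for v in per_target.values()}
    return {
        "targets": len(per_target),
        "dports": sorted({f.dport for f in mine}),
        "attempts_per_target": sorted(attempts),
        # Sequential source ports within each target's burst is the
        # "2 sequential TCP sockets" pattern described in the thread.
        "paired_sequential": bool(mine)
        and all(_sequential(v) for v in per_target.values()),
    }


def classify(profile: dict) -> str:
    """Label a source profile. Thresholds are illustrative, not tuned."""
    if len(profile["dports"]) >= 3 and profile["targets"] <= 2:
        return "port-scan"
    if len(profile["dports"]) == 1:
        k = profile["attempts_per_target"]
        if k == [1] and profile["targets"] >= 3:
            return "address-sweep"
        if len(k) == 1 and k[0] >= 2 and profile["paired_sequential"]:
            return f"target-list:{k[0]}-attempts-per-target"
    return "indeterminate"


def classify_all(text: str) -> dict[str, str]:
    """Classify every source present in a record set."""
    flows = parse_flows(text)
    return {src: classify(profile_source(flows, src))
            for src in sorted({f.src for f in flows})}


if __name__ == "__main__":
    for src, label in classify_all(SAMPLE_FLOWS).items():
        print(f"{src:16} {label}")
```

Run stand-alone, it labels 212.73.150.63 as a target-list probe with two attempts per target, the second constructed source as a port scan and the third as an address sweep. The per-source profile is also what you want next to the ACL the thread mentions: a source walking a fixed list is worth reporting to the netblock's abuse contact together with the list of targets it hit, which a bare connection count does not give you.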