[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
Rabbi Rob Thomas
robt at cymru.com
Thu Sep 19 16:49:58 EDT 2019
Dear Dario,
I agree with Gerard, our sensors show the same. I'm waiting for
another query to complete, but initial results for the past 24-ish
hours show it visiting DE, BH, ES, FR, IN, SA, and BG. Very few of
those visits were to non-responsive targets.
It's an odd one in that this TCP 443 activity is all we see it doing.
It isn't being used as a proxy, visiting other sites on other ports,
etc. Again, that's for the past 24-ish hours.
Possibly more to come!
Be well,
Rob.
On 9/19/19 4:04 PM, White, Gerard wrote:
> ----------- nsp-security Confidential --------
>
> Greetings.
>
> Definitely not port scanning, this /32 is doing "selective" hits...
> appears to be operating on a specific "list" of targets. Makes 2
> attempts per target using 2 sequential TCP sockets.
>
> GW
>
> -----Original Message-----
> From: nsp-security <nsp-security-bounces at puck.nether.net> On Behalf Of Dario Ciccarone (dciccaro)
> Sent: September-19-19 2:08 PM
> To: nsp-security at puck.nether.net
> Subject: [EXT][nsp-sec] Cisco customers experiencing grief from 212.73.150.63
>
> ----------- nsp-security Confidential --------
>
> Folks:
>
> As the subject says – some of our customers are having a hard time
> of it thanks to 212.73.150.63. This IP address is connecting to our
> customers’ ASA devices on port 443/tcp, and triggering CSCvi16029 –
> which was released as part of a Cisco Security Advisory back in
> 2018 -
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
>
> We have seen a significant spike in crashes in the last two weeks,
> and TAC has been able to track those down to connections from this
> IP address. The vulnerability characteristics are such that we can
> rule out these crashes being triggered “by accident” – we are pretty
> sure these connections are either attempts to find Cisco ASA
> devices affected by this vulnerability, OR attempts to exploit a
> similar vulnerability in someone else’s device. But they’re
> certainly not benign.
>
> We have contacted the abuse contact listed in WHOIS
> ('abuse at vpsag.com') but we have NOT YET received an answer to our
> contact attempts. I’m hence reaching out to the nsp-sec
> constituency with two questions :
>
>
> 1. Is this netblock, or this SP, in any way known for hosting
> miscreants ? (and yes, we’re also working w/ TALOS on this)
>
> 2. Does anyone here have a method to reach out to the owner of this
> netblock, which has been tried before and been successful ? Our
> request would be for this activity to stop, or at least, being able
> to talk to whoever is sending these probes to try to make them
> stop. We have seen before similar behavior when universities or
> individuals attempt Internet-wide scans for “something”, and that
> something may end up triggering a vulnerability in our devices.
>
> Yes, TAC is instructing customers to deploy ACLs to drop connections
> from this IP address – that still leaves an unknown number of
> customers open to exploitation: those that have not crashed but
> will eventually crash when they get their turn.
>
> Thanks in advance for any help you can provide !
>
> Dario
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
--
Rabbi Rob Thomas, Team Cymru
"It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
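The thread describes a single source that "selectively" hits tcp/443 on a list of targets, two sequential connections per target, and the interim mitigation TAC gave customers (an ACL dropping the source). The script below is an added example, not code from this thread, from Team Cymru or from Cisco: it runs that behavioural description over constructed connection records (the log format, the thresholds, the target addresses from the RFC 5737 documentation ranges and the ACL name OUTSIDE_IN are all assumptions made for the example) and, for any source that matches, emits the ASA extended ACE a defender would use to drop it. Only the flagged address, 212.73.150.63, is taken from the thread.

```python
"""Flag sources that probe tcp/443 on many distinct targets with exactly two
back-to-back connections per target, then emit a deny ACE for each.

Added example; log lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp src dst dport proto".
# 212.73.150.63 is the source discussed in the thread; the targets are
# documentation addresses. 203.0.113.5 is a benign repeat client to one
# host; 203.0.113.9 is a monitor that touches each host once.
SAMPLE_LOG = """\
2019-09-19T14:00:01Z 212.73.150.63 198.51.100.10 443 tcp
2019-09-19T14:00:02Z 212.73.150.63 198.51.100.10 443 tcp
2019-09-19T14:00:07Z 212.73.150.63 198.51.100.21 443 tcp
2019-09-19T14:00:08Z 212.73.150.63 198.51.100.21 443 tcp
2019-09-19T14:00:15Z 212.73.150.63 198.51.100.33 443 tcp
2019-09-19T14:00:16Z 212.73.150.63 198.51.100.33 443 tcp
2019-09-19T14:00:20Z 203.0.113.5 198.51.100.10 443 tcp
2019-09-19T14:00:21Z 203.0.113.5 198.51.100.10 443 tcp
2019-09-19T14:00:22Z 203.0.113.5 198.51.100.10 443 tcp
2019-09-19T14:01:00Z 203.0.113.9 198.51.100.10 443 tcp
2019-09-19T14:01:01Z 203.0.113.9 198.51.100.21 443 tcp
2019-09-19T14:01:02Z 203.0.113.9 198.51.100.33 443 tcp
2019-09-19T14:01:10Z 203.0.113.9 198.51.100.40 80 tcp
"""


def parse_records(text):
    """Parse whitespace-separated connection lines; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto.lower(),
        })
    return records


def find_selective_probers(records, dport=443, min_targets=3,
                           pair_window_s=5.0, min_pair_ratio=0.8):
    """Return {src: sorted targets} for sources whose tcp/<dport> activity is
    two connections per target within pair_window_s seconds, across at least
    min_targets distinct targets (min_pair_ratio tolerates a few targets that
    only saw one attempt, e.g. non-responsive hosts)."""
    stamps_by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == dport:
            stamps_by_pair[(r["src"], r["dst"])].append(r["ts"])

    paired_by_src = defaultdict(dict)  # src -> {dst: looked like a 2-socket pair}
    for (src, dst), stamps in stamps_by_pair.items():
        stamps.sort()
        spread = (stamps[-1] - stamps[0]).total_seconds()
        paired_by_src[src][dst] = (len(stamps) == 2 and spread <= pair_window_s)

    flagged = {}
    for src, targets in paired_by_src.items():
        if len(targets) < min_targets:
            continue
        ratio = sum(targets.values()) / len(targets)
        if ratio >= min_pair_ratio:
            flagged[src] = sorted(targets)
    return flagged


def asa_deny_ace(src, acl_name="OUTSIDE_IN", dport=443):
    """One Cisco ASA extended ACE dropping tcp/<dport> from the flagged host."""
    return f"access-list {acl_name} extended deny tcp host {src} any eq {dport}"


if __name__ == "__main__":
    for src, targets in find_selective_probers(parse_records(SAMPLE_LOG)).items():
        print(f"{src} probed {len(targets)} targets: {', '.join(targets)}")
        print(asa_deny_ace(src))
```

The pairing check is what separates this pattern from ordinary scanning or from a legitimate repeat client: a client that reconnects to one host many times never reaches `min_targets`, and a monitor that touches many hosts once never reaches `min_pair_ratio`. The ACE is printed rather than applied; whether it belongs on the interface ACL or on a control-plane ACL for traffic to the ASA itself depends on the device's version and configuration, which this example does not assume.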