[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
Dario Ciccarone (dciccaro)
dciccaro at cisco.com
Thu Sep 19 23:24:26 EDT 2019
Thanks much, Krista ! What kind of classification are you applying to this data ? As I told Rob, we're working with many other teams @ Cisco - and while it would certainly be helpful being able to share this data, I would certainly abide by whichever classification you set on it.
And yeah, thanks also to other data we've collected, we see a lot of funny hostnames within that /24 . . . none of them seem to be up to anything good.
Thanks,
Dario
On 9/19/19, 8:39 PM, "nsp-security on behalf of Krista" <nsp-security-bounces at puck.nether.net on behalf of krista at people.ops-trust.net> wrote:
----------- nsp-security Confidential --------
I see it in AS852 but only hitting one host which does appear to be an
ASA, this occurred 09/06/19 06:30:55 UTC.
I inadvertently queried the entire suspect /24 instead of /32 at first and
there's other 'interesting' traffic from 212.73.150.0/24 targeting a
variety of things but an inordinate amount of data center looking dst hosts
and not necessarily just 443/tcp so I'd encourage others to expand your
query.
Otherwise that /24 and org (Redcluster LTD) in general appears highly
suspect, lots more but a few examples,
212.73.150.247 lnstagramm.com
185.141.61.109 airlinepointsexpress.com
185.141.61.254 instagramspy.info
185.141.61.106 invoice.name
94.156.144.138 recover-account.com
Lastly, their terms (www.vpsag.com/terms.php) very explicitly state this
activity would not be tolerated so I agree reaching out is the nice thing
to do but my spidey sense is tingling.
Krista
AS852
> ----------- nsp-security Confidential --------
>
> Long short, has anyone tried the abuse contact in whois to see if they can
> take a look at the machine?
>
>> % Abuse contact for '212.73.150.0 - 212.73.150.255' is 'abuse at vpsag.com'
>
> --tim
>
> On 19 Sep 2019, at 14:17, Smith, Donald wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> How much of this can be shared?
>>
>> upstreams might be willing to look at this and perhaps block it?
>>
>> $ whois -h upstream-whois.cymru.com 212.73.150.63
>> PEER_AS | IP | AS Name
>> 174 | 212.73.150.63 | COGENT-174 - Cogent Communications, US
>> 2914 | 212.73.150.63 | NTT-COMMUNICATIONS-2914 - NTT America, Inc., US
>> 3356 | 212.73.150.63 | LEVEL3 - Level 3 Parent, LLC, US
>> 6939 | 212.73.150.63 | HURRICANE - Hurricane Electric LLC, US
>>
>> Traceroute goes through cogentco.
>> 13 189 ms 304 ms 306 ms be2182.ccr41.ams03.atlas.cogentco.com
>> [154.54.77.245]
>> 14 203 ms 306 ms 308 ms be2813.ccr41.fra03.atlas.cogentco.com
>> [130.117.0.122]
>> 15 206 ms 305 ms 306 ms be2959.ccr21.muc03.atlas.cogentco.com
>> [154.54.36.54]
>> 16 468 ms 306 ms 307 ms be2974.ccr51.vie01.atlas.cogentco.com
>> [154.54.58.6]
>> 17 477 ms 307 ms 306 ms be3420.ccr51.beg03.atlas.cogentco.com
>> [130.117.0.70]
>> 18 380 ms 334 ms 279 ms be3421.ccr31.sof02.atlas.cogentco.com
>> [130.117.0.93]
>> 19 456 ms 306 ms 307 ms 149.6.69.178
>> 20 347 ms 173 ms 338 ms v70461.vps-ag.com [212.73.150.63]
>>
>>
>> We also use ASAs if it is ok to share I can ask our MSS guys if they're
>> seeing this too.
>> Could also run a netflow report see if they're hitting our customers.
>>
>>
>> if (initial_ttl!=255) then (rfc5082_compliant==0)
>> Donald.Smith at centurylink.com
>>
>> ________________________________________
>> From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of
>> Dario Ciccarone (dciccaro) [dciccaro at cisco.com]
>> Sent: Thursday, September 19, 2019 3:06 PM
>> To: Barry Greene
>> Cc: White, Gerard; Nsp-Security List
>> Subject: Re: [nsp-sec] Cisco customers experiencing grief from
>> 212.73.150.63
>>
>> ----------- nsp-security Confidential --------
>>
>> Thanks for the suggestion, Barry !
>>
>> That would seem indeed to be an option. At this point in time, we still
>> hope this to be all a big misunderstanding, and somehow being able to
>> convince whoever is doing it to stop, if we ask them kindly.
>>
>> But if it doesn't work and the trend of crashed ASAs continues or worsens
>> . . .
>>
>> Thanks,
>> Dario
>>
>> On 9/19/19, 4:39 PM, "Barry Greene" <bgreene at senki.org> wrote:
>>
>>
>> What if we did an ask to selectively Black Hole 212.73.150.63?
>>
>>
>> > On Sep 19, 2019, at 1:32 PM, Dario Ciccarone (dciccaro)
>> <dciccaro at cisco.com> wrote:
>> >
>> > ----------- nsp-security Confidential --------
>> >
>> > Gerard:
>> >
>> > Thanks for getting back to me on this !
>> >
>> > And thanks for sharing this information - we appreciate the
>> confirmation this activity cannot be considered "benign" or
>> "well intentioned"
>> >
>> > We will continue with our attempts to somehow establish a
>> communication channel with this SP, and hopefully get to the
>> bottom of this.
>> >
>> > Thanks again,
>> > Dario
>> >
>> >
>> >
>> > On 9/19/19, 4:05 PM, "White, Gerard"
>> <gerard.white at bellaliant.ca> wrote:
>> >
>> > Greetings.
>> >
>> > Definitely not port scanning, this /32 is doing "selective"
>> hits... appears to be operating on a specific "list" of
>> targets. Makes 2 attempts per target using 2 sequential TCP
>> sockets.
>> >
>> > GW
>> >
>> > -----Original Message-----
>> > From: nsp-security <nsp-security-bounces at puck.nether.net> On
>> Behalf Of Dario Ciccarone (dciccaro)
>> > Sent: September-19-19 2:08 PM
>> > To: nsp-security at puck.nether.net
>> > Subject: [EXT][nsp-sec] Cisco customers experiencing grief from
>> 212.73.150.63
>> >
>> > ----------- nsp-security Confidential --------
>> >
>> > Folks:
>> >
>> > As the subject says – some of our customers are having a hard time of it thanks to 212.73.150.63. This IP address is connecting to our customers’ ASA devices on port 443/tcp, and triggering CSCvi16029 – which was released as part of a Cisco Security Advisory back in 2018 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
>> >
>> > We have seen a significant spike in crashes in the last two weeks, and TAC has been able to track those down to connections from this IP address. The vulnerability characteristics are such that we can rule out these crashes being triggered “by accident” – we are pretty sure these connections are either attempts to find Cisco ASA devices affected by this vulnerability, OR attempts to exploit a similar vulnerability in someone else’s device. But they’re certainly not benign.
>> >
>> > We have contacted the abuse contact listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an answer to our contact attempts. I’m hence reaching out to the nsp-sec constituency with two questions :
>> >
>> >
>> > 1. Is this netblock, or this SP, in any way known for hosting miscreants ? (and yes, we’re also working w/ TALOS on this)
>> > 2. Does anyone here have a method to reach out to the owner of this netblock, which has been tried before and been successful ? Our request would be for this activity to stop, or at least, being able to talk to whoever is sending these probes to try to make them stop. We have seen before similar behavior when universities or individuals attempt Internet-wide scans for “something”, and that something may end up triggering a vulnerability in our devices.
>> >
>> > Yes, TAC is telling customers to deploy ACLs to drop connections from this IP address – that still leaves an unknown number of customers open to exploitation: those that have not crashed but will eventually crash when they get their turn.
>> >
>> > Thanks in advance for any help you can provide !
>> >
>> > Dario
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > nsp-security mailing list
>> > nsp-security at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/nsp-security
>> >
>> > Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security community. Confidentiality is essential for
>> effective Internet security counter-measures.
>> > _______________________________________________
>>
>
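As an added example (not written by anyone on this thread), a small Python triage script for the kind of query Krista suggests above: widen the search from the single /32 to 212.73.150.0/24, break down destination ports, and flag destinations that fit Gerard's observation of two attempts per target over two sequential TCP sockets. The flow-record format and all sample records are constructed for this example (RFC 5737 addresses stand in for customer hosts); it is not ASA syslog or any vendor's netflow export.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records: "ts src sport dst dport proto" (sample data, not real telemetry).
SAMPLE_FLOWS = """\
2019-09-06T06:30:55Z 212.73.150.63 51200 203.0.113.10 443 tcp
2019-09-06T06:30:55Z 212.73.150.63 51201 203.0.113.10 443 tcp
2019-09-06T06:31:02Z 212.73.150.63 51202 203.0.113.22 443 tcp
2019-09-06T06:31:02Z 212.73.150.63 51203 203.0.113.22 443 tcp
2019-09-06T06:40:10Z 212.73.150.247 40000 203.0.113.40 22 tcp
2019-09-06T06:45:00Z 198.51.100.7 52000 203.0.113.10 443 tcp
"""

# The suspect netblock named in the thread; querying the /24 rather than the /32.
SUSPECT_NET = ipaddress.ip_network("212.73.150.0/24")

def parse_flows(text):
    """Parse the constructed flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows

def flows_from_net(flows, net=SUSPECT_NET):
    """Keep only flows whose source falls inside the suspect network."""
    return [f for f in flows if f["src"] in net]

def paired_probe_targets(flows, dport=443):
    """(src, dst) pairs hit exactly twice on dport from consecutive source ports,
    i.e. the two-sequential-sockets pattern described in the thread."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == dport:
            by_pair[(str(f["src"]), f["dst"])].append(f["sport"])
    hits = [pair for pair, ports in by_pair.items()
            if len(ports) == 2 and max(ports) - min(ports) == 1]
    return sorted(hits)

def summarize(text):
    """Sources seen from the /24, destination-port breakdown, and paired 443 targets."""
    flows = flows_from_net(parse_flows(text))
    return {"sources": sorted({str(f["src"]) for f in flows}),
            "dports": dict(Counter(f["dport"] for f in flows)),
            "paired_443_targets": paired_probe_targets(flows)}
```

The paired targets are the hosts worth checking for the crash signature and for the ACL TAC recommends; the port breakdown shows whether the /24 is doing more than 443/tcp.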