[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
Hank Nussbacher
hank at efes.iucc.ac.il
Fri Sep 20 01:28:33 EDT 2019
On 20/09/2019 06:27, Dario Ciccarone (dciccaro) wrote:
VPsag is located in Larnaca:
https://www.vpsag.com/contact.php
No one here from Cyprus that can help out?
Other than the whois contact info of admin at redcluster.org
have you tried the contact info from their support page:
support at vpsag.com
+357.960.768.77 (same number as in whois:
remarks: ------------------- LAW ENFORCEMENT -------------------
remarks: For any law enforcement inquiries, please contact us
remarks: at admin at redcluster.org or by phone at +357.960.768.77)
-Hank
> ----------- nsp-security Confidential --------
>
> We have already, multiple times - no answer.
>
> We plan to continue nagging them - but based on the data collected so far, I think it unlikely they're blind to the kind of activity that is going on within their network space. I would instead think they're very much aware of it, and may even be participants or partners on it.
>
>
> On 9/19/19, 8:09 PM, "Tim April" <tapril at people.ops-trust.net> wrote:
>
> Long short, has anyone tried the abuse contact in whois to see if they can take a look at the machine?
>
> > % Abuse contact for '212.73.150.0 - 212.73.150.255' is 'abuse at vpsag.com'
>
> --tim
>
> On 19 Sep 2019, at 14:17, Smith, Donald wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > How much of this can be shared?
> >
> > upstreams might be willing to look at this and perhaps block it?
> >
> > $ whois -h upstream-whois.cymru.com 212.73.150.63
> > PEER_AS | IP | AS Name
> > 174 | 212.73.150.63 | COGENT-174 - Cogent Communications, US
> > 2914 | 212.73.150.63 | NTT-COMMUNICATIONS-2914 - NTT America, Inc., US
> > 3356 | 212.73.150.63 | LEVEL3 - Level 3 Parent, LLC, US
> > 6939 | 212.73.150.63 | HURRICANE - Hurricane Electric LLC, US
> >
> >
> > Traceroute goes through cogentco.
> > 13 189 ms 304 ms 306 ms be2182.ccr41.ams03.atlas.cogentco.com [154.54.77.245]
> > 14 203 ms 306 ms 308 ms be2813.ccr41.fra03.atlas.cogentco.com [130.117.0.122]
> > 15 206 ms 305 ms 306 ms be2959.ccr21.muc03.atlas.cogentco.com [154.54.36.54]
> > 16 468 ms 306 ms 307 ms be2974.ccr51.vie01.atlas.cogentco.com [154.54.58.6]
> > 17 477 ms 307 ms 306 ms be3420.ccr51.beg03.atlas.cogentco.com [130.117.0.70]
> > 18 380 ms 334 ms 279 ms be3421.ccr31.sof02.atlas.cogentco.com [130.117.0.93]
> > 19 456 ms 306 ms 307 ms 149.6.69.178
> > 20 347 ms 173 ms 338 ms v70461.vps-ag.com [212.73.150.63]
> >
> >
> > We also use ASAs. If it is OK to share, I can ask our MSS guys if they're seeing this too.
> > Could also run a netflow report to see if they're hitting our customers.
> >
> >
> > if (initial_ttl!=255) then (rfc5082_compliant==0)
> > Donald.Smith at centurylink.com
> >
> > ________________________________________
> > From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Dario Ciccarone (dciccaro) [dciccaro at cisco.com]
> > Sent: Thursday, September 19, 2019 3:06 PM
> > To: Barry Greene
> > Cc: White, Gerard; Nsp-Security List
> > Subject: Re: [nsp-sec] Cisco customers experiencing grief from 212.73.150.63
> >
> > ----------- nsp-security Confidential --------
> >
> > Thanks for the suggestion, Barry!
> >
> > That would seem indeed to be an option. At this point in time, we still hope this to be all a big misunderstanding, and somehow being able to convince whoever is doing it to stop, if we ask them kindly.
> >
> > But if it doesn't work and the trend of crashed ASAs continues or worsens . . .
> >
> > Thanks,
> > Dario
> >
> > On 9/19/19, 4:39 PM, "Barry Greene" <bgreene at senki.org> wrote:
> >
> >
> > What if we did an ask to selectively Black Hole 212.73.150.63?
> >
> >
> > > On Sep 19, 2019, at 1:32 PM, Dario Ciccarone (dciccaro) <dciccaro at cisco.com> wrote:
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > > Gerard:
> > >
> > > Thanks for getting back to me on this!
> > >
> > > And thanks for sharing this information - we appreciate the confirmation that this activity cannot be considered "benign" or "well intentioned".
> > >
> > > We will continue with our attempts to somehow establish a communication channel with this SP, and hopefully get to the bottom of this.
> > >
> > > Thanks again,
> > > Dario
> > >
> > >
> > >
> > > On 9/19/19, 4:05 PM, "White, Gerard" <gerard.white at bellaliant.ca> wrote:
> > >
> > > Greetings.
> > >
> > > Definitely not port scanning, this /32 is doing "selective" hits... appears to be operating on a specific "list" of targets. Makes 2 attempts per target using 2 sequential TCP sockets.
> > >
> > > GW
> > >
> > > -----Original Message-----
> > > From: nsp-security <nsp-security-bounces at puck.nether.net> On Behalf Of Dario Ciccarone (dciccaro)
> > > Sent: September-19-19 2:08 PM
> > > To: nsp-security at puck.nether.net
> > > Subject: [EXT][nsp-sec] Cisco customers experiencing grief from 212.73.150.63
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > > Folks:
> > >
> > > As the subject says – some of our customers are having a hard time of it thanks to 212.73.150.63. This IP address is connecting to our customers’ ASA devices on port 443/tcp, and triggering CSCvi16029 – which was released as part of a Cisco Security Advisory back in 2018 - https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2ftools.cisco.com%2fsecurity%2fcenter%2fcontent%2fCiscoSecurityAdvisory%2fcisco%2dsa%2d20180606%2dasaftd&umid=4BEE9880-92EE-5805-9071-E197D88C2066&auth=19120be9529b25014b618505cb01789c5433dae7-cc164833e49cb7fe1e8c479771667d538664d106
> > >
> > > We have seen a significant spike in crashes in the last two weeks, and TAC has been able to track those down to connections from this IP address. The vulnerability characteristics are such that we can rule out these crashes being triggered “by accident” – we are pretty sure these connections are either attempts to find Cisco ASA devices affected by this vulnerability, OR attempts to exploit a similar vulnerability in someone else’s device. But they’re certainly not benign.
> > >
> > > We have contacted the abuse contact listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an answer to our contact attempts. I’m hence reaching out to the nsp-sec constituency with two questions:
> > >
> > >
> > > 1. Is this netblock, or this SP, in any way known for hosting miscreants? (and yes, we’re also working w/ TALOS on this)
> > > 2. Does anyone here have a method to reach out to the owner of this netblock, which has been tried before and been successful? Our request would be for this activity to stop, or at least, being able to talk to whoever is sending these probes to try to make them stop. We have seen similar behavior before when universities or individuals attempt Internet-wide scans for “something”, and that something may end up triggering a vulnerability in our devices.
> > >
> > > Yes, TAC is advising customers to deploy ACLs to drop connections from this IP address – that still leaves an unknown number of customers open to exploitation: those that have not crashed but will eventually crash when they get their turn.
> > >
> > > Thanks in advance for any help you can provide!
> > >
> > > Dario
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > nsp-security mailing list
> > > nsp-security at puck.nether.net
> > > https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fpuck.nether.net%2fmailman%2flistinfo%2fnsp%2dsecurity&umid=4BEE9880-92EE-5805-9071-E197D88C2066&auth=19120be9529b25014b618505cb01789c5433dae7-2a74abd7e428e2aafd0d49af128c3028a3d36976
> > >
> > > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
> > > _______________________________________________
> >
>
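One defender-side way to check flow records for the pattern Gerard describes (two connections on sequential source ports per target, on one service port, across a list of targets, as opposed to a port scan of a single host) and to list which customers a given source touched, as Donald suggests doing with a netflow report. This is an added example, not code from the thread; the flow records, thresholds and the selective/portscan heuristic are constructed and assumed for illustration.

```python
"""Flag 'selective hit' sources in flow records (added example, not thread code).
Constructed flows mimic the pattern described on the list: one source hitting a
target list on tcp/443, two attempts per target on sequential source ports.
Thresholds and the portscan/selective heuristic are assumptions."""
from collections import defaultdict

# Constructed flow records (src_ip, src_port, dst_ip, dst_port); not real data.
FLOWS = [
    ("198.51.100.7", 40001, "192.0.2.10", 443),
    ("198.51.100.7", 40002, "192.0.2.10", 443),
    ("198.51.100.7", 40003, "192.0.2.25", 443),
    ("198.51.100.7", 40004, "192.0.2.25", 443),
    ("198.51.100.7", 40005, "192.0.2.77", 443),
    ("198.51.100.7", 40006, "192.0.2.77", 443),
    ("203.0.113.9", 51000, "192.0.2.10", 22),    # sweeping ports on one host
    ("203.0.113.9", 51001, "192.0.2.10", 80),
    ("203.0.113.9", 51002, "192.0.2.10", 443),
    ("203.0.113.9", 51003, "192.0.2.10", 8443),
    ("192.0.2.200", 33000, "192.0.2.10", 443),   # ordinary single client
]

def classify_sources(flows, min_targets=3):
    """Return {src: 'selective' | 'portscan' | 'normal'} for every source seen."""
    by_src = defaultdict(lambda: defaultdict(list))  # src -> dst -> [(sport, dport)]
    for src, sport, dst, dport in flows:
        by_src[src][dst].append((sport, dport))
    verdicts = {}
    for src, targets in by_src.items():
        dports = {dp for hits in targets.values() for _, dp in hits}
        if len(targets) == 1 and len(dports) >= 4:
            verdicts[src] = "portscan"  # one host, many destination ports
            continue
        paired = 0
        for hits in targets.values():
            sports = sorted(sp for sp, _ in hits)
            # exactly two attempts per target, on consecutive source ports
            if len(sports) == 2 and sports[1] - sports[0] == 1:
                paired += 1
        # many targets, one service port, every target hit exactly twice
        if len(targets) >= min_targets and len(dports) == 1 and paired == len(targets):
            verdicts[src] = "selective"
        else:
            verdicts[src] = "normal"
    return verdicts

def hit_list(flows, src):
    """Destinations a source touched, for checking which customers were hit."""
    return sorted({dst for s, _, dst, _ in flows if s == src})
```

Feed real flow exports in the same (src, sport, dst, dport) shape; sources classified as "selective" are candidates for the ACL TAC recommends and for an abuse report to the upstream ASNs listed by the Cymru lookup.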