[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
Rabbi Rob Thomas
robt at cymru.com
Fri Sep 20 06:20:51 EDT 2019
Dear Dario and all,
Feel free to share with whomever you wish, with attribution, and happy
to answer follow-up questions.
I hope it helps!
Be well!
Rob.
On 9/19/19 11:22 PM, Dario Ciccarone (dciccaro) wrote:
> Thanks a lot, Rob! This is certainly enlightening.
>
> What is the classification for this information? We are working
> internally with the forensics team, the TALOS guys and the Umbrella
> folks. Have *not yet* shared *any information* with any of them,
> besides a "it seems from other nsp-sec members that this particular
> host is hostile".
>
> Let me know!
>
> Thanks, Dario
>
> On 9/19/19, 8:03 PM, "nsp-security on behalf of Rabbi Rob Thomas"
> <nsp-security-bounces at puck.nether.net on behalf of robt at cymru.com>
> wrote:
>
> ----------- nsp-security Confidential --------
>
> Dear team,
>
> Okay, we see 340 recent, *possible* victims (SYN+ACK packets
> returned, etc.) in the following ASNs. Rather than spamming the
> list: Team, please let me know if you'd like the list of IPs for
> your ASN. I'm happy to send that along!
>
> All of our data continues to suggest that this is a targeted attack
> by 212.73.150.63, beginning as far back as 2019-08-31 08:17:24
> UTC.
>
> I'm going to go hunting for other hosts doing the same. I'm going
> to see if I can spot the recon effort that predated this activity.
> If there is anything else I can do to help, please don't hesitate
> to ask, Dario!
>
>
> 702 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US
> 766 REDIRIS RedIRIS Autonomous System, ES
> 1213 HEANET, IE
> 2514 INFOSPHERE NTT PC Communications, Inc., JP
> 3215 France Telecom - Orange, FR
> 3462 HINET Data Communication Business Group, TW
> 3561 CENTURYLINK-LEGACY-SAVVIS - CenturyLink Communications, LLC, US
> 3741 IS, ZA
> 4230 CLARO S.A., BR
> 4618 INET-TH-AS Internet Thailand Company Limited, TH
> 4637 ASN-TELSTRA-GLOBAL Telstra Global, HK
> 4657 STARHUB-INTERNET StarHub Ltd, SG
> 4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN
> 4782 GSNET Data Communication Business Group, TW
> 6421 AS6421 - TATA COMMUNICATIONS (AMERICA) INC, US
> 8255 EURO-INFORMATION, FR
> 9318 SKB-AS SK Broadband Co Ltd, KR
> 9498 BBIL-AP BHARTI Airtel Ltd., IN
> 9829 BSNL-NIB National Internet Backbone, IN
> 10135 EASPNET-AS-AP EASPNET Inc., TW
> 11179 ARYAKA-ARIN - Aryaka Networks, Inc., US
> 12338 EUSKALTEL, ES
> 13041 CESCA-AC, ES
> 14061 DIGITALOCEAN-ASN - DigitalOcean, LLC, US
> 14492 DATAPIPE - DataPipe, Inc., US
> 15085 IMMEDION - Immedion, LLC, US
> 15633 UOC-AS, ES
> 15734 IDH Equinix Connect - Iberia, ES
> 15964 CAMNET-AS, CM
> 16371 ACENS_AS (Spain) Hosting, housing and VPN services, ES
> 16509 AMAZON-02 - Amazon.com, Inc., US
> 17408 ABOVE-AS-AP AboveNet Communications Taiwan, TW
> 17547 M1NET-SG-AP M1 NET LTD, SG
> 17762 HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd, IN
> 18101 RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd. DAKC MUMBAI, IN
> 20164 JOANN-INET - JO-ANN STORES, LLC, US
> 20228 NTUA - Navajo Tribal Utility Authority, US
> 20337 SUNYPOLY-ASN - SUNY Institute of Technology, US
> 20940 AKAMAI-ASN1, US
> 22023 MZ - Machine Zone, Inc., US
> 23688 LINK3-TECH-AS-BD-AP Link3 Technologies Ltd., BD
> 24246 PNAPHKG001-AS-AP Internap Network Services, HK
> 24309 CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN
> 25479 IC2-AS, ES
> 25512 CDT-AS The Czech Republic, CZ
> 25888 CPQ-CXO-IOMC - Hewlett-Packard Company, US
> 26769 BANDCON - Bandcon, US
> 27357 RACKSPACE - Rackspace Hosting, US
> 28573 CLARO S.A., BR
> 30815 DETASAD, SA
> 34397 CYBERIA-RUH Cyberia Riyadh Autonomous System, SA
> 35753 ITC ITC AS number, SA
> 36884 MAROCCONNECT, MA
> 36926 CKL1-ASN, KE
> 37053 RSAWEB-AS, ZA
> 37054 Telecom-Malagasy, MG
> 37684 ANGANI-AS, KE
> 38219 SKODAAUTOINDIA-AS-AP Skoda Auto India Pvt. Ltd., IN
> 39522 CONVERGED, GB
> 40523 OACYS-INTERNET - OACYS TECHNOLOGY, US
> 42428 SPSNET Autonomous Number for Multihomed ISP Environment, SA
> 43408 SECDATAEU, GB
> 45187 RACKSPACE-AP Rackspace IT Hosting AS IT Hosting Provider Hong Kong, HK
> 45271 ICLNET-AS-AP Idea Cellular Limited, IN
> 45820 TTSL-MEISISP Tata Teleservices ISP AS, IN
> 45992 CG-AS-KR Construction Guarantee Cooperative, KR
> 50300 CUSTDC, GB
> 51375 VIVA, BH
> 53070 T-Systems Telecomunicações e Serviços Ltda., BR
> 55423 JASTEL-NETWORK-TH-IDC-AP JasTel Network, TH
> 55470 CYFUTURE-AS-IN Cyfuture India Pvt. Ltd., IN
> 55824 NKN-CORE-NW NKN Core Network, IN
> 56595 FLUENCY, GB
> 57795 NGNETWORKS, NL
> 58872 FUJITSU-IN Fujitsu Consulting India Pvt Ltd, IN
> 58966 BENCHMARK-AS-IN Benchmark Infotech Services Pvt. Ltd., IN
> 131195 SIM-SG-AS-AP SIM Headquarters, SG
> 131458 WILLIAMSLEA-AS-AP WILLIAMS LEA INDIA PRIVATE LIMITED, IN
> 132242 HOGARTHWW-SG Hogarth Worldwide Pte, SG
> 132303 TATA-SKY-AS-AP Tata Sky Ltd, IN
> 132519 SIKKACABLE-AS-IN Sikka Cable, IN
> 132764 PINKEYIT-AS Pinkey Internet, IN
> 133276 BIRLASOFT-AS Birlasoft India Ltd., IN
> 135197 MCX-AS Multi Commodity Exchange Of India Ltd, IN
> 198096 CICA Centro Informatico Cientifico de Andalucia - CICA, ES
> 200521 SEAP-AGE, ES
> 203708 AXEZ, NL
> 206713 ASFTV, FR
> 210137 LEAR-FRA, DE
> 262494 Virtex Ltda, BR
> 264159 Inexa Tecnologia LTDA., BR
>
>
> Be well, Rob.
>
>
> _______________________________________________ nsp-security
> mailing list nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
--
Rabbi Rob Thomas Team Cymru
"It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
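The thread's working definition of a "possible victim" is a host that returned SYN+ACK to the hostile source, and the follow-up offer is a per-ASN list of those hosts. The script below is an added illustration of that triage on flow records; it is not Team Cymru's tooling and not code from the thread. The flow line format, the sample flows (RFC 5737 documentation addresses), and the prefix-to-ASN table (RFC 5398 documentation ASNs) are all constructed here; the only value taken from the thread is the source IP 212.73.150.63. Hosts are classified by the response they gave to the source's bare SYN: SYN+ACK (possible victim, port open and handshake reached step two, nothing more), RST (closed port), or no reply, and the earliest flow from the source gives the "beginning as far back as" timestamp.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records (not data from the thread). Assumed line format:
#   "<UTC timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp_flags>"
# Flag letters: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG.
SAMPLE_FLOWS = """\
2019-08-31T08:17:24Z 212.73.150.63:40001 -> 192.0.2.10:22 S
2019-08-31T08:17:24Z 192.0.2.10:22 -> 212.73.150.63:40001 SA
2019-08-31T08:17:25Z 212.73.150.63:40002 -> 192.0.2.11:22 S
2019-08-31T08:17:25Z 192.0.2.11:22 -> 212.73.150.63:40002 RA
2019-08-31T08:17:26Z 212.73.150.63:40003 -> 198.51.100.7:22 S
2019-08-31T08:17:26Z 198.51.100.7:22 -> 212.73.150.63:40003 SA
2019-08-31T08:17:27Z 212.73.150.63:40004 -> 198.51.100.8:22 S
2019-08-31T08:20:00Z 203.0.113.5:51000 -> 192.0.2.10:443 S
2019-08-31T08:20:00Z 192.0.2.10:443 -> 203.0.113.5:51000 SA
"""

# Constructed prefix-to-ASN table (documentation ASNs, not the ASNs in the thread).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SAFRPU]+)$"
)


def parse_flows(text):
    """Parse the constructed flow format into dicts; lines that don't match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        flows.append(d)
    return flows


def classify_responses(flows, source_ip):
    """Map each (host, port) the source sent a bare SYN to -> 'syn_ack', 'rst' or 'no_reply'."""
    probed = {}
    for f in flows:
        if f["src"] == source_ip and "S" in f["flags"] and "A" not in f["flags"]:
            probed.setdefault((f["dst"], f["dport"]), "no_reply")
    for f in flows:
        if f["dst"] != source_ip:
            continue  # only replies addressed back to the source count
        key = (f["src"], f["sport"])
        if key not in probed:
            continue  # unsolicited traffic to the source is not a probe response
        if "S" in f["flags"] and "A" in f["flags"]:
            probed[key] = "syn_ack"
        elif "R" in f["flags"] and probed[key] == "no_reply":
            probed[key] = "rst"
    return probed


def possible_victims(flows, source_ip):
    """Hosts that answered the source with SYN+ACK: possible victims only, not confirmed ones."""
    return sorted({ip for (ip, _port), cat in classify_responses(flows, source_ip).items()
                   if cat == "syn_ack"})


def first_seen(flows, source_ip):
    """Earliest flow from the source, i.e. how far back the activity is visible in this data."""
    stamps = [f["ts"] for f in flows if f["src"] == source_ip]
    return min(stamps) if stamps else None


def group_by_asn(ips, prefix_to_asn):
    """Longest-prefix match each IP to an ASN so a per-ASN notification list can be produced."""
    nets = sorted(((ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()),
                  key=lambda n: n[0].prefixlen, reverse=True)
    grouped = defaultdict(list)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        asn = next((a for net, a in nets if addr in net), None)  # None = no covering prefix
        grouped[asn].append(ip)
    return {asn: sorted(v) for asn, v in grouped.items()}


if __name__ == "__main__":
    source = "212.73.150.63"
    flows = parse_flows(SAMPLE_FLOWS)
    print("first seen:", first_seen(flows, source).isoformat())
    for asn, hosts in sorted(group_by_asn(possible_victims(flows, source), PREFIX_TO_ASN).items()):
        print(f"AS{asn}: {', '.join(hosts)}")
```

On the constructed flows this reports 192.0.2.10 and 198.51.100.7 as possible victims (one per ASN), 192.0.2.11 as closed (RST) and 198.51.100.8 as unanswered; the SYN+ACK that 192.0.2.10 sent to 203.0.113.5 is ignored because that exchange was not initiated by the source under investigation.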