[nsp-sec] Cisco customers experiencing grief from 212.73.150.63

J. Chambers jchambers at ucla.edu
Wed Sep 25 13:56:33 EDT 2019


We also see traffic from this IP over the past month.

The activity stopped on 2019-09-20 at 07:37 UTC.

Our flows suggest the activity is unique to the target device; the
attacker spent more time on some IPs than others, up to 10 days on three
of our IPs.  See the attached flow summary.

I'll see if I can determine what types of ASAs and versions were involved.



Regards,

--Jason




On 2019-09-19 18:08, Dario Ciccarone (dciccaro) wrote:
> ----------- nsp-security Confidential --------
> 
> Folks:
> 
> As the subject says – some of our customers are having a hard time of it thanks to 212.73.150.63. This IP address is connecting to our customers’ ASA devices on port 443/tcp, and triggering CSCvi16029 – which was released as part of a Cisco Security Advisory back in 2018 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
> 
> We have seen a significant spike in crashes in the last two weeks, and TAC has been able to track those down to connections from this IP address. The vulnerability characteristics are such that we can rule out these crashes being triggered “by accident” – we are pretty sure these connections are either attempts to find Cisco ASA devices affected by this vulnerability, OR attempts to exploit a similar vulnerability in someone else’s device. But they’re certainly not benign.
> 
> We have contacted the abuse contact listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an answer to our contact attempts. I’m hence reaching out to the nsp-sec constituency with two questions:
> 
> 
>   1.  Is this netblock, or this SP, in any way known for hosting miscreants? (and yes, we’re also working w/ TALOS on this)
>   2.  Does anyone here have a method to reach out to the owner of this netblock, which has been tried before and been successful? Our request would be for this activity to stop, or at least, being able to talk to whoever is sending these probes to try to make them stop. We have seen before similar behavior when universities or individuals attempt Internet-wide scans for “something”, and that something may end up triggering a vulnerability in our devices.
> 
> Yes, TAC is advising customers to deploy ACLs to drop connections from this IP address – that still leaves an unknown number of customers open to exploitation: those that have not crashed but will eventually crash when they get their turn.
> 
> Thanks in advance for any help you can provide!
> 
> Dario
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 
-------------- next part --------------


            sIP|            dIP| dPort|       sTime-Earliest|        eTime-Latest|        Packets|               Bytes|   Records|
  212.73.150.63|  164.67.xx.x|     443|  2019/08/31T08:17:56| 2019/08/31T08:48:56|             12|                 608|         4|
  212.73.150.63|  164.67.xx.x|     443|  2019/09/01T05:56:20| 2019/09/01T05:56:31|              6|                 304|         2|
  212.73.150.63|  164.67.xx.x|     443|  2019/09/01T07:43:06| 2019/09/01T10:37:55|             12|                 608|         4|
  212.73.150.63|  164.67.xx.x|     443|  2019/09/09T08:20:18| 2019/09/19T09:15:19|            129|               16073|        12|
  212.73.150.63|  128.97.xx.x|     443|  2019/09/10T03:52:01| 2019/09/20T03:26:05|            133|               19187|        18|
  212.73.150.63|  149.142.xx.x|    443|  2019/09/10T08:21:03| 2019/09/20T07:37:02|            138|               20359|        14|
  212.73.150.63|  128.97.xx.x|     443|  2019/09/11T04:23:18| 2019/09/11T04:34:21|             44|                6362|         6|
  212.73.150.63|  149.142.xx.x|    443|  2019/09/12T11:44:23| 2019/09/12T11:44:27|             32|                3743|         4|
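Added example, not part of this message or its attachment: a small Python parser for the flow summary above that computes, per record, how long the source kept returning to each target, which is how the "up to 10 days on three of our IPs" figure can be checked from the summary. The sample rows are copied from the attachment, with the redacted target addresses left as they appear there.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input in the same pipe-delimited layout as the attached
# flow summary (rows copied from it; target addresses are redacted as on the page).
FLOW_SUMMARY = """\
            sIP|            dIP| dPort|       sTime-Earliest|        eTime-Latest|        Packets|               Bytes|   Records|
  212.73.150.63|  164.67.xx.x|     443|  2019/08/31T08:17:56| 2019/08/31T08:48:56|             12|                 608|         4|
  212.73.150.63|  164.67.xx.x|     443|  2019/09/01T05:56:20| 2019/09/01T05:56:31|              6|                 304|         2|
  212.73.150.63|  164.67.xx.x|     443|  2019/09/01T07:43:06| 2019/09/01T10:37:55|             12|                 608|         4|
  212.73.150.63|  164.67.xx.x|     443|  2019/09/09T08:20:18| 2019/09/19T09:15:19|            129|               16073|        12|
  212.73.150.63|  128.97.xx.x|     443|  2019/09/10T03:52:01| 2019/09/20T03:26:05|            133|               19187|        18|
  212.73.150.63|  149.142.xx.x|    443|  2019/09/10T08:21:03| 2019/09/20T07:37:02|            138|               20359|        14|
  212.73.150.63|  128.97.xx.x|     443|  2019/09/11T04:23:18| 2019/09/11T04:34:21|             44|                6362|         6|
  212.73.150.63|  149.142.xx.x|    443|  2019/09/12T11:44:23| 2019/09/12T11:44:27|             32|                3743|         4|
"""
TIME_FMT = "%Y/%m/%dT%H:%M:%S"

@dataclass
class Flow:
    sip: str
    dip: str
    dport: int
    start: datetime   # sTime-Earliest: first packet seen for this src/dst pair
    end: datetime     # eTime-Latest: last packet seen for this src/dst pair
    packets: int

    def dwell(self):
        """How long the source kept coming back to this target."""
        return self.end - self.start

def parse_summary(text):
    """Parse the header-led, pipe-delimited summary; columns are looked up by name."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].strip().rstrip("|").split("|")]
    col = {name: i for i, name in enumerate(header)}
    flows = []
    for line in lines[1:]:
        f = [c.strip() for c in line.strip().rstrip("|").split("|")]
        flows.append(Flow(
            sip=f[col["sIP"]], dip=f[col["dIP"]], dport=int(f[col["dPort"]]),
            start=datetime.strptime(f[col["sTime-Earliest"]], TIME_FMT),
            end=datetime.strptime(f[col["eTime-Latest"]], TIME_FMT),
            packets=int(f[col["Packets"]])))
    return flows

def long_dwell(flows, min_days=1.0):
    """Records where the source stayed on one target for at least min_days,
    i.e. sustained probing of a single device rather than a one-pass sweep."""
    return [f for f in flows if f.dwell() >= timedelta(days=min_days)]
```

Because the 'xx.x' redaction can merge distinct hosts under one string, the check is kept per record rather than aggregated per dIP.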

