Hi
If so, could you please contact me off-list (attempted your abuse desk last week) regarding either a joe-job against your company, or a real incident where our customer involved is hiding his IP in our network behind cloudflare.
Hi Benoît,
Benoît Panizzon wrote on Tue, Oct 25, 2022 at 03:53:12PM +0200:
> If so, could you please contact me off-list (attempted your abuse desk last week) regarding either a joe-job against your company, or a real incident where our customer involved is hiding his IP in our network behind cloudflare.
Let me guess: You've got an abuse report to your abuse e-mail address about some IP ranges and domains (including up-network.ch) which have no relation to your AS at all?
If yes: You're not the only one.
Regards, Axel
Hi Axel
> Let me guess: You've got an abuse report to your abuse e-mail address about some IP ranges and domains (including up-network.ch) which have no relation to your AS at all?
> If yes: You're not the only one.
Yes, after the 3rd report, from yet another source, which we got after I sent the email, the joe-job became quite apparent.
The first report was rather short but could be understood as a report about https://dashboard.myrdp.gg/login being a phishing site hosted by one of our customers under the IP: 45.158.77.203
dashboard.myrdp.gg points to a Cloudflare proxy. This would not be the first time that somebody sends a complaint to Cloudflare and Cloudflare discloses the IP addresses in question. Phishing sites are often hosted on multiple compromised sites. So it was plausible to me that one IP in our network could be involved.
So I replied that this IP is not in our network and they should check again with Cloudflare, and if an IP was in our network, tell us which one so we could check with the affected customer.
On Tuesday we got 3 more reports from another sender, sent to different abuse and NOC addresses, regarding the same phishing site, not the full URL anymore, but a more sensible list of affected IP addresses:
45.148.119.0/24
171.22.147.0/24
45.148.116.0/24
MyRDP.gg
up-network.ch
Four lines pointing to up-network.
So I guess this is some kind of campaign targeting up-network.
Kind regards
-Benoît Panizzon-
Hi Benoit,
Benoit Panizzon wrote on Thu, Oct 27, 2022 at 10:45:31AM +0200:
>> Let me guess: You've got an abuse report to your abuse e-mail address about some IP ranges and domains (including up-network.ch) which have no relation to your AS at all?
>> If yes: You're not the only one.
> Yes, after the 3rd report, from yet another source, which we got after I sent the email, the joe-job became quite apparent.
Ok, we so far just got one such mail.
> The first report was rather short but could be understood as a report about https://dashboard.myrdp.gg/login being a phishing site hosted by one of our customers under the IP: 45.158.77.203
Ok, so you actually have a relation to some of the mentioned assets? We don't have any.
> On Tuesday we got 3 more reports from another sender, sent to different abuse and NOC addresses, regarding the same phishing site, not the full URL anymore, but a more sensible list of affected IP addresses:
> 45.148.119.0/24
> 171.22.147.0/24
> 45.148.116.0/24
> MyRDP.gg
> up-network.ch
That list is actually the same that we got to our abuse address, too. For reference, here's the relevant part of that weird mail as we received it:
| Date: Tue, 25 Oct 2022 14:59:36 +0200
| From: abuse@cognitive-cloud.com
| To: abuse@[…]
| Subject: Abuse report
| X-Mailer: mail (GNU Mailutils 3.7)
|
| Hello,
|
| We have detected that the AS: "AS203790 - Association UP-NETWORK" is responsible for hosting a phishing campaign targeting French institutions and private banks.
|
| We ask you to stop their service completely, an investigation is in progress
|
| 45.148.119.0/24
| 171.22.147.0/24
| 45.148.116.0/24
| MyRDP.gg
| up-network.ch
|
| You can check all the proof here :
| - https://ipinfo.io/AS203790
|
| =================
| 45.148.116.57 macartevitaleameli.fr
| 171.22.147.226 amelicartevitaleverif.com
| 171.22.147.40 assure-cartes.com
| =================
[Signature or at least what seems to be a signature stripped]
I assume that most of these mails looked like this one.
> So I guess this is some kind of campaign targeting up-network.
Yes, I interpret this as trying to convince other organisations to block up-network.ch's IP ranges in their AS. Which is kinda weird. It's the first time I've seen such a request on the abuse address of an unrelated organisation.
But it is difficult to say if this is a helpless but true request or a hostile attack.
Asking to block 3x /24 just because of three phishing sites seems a bit of an overzealous reaction to me, though. This is what blacklists are for.
Regards, Axel
Hi Axel
On 27.10.22 16:15, Axel Beckert wrote:
> I assume that most of these mails looked like this one.
I can confirm that we got an email with the same content on our peering and NOC addresses last Friday night, but it was backdated to Tuesday, so it got marked as spam pretty heavily.
Here's a snippet from the headers, I only redacted the mail server's IP, in case they are an unrelated email server.
--------
Received: from unknown (HELO ZmoTAQamBxvqwGzx) ([REDACTED-IP])
  by mx4.switch.ch with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Oct 2022 23:38:33 +0200
Received: by ZmoTAQamBxvqwGzx (Postfix, from userid 0)
  id 5EC8FAA54A; Tue, 25 Oct 2022 19:39:33 +0200 (CEST)
From: abuse@cognitive-cloud.com
Subject: Abuse report
To: noc@switch.ch
X-Mailer: mail (GNU Mailutils 3.7)
Message-ID: 20221025173933.5EC8FAA54A@ZmoTAQamBxvqwGzx
Date: Tue, 25 Oct 2022 19:39:33 +0200
Return-Path: abuse@cognitive-cloud.com
X-MS-Exchange-Organization-Network-Message-Id: 1bd4bc1c-d9e4-4c38-08bd-08dab92ce80c
Content-Type: text/plain
--------
If anything this kind of thing makes the senders seem even less trustworthy.
Best, Joel
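One check an abuse desk could run on such a mail, as an added example that is not part of the thread: it compares the Date: header with the delivery timestamp in the outermost Received: header (the backdating Joel describes) and flags a HELO name that is not a hostname. The sample headers are constructed from the ones quoted above (redaction kept); the 24-hour tolerance is an assumption.

```python
"""Flag backdated abuse mails with an odd HELO, using only the stdlib."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the thread, server IP still redacted.
SAMPLE = (
    "Received: from unknown (HELO ZmoTAQamBxvqwGzx) ([REDACTED-IP])\n"
    "  by mx4.switch.ch with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n"
    "  28 Oct 2022 23:38:33 +0200\n"
    "Received: by ZmoTAQamBxvqwGzx (Postfix, from userid 0) id 5EC8FAA54A;\n"
    "  Tue, 25 Oct 2022 19:39:33 +0200 (CEST)\n"
    "From: abuse@cognitive-cloud.com\n"
    "Subject: Abuse report\n"
    "To: noc@switch.ch\n"
    "Date: Tue, 25 Oct 2022 19:39:33 +0200\n"
    "\n"
    "body\n"
)

MAX_SKEW_HOURS = 24  # assumption: a day of queueing is normal, three days is not


def analyze_headers(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    result = {"date_skew_hours": None, "helo": None, "helo_is_fqdn": None,
              "findings": []}
    if received and msg["Date"]:
        # The first Received: line is the one our own MX stamped on delivery;
        # its timestamp sits after the last ';' of the (possibly folded) value.
        delivered = parsedate_to_datetime(received[0].rsplit(";", 1)[1].strip())
        claimed = parsedate_to_datetime(msg["Date"])
        skew = (delivered - claimed).total_seconds() / 3600
        result["date_skew_hours"] = skew
        if abs(skew) > MAX_SKEW_HOURS:
            result["findings"].append(
                f"Date: header is {skew:.1f} h off the delivery time")
    match = re.search(r"\(HELO ([^)]+)\)", received[0]) if received else None
    if match:
        helo = match.group(1)
        result["helo"] = helo
        result["helo_is_fqdn"] = "." in helo  # a real MTA greets with its FQDN
        if not result["helo_is_fqdn"]:
            result["findings"].append(f"HELO name {helo!r} is not a hostname")
    return result


if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE)["findings"]:
        print(finding)
```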