25 Oct
2022
25 Oct
'22
3:53 p.m.
Hi
If so, could you please contact me off-list (attempted your abuse desk
last week) regarding either a joe-job against your company, or a real
incident where our customer involved is hiding his IP in our
network behind cloudflare.
--
Mit freundlichen Grüssen
-Benoît Panizzon- @ HomeOffice und normal erreichbar
--
I m p r o W a r e A G - Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Schweiz Web http://www.imp.ch
______________________________________________________
26 Oct
26 Oct
11:26 a.m.
Hoi Benoît,
Benoît Panizzon schrieb am Tue, Oct 25, 2022 at 03:53:12PM +0200:
If so, could you please contact me off-list (attempted
your abuse desk
last week) regarding either a joe-job against your company, or a real
incident where our customer involved is hiding his IP in our
network behind cloudflare.
Let me guess: You've got an abuse report to your abuse e-mail address
about some IP ranges and domains (including up-network.ch) which have
no relation to your AS at all?
If yes: You're not the only one.
Regards, Axel
--
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | abe(a)deuxchevaux.org (Mail)
X See http://arc.pasp.de/ | abe(a)noone.org (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/ | https://axel.beckert.ch/
27 Oct
27 Oct
10:45 a.m.
Hi Alex
Let me guess: You've got an abuse report to your
abuse e-mail address
about some IP ranges and domains (including up-network.ch) which have
no relation to your AS at all?
If yes: You're not the only one.
Yes after the 3rd report, from yet another source we got after I sent
the email, the joe-job got quite apparent.
The first report was rather short but could be understood as are report
about https://dashboard.myrdp.gg/login being a phishing site hosted by
one of our customers under the IP: 45.158.77.203
dashboard.myrdp.gg points to a cloudflare proxy. This would not be the
first time somebody sends a complaint to cloudflare, cloudflare
discloses the IP addresses in question. Phishing sites are often hosted
on multiple compromised sites. So that one ip in our network could be
involved, was plausible to me.
So I replied this IP is not in our network and they should check again
with Cloudflare and if an ip was in our network, tell us which one so we
could check with the affected customer.
On Tuesday we got 3 more report from another sender sent to different
abuse and NOC addresses regarding the same phishing site, not the full
URL anymore, but a more sensible list of affected IP addresses:
45.148.119.0/24
171.22.147.0/24
45.148.116.0/24
MyRDP.gg
up-network.ch
Four lines pointing to up-network.
So I guess this is some kind of campaign targeting up-network.
Mit freundlichen Grüssen
-Benoît Panizzon-
--
I m p r o W a r e A G - Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Schweiz Web http://www.imp.ch
______________________________________________________
4:15 p.m.
Hi Benoit,
Benoit Panizzon schrieb am Thu, Oct 27, 2022 at 10:45:31AM +0200:
Ok, we so far just got one such mail.
Let me guess:
You've got an abuse report to your abuse e-mail address
about some IP ranges and domains (including up-network.ch) which have
no relation to your AS at all?
If yes: You're not the only one.
Yes after the 3rd report, from yet another source we got after I sent
the email, the joe-job got quite apparent. The first report was rather short but could be
understood as are report
about https://dashboard.myrdp.gg/login being a phishing site hosted by
one of our customers under the IP: 45.158.77.203
Ok, so you actually have a relation to some of the mentioned assets?
We don't have any.
On Tuesday we got 3 more report from another sender
sent to different
abuse and NOC addresses regarding the same phishing site, not the full
URL anymore, but a more sensible list of affected IP addresses:
45.148.119.0/24
171.22.147.0/24
45.148.116.0/24
MyRDP.gg
up-network.ch
That list is actually the same that we got to our abuse address, too.
For reference, here's the relevant part of that weird mail as we received it:
| Date: Tue, 25 Oct 2022 14:59:36 +0200
| From: abuse(a)cognitive-cloud.com
| To: abuse@[…]
| Subject: Abuse report
| X-Mailer: mail (GNU Mailutils 3.7)
|
| Hello,
|
| We have detected that the AS: "AS203790 - Association UP-NETWORK" is
responsible for hosting a phishing campaign targeting French institutions and private
banks.
|
| We ask you to stop their service completely, an investigation is in progress
|
| 45.148.119.0/24
| 171.22.147.0/24
| 45.148.116.0/24
| MyRDP.gg
| up-network.ch
|
| You can check all the proof here :
| - https://ipinfo.io/AS203790
|
| =================
| 45.148.116.57 macartevitaleameli.fr
| 171.22.147.226 amelicartevitaleverif.com
| 171.22.147.40 assure-cartes.com
| =================
[Signature or at least what seems to be a signature stripped]
I assume that most of these mails looked like this one.
So I guess this is some kind of campaign targeting
up-network.
Yes, I interpret this as trying to convince other organisations to
block up-network.ch's IP ranges in their AS. Which is kinda weird.
First time I see such a request on the abuse address of an unrelated
organisation.
But it is difficult to say if this a helpless, but true request or an
hostile attack.
Asking to block 3x /24 just because of three phishing sites seems a
bit of an overzealous reaction to me, though. This is what blacklists
are for.
Regards, Axel
--
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | abe(a)deuxchevaux.org (Mail)
X See http://arc.pasp.de/ | abe(a)noone.org (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/ | https://axel.beckert.ch/
31 Oct
31 Oct
8:07 a.m.
New subject: [SUSPICIOUS MESSAGE] Phish: Re: Is AS203790 reading this list? (up-network.ch)
Hi Axel
On 27.10.22 16:15, Axel Beckert wrote:
I assume that most of these mails looked like this
one.
I can confirm that we got an email with the same content on our peering
and noc addresses last Friday night, but it was back dated to Tuesday,
so it got marked as spam pretty heavily.
Here's a snippet from the headers, I only redacted the mail server's IP,
in case they are an unrelated email server.
--------
Received: from unknown (HELO ZmoTAQamBxvqwGzx) ([REDACTED-IP])
by mx4.switch.ch with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Oct
2022 23:38:33 +0200
Received: by ZmoTAQamBxvqwGzx (Postfix, from userid 0)
id 5EC8FAA54A; Tue, 25 Oct 2022 19:39:33 +0200 (CEST)
From: <abuse(a)cognitive-cloud.com>
Subject: Abuse report
To: <noc(a)switch.ch>
X-Mailer: mail (GNU Mailutils 3.7)
Message-ID: <20221025173933.5EC8FAA54A@ZmoTAQamBxvqwGzx>
Date: Tue, 25 Oct 2022 19:39:33 +0200
Return-Path: abuse(a)cognitive-cloud.com
X-MS-Exchange-Organization-Network-Message-Id:
1bd4bc1c-d9e4-4c38-08bd-08dab92ce80c
Content-Type: text/plain
--------
If anything this kind of thing makes the senders seem even less trustworthy.
Best,
Joel
--
Joel Busch, Network
SWITCH
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 30, direct +41 44 268 16 58
https://switch.ch https://swit.ch/linkedin https://swit.ch/twitter
218
days inactive
224
days old
4 comments
4 participants
participants (4)
-
Axel Beckert -
Benoit Panizzon -
Benoît Panizzon
-
Joel Busch