Just a quick note, having discussed this with several of the ISPs impacted.

It appears that this is limited to the Calix A144 E/G models (we hope).

Hackers are both sending spam out, as well as performing auth attacks. The auth attacks make sense, since most ISPs are more tolerant of activities inside their own networks.

Of course, ISPs have been told to block port 25 on egress for almost 20 years, but some still do not do it. And of course, the spam attacks would not be too successful; many protections automatically stop it from hitting email servers (from validation to DUL range blocking).

MAIL FROM address: [jmqzav-<username>=<domain>@thegpgroup.net]
MAIL FROM address: [uuevoq-<username>=<domain>@4891hillvale.com]

Where username and domain are the RCPT TO address.
I think we all recognize the format of this threat actor and the tools they use, and a lot of bad email addresses as recipients.

The AUTH attacks are a little more complicated; it 'could' be that they are simply pass-through auth attacks from behind the same routers (Windows Auth Bot) that are coincidental, and there is some evidence to support that.

A reminder: if you are a Calix shop, looking at the egress logs will help you find some of these. And you will find the IP open to the public on port 8080.

If anyone on this list has decided to 'crack' open or tcpdump the inbound/outbound traffic of one of those routers, I'd love to have you share with the list what you found.

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
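The two detection ideas in the post, the recipient-encoded MAIL FROM pattern and the egress-log review for subscriber hosts talking to port 25 (plus CPE reachable from outside on port 8080), as an added Python example that is not part of the original message or any Calix or LinuxMagic tooling. The return-path pattern is inferred from the two samples above (`<token>-<username>=<domain>@<sender-domain>`, where `<username>@<domain>` is the RCPT TO); the token length is treated as unknown since only two samples exist, and the log line formats, IP ranges and timestamps are constructed for the example.

```python
import ipaddress
import re

# Return-path shape inferred from the two MAIL FROM samples in the post.
# Assumption: the leading token is an arbitrary alphanumeric string (only two
# samples are available, both six lowercase letters).
RETURN_PATH_RE = re.compile(
    r"^(?P<token>[a-z0-9]+)-(?P<user>[^=@]+)=(?P<domain>[^@]+)@(?P<sender>[^@]+)$",
    re.IGNORECASE,
)

# Constructed SMTP envelope log (not real traffic); field layout is an assumption.
SMTP_LOG_RE = re.compile(
    r"client=(?P<client>\S+) mail_from=<(?P<mail_from>[^>]*)> rcpt_to=<(?P<rcpt_to>[^>]*)>"
)
CONSTRUCTED_SMTP_LOG = """\
2024-01-01T10:00:01 client=203.0.113.10 mail_from=<jmqzav-alice=example.org@thegpgroup.net> rcpt_to=<alice@example.org>
2024-01-01T10:00:02 client=203.0.113.10 mail_from=<uuevoq-bob=example.net@4891hillvale.com> rcpt_to=<bob@example.net>
2024-01-01T10:00:03 client=203.0.113.11 mail_from=<newsletter@example.com> rcpt_to=<carol@example.org>
2024-01-01T10:00:04 client=203.0.113.12 mail_from=<bounce-123-dave=example.org@legit-esp.example> rcpt_to=<erin@example.org>
"""


def matches_recipient_encoded_return_path(mail_from: str, rcpt_to: str) -> bool:
    """True when MAIL FROM encodes the RCPT TO user and domain in the sample's shape."""
    mail_from = mail_from.strip("<>[] ")
    rcpt_to = rcpt_to.strip("<>[] ")
    m = RETURN_PATH_RE.match(mail_from)
    if not m or "@" not in rcpt_to:
        return False
    user, domain = rcpt_to.rsplit("@", 1)
    # Both halves must match: the hyphenated token alone is common in
    # legitimate VERP-style return paths, so the recipient cross-check matters.
    return (
        m.group("user").lower() == user.lower()
        and m.group("domain").lower() == domain.lower()
    )


def scan_smtp_log(lines):
    """Return (client, mail_from, rcpt_to) for envelopes matching the pattern."""
    hits = []
    for line in lines:
        m = SMTP_LOG_RE.search(line)
        if m and matches_recipient_encoded_return_path(m["mail_from"], m["rcpt_to"]):
            hits.append((m["client"], m["mail_from"], m["rcpt_to"]))
    return hits


# Constructed flow records (not real traffic); 100.64.0.0/10 stands in for a
# subscriber pool and 100.64.0.2 for the ISP's own relay.
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
CONSTRUCTED_FLOW_LOG = """\
src=100.64.1.23 dst=198.51.100.5 dport=25 proto=tcp
src=100.64.1.23 dst=198.51.100.77 dport=443 proto=tcp
src=100.64.1.40 dst=100.64.0.2 dport=25 proto=tcp
src=192.0.2.200 dst=100.64.1.23 dport=8080 proto=tcp
"""


def triage_egress_flows(flow_lines, subscriber_nets):
    """Flag subscriber hosts sending SMTP off-net and CPE reached from outside on 8080."""
    nets = [ipaddress.ip_network(n) for n in subscriber_nets]

    def in_nets(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    findings = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport == 25 and in_nets(src) and not in_nets(dst):
            findings.append(("outbound-smtp", src, dst))
        elif dport == 8080 and in_nets(dst) and not in_nets(src):
            findings.append(("inbound-8080", src, dst))
    return findings


if __name__ == "__main__":
    for hit in scan_smtp_log(CONSTRUCTED_SMTP_LOG.splitlines()):
        print("return-path pattern:", hit)
    for finding in triage_egress_flows(CONSTRUCTED_FLOW_LOG.splitlines(), ["100.64.0.0/10"]):
        print("flow:", finding)
```

The SMTP check flags only the two envelopes whose encoded recipient equals the RCPT TO; the VERP-like fourth line is left alone because the recipient does not match. On the flow side, SMTP from a subscriber address to the ISP's own relay is not reported, which is the behaviour an egress port 25 policy with an exception for the operator's relay would want to confirm.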