Microsoft is hacking my Asterisk??? O_o

Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server from the Microsoft network. For example, 13.90.148.133, 20.55.203.249, 40.76.244.210... Traceroute really goes to MSN. More than half of all the usual attempts to hack my Asterisk that I got today came from MSN.

What is happening? Have I missed something?

Azure?

https://azure.microsoft.com/en-us/resources/knowledge-center/how-do-i-report-a-security-incident-or-abuse/

How do I report a security incident or abuse?

To report suspected security issues or abuse of Azure, please contact the cert.microsoft.com team, which is available 24/7.

I’ve seen that, a shared IP on Azure that hit my honeypot IP. Ended up being an Xbox authentication IP address one day.

Yo Max!

No, it’s not Microsoft. Welcome to the internet. It’s probably someone on Azure trying to find vulnerable systems. Have a look at some of the videos from Astricon explaining the pitfalls of VoIP fraud and security.

https://www.youtube.com/watch?v=9Wzzlo1kfTQ (disclaimer: that’s my talk)
https://www.youtube.com/watch?v=CCDqpJc2aXQ
https://www.youtube.com/watch?v=h5Fw70KzAls
https://www.youtube.com/watch?v=hLFz8mlmKIY

Ah, so then potentially spoofed, trying to get people to honeypot blacklist Xbox.

Yo Christian!

Sorry, why is this useless?

Because Azure never, ever, acts on my complaints. None of the large number I have sent.

From: NANOG <nanog-bounces+chkuhtz=microsoft.com@nanog.org> On Behalf Of Gary E. Miller
Sent: Tuesday, November 3, 2020 12:06 PM
To: Christian Kuhtz via NANOG <nanog@nanog.org>
Subject: [EXTERNAL] Re: Microsoft is hacking my Asterisk??? O_o

Yo Christian!

> To report suspected security issues or abuse of Azure, please contact the
> cert.microsoft.com<https://portal.msrc.microsoft.com/engage/cars> team,
> which is available 24/7.

Useless.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
  gem@rellim.com Tel:+1 541 382 8588

      Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin

We have seen 8.8.8.8 end up on some ban lists.

When I had honeypot blacklisting for my whole network, I ran across people spoofing the Google authoritative name servers.