In a shocking development, The Master Needler – 220.127.116.11 has been taken offline. The death blow was as simple as notifying Quasi Networks' upstream/transit providers, shown in the BGP peer map below.
Once their upstream/transit providers were Cc'd on the email, the floodgates opened and the following response was received:
We are a network operator with thousands of customers which are using services from many of our resellers.
Please don't expect we will reply at our abuse desk to each individual email, this is impossible. If you email us and don't get a response, this doesn't mean your case isn't handled.
All emails sent with CC messages to other addresses are treated as SPAM. Because you should ONLY email the correct abuse address and not waste other departments' time.
You should only email our abuse address and not CC to operations and much more email addresses blabla.
So email email@example.com in the future and remove all the bullshit and CC’s. It is also mentioned in the whois of the ip. Operations and gov.request are not mentioned for normal abuse.
noc CC operations @ gov.request @ etc etc. are all unnecessary. Because of all the CC’s your messages will end in our spambox in the abuse ticket system. Serious complaints are sent to the abuse address and nothing else. And they will be handled seriously.
This IP belongs to us, don't see what the IP broker (novogara) has to do with this.
And identify your organisation please in the future, in the meanwhile we will pass through your message to our abuse department.
This in turn triggered an actual human response from firstname.lastname@example.org:
Please remove us from this mailing-list, this is not a customer of ours. We received his request earlier at our support department and we called Charles at QN, they were already working on a fix with authorities and could not immediately filter the traffic.
Have a nice Friday.
However, the RDP attacks continued, so I sent another follow-up and was told:
Our abuse team is still on this customer with authorities, it is part of a larger case.
Please ban the IP temporarily in your system (till Thursday if possible). Thank you for understanding.
So I patiently waited until Thursday, June 15 and confirmed the attacks from 18.104.22.168 stopped at 3:42 PM local time.
Is this the last example of cybercriminal activity on Quasi Networks that we’ll see? History says, probably not.
Here is more information regarding Quasi Networks' troubled past, courtesy of an article posted on Cisco's blog last year:
Ecatel is a Dutch hosting provider founded in 2005, registered in the UK, and headquartered in The Hague. It offers offshore hosting options and, over the last decade, has consistently hosted criminal and toxic content, and generated spam and DDoS traffic from its IP space.
In December of 2015, Ecatel changed their network name, and since then, AS29073 is officially called Quasi Networks. More interestingly, Ecatel / Quasi Networks changed its registration from the Netherlands to the Seychelles, which is an offshore jurisdiction. This is a common evasive practice used by unscrupulous hosting providers that we've observed for several years.
In April of 2016, Ecatel rebranded yet again, and is now known as Novogara BV. In fact, Ecatel is still selling the same products on 4 different live websites: ecatel.net, ecatel.co.uk, ecatel.info and novogara.com.