NBG6617 - many TLS sessions to AWS
Paran0id
Posts: 6 
Freshman Member
Freshman Member
Is it normal for a NGB6617 router to have many (about 1 per second) TLS data transfer sessions to something in the AWS cloud?
I can understand it wanting to check firmware status, but this seems ridiculous and I'm wondering if it is hacked?
Thanks,
Paran0id
#Router_Oct_20180
Comments
-
What is the firmware version of your NGB6617?
Can you share how do you check this behavior?
Is possible to provide the steps and some screenshots?
Can you provide the system information? (Telnet/SSH to NGB6617, type "atsh" command to get.)
0 -
Well it seems it has been totally hacked by a rather sophisticated actor. I captured the traffic and used wireshark to analyze.First it does a whole load of dns to find e.root-servers.net, which doesn't exist (though root-server.net does), does the same for br-lan, also l.gtld-servers.net, eventually finds a dns service that tells it where addgadgets.com is.It does some http with addgadgets.com.Then it does reams and reams of dns with ICANN, which could possibly be botched ddns.Eventually it settles down to do its once-per-second TLS with 54.165.139.227.In the mean time, it does a plaintext ftp check for new firmware with ftp2.zyxel.com, which is perfectly reasonable.What is NOT reasonable, is that once-per-second TLS data transfer.I've ditched this router, replaced it with another - and lo! The suspicious encrypted traffic vanishes.I bought this router a few weeks ago, flashed it with the latest firmware.You have been warned!
0 -
@Paran0id,
In order to provide you with a better assistance, we have contacted you via private message.
Please kindly check your message box.0 -
@Zyxel_Steven: I PMed an offer of PCAP capture and the entire compromised router filesystem on October 26, but have not heard back.
0 -
Judging by the behaviour of the router I believe it to be a version of the most recent VPNfilter.
0 -
@Paran0id,
Please receive the private message in order to provide you the better service.0 -
Zyxel_Steven - I have replied.
0 -
Zyxel_Steven has kindly resolved what the issue is, AWS is used for https://mycloud.zyxel.com/ .Many thanks,Paran0id
1 -
The behavior is:
NBG6617 supports ZYXEL cloud feature (https://mycloud.zyxel.com/), we have to make sure that function works, so it would connect to server (That server is built in Amazon.) every 30 seconds.
0 -
Hello,
I get the same connection on the adress 54.165.139.227 (ec2-54-165-139-227.compute-1.amazonaws.com) with my NAS542.
but I also have another host disturbing :
I installed Darkstat and I see a connection with the host :193.253.155.25 .
between my NAS542 and this host there is a upload to the host of 5,682,517,256 bytes
how can that be?
0
Master Member
Zyxel Employee
Categories
- 6.8K All Categories
- 1.4K Nebula
- 29 Nebula Ideas
- 37 Nebula Status and Incidents
- 3.9K Security
- 200 Security Ideas
- 723 Switch
- 30 Switch Ideas
- 599 WirelessLAN
- 8 WLAN Ideas
- 4.5K Consumer Product
- 98 Service & License
- 214 New and Release
- 38 Security Advisories
- 512 FAQ
- 237 Nebula FAQ
- 117 Security FAQ
- 72 Switch FAQ
- Network Reliability
- Network Security
- IPTV
- Layer 3 Switching & Routing
- Surveillance / ONVIF
- Other Topics
- 65 WirelessLAN FAQ
- 5 Consumer Product FAQ
- Documents
- 30 Nebula Monthly Express
- 43 About Community
- 31 Security Highlight
Consumer Product Help Center
FAQ