NBG6617 - many TLS sessions to AWS

Paran0id
Paran0id Posts: 6  Freshman Member
edited October 2018 in Home Router
Is it normal for a NGB6617 router to have many (about 1 per second) TLS data transfer sessions to something in the AWS cloud?
I can understand it wanting to check firmware status, but this seems ridiculous and I'm wondering if it is hacked?

Thanks,
Paran0id
#Router_Oct_2018
«13

Comments

  • Hill
    Hill Posts: 156  Master Member
    First Anniversary First Comment
    edited October 2018
    What is the firmware version of your NGB6617?

    Can you share how do you check this behavior?
    Is possible to provide the steps and some screenshots?

    Can you provide the system information? (Telnet/SSH to NGB6617, type "atsh" command to get.)

  • Paran0id
    Paran0id Posts: 6  Freshman Member
    Well it seems it has been totally hacked by a rather sophisticated actor. I captured the traffic and used wireshark to analyze.
    First it does a whole load of dns to find e.root-servers.net, which doesn't exist (though root-server.net does), does the same for br-lan, also l.gtld-servers.net, eventually finds a dns service that tells it where addgadgets.com is.
    It does some http with addgadgets.com.
    Then it does reams and reams of dns with ICANN, which could possibly be botched ddns.
    Eventually it settles down to do its once-per-second TLS with 54.165.139.227.
    In the mean time, it does a plaintext ftp check for new firmware with ftp2.zyxel.com, which is perfectly reasonable.

    What is NOT reasonable, is that once-per-second TLS data transfer.

    I've ditched this router, replaced it with another - and lo! The suspicious encrypted traffic vanishes.

    I bought this router a few weeks ago, flashed it with the latest firmware.

    You have been warned!



  • Zyxel_Steven
    Zyxel_Steven Posts: 246  Zyxel Employee
    @Paran0id,
    In order to provide you with a better assistance, we have contacted you via private message.
    Please kindly check your message box.
  • Paran0id
    Paran0id Posts: 6  Freshman Member
    @Zyxel_Steven: I PMed an offer of PCAP capture and the entire compromised router filesystem on October 26, but have not heard back.
  • Paran0id
    Paran0id Posts: 6  Freshman Member
    Judging by the behaviour of the router I believe it to be a version of the most recent VPNfilter.
  • Zyxel_Steven
    Zyxel_Steven Posts: 246  Zyxel Employee
    edited November 2018
    @Paran0id,
    Please receive the private message in order to provide you the better service.
  • Paran0id
    Paran0id Posts: 6  Freshman Member
    Zyxel_Steven - I have replied.
  • Paran0id
    Paran0id Posts: 6  Freshman Member
    Zyxel_Steven has kindly resolved what the issue is, AWS is used for https://mycloud.zyxel.com/ .

    Many thanks,

    Paran0id


  • Zyxel_Steven
    Zyxel_Steven Posts: 246  Zyxel Employee
    edited November 2018
    The behavior is:
    NBG6617 supports ZYXEL cloud feature (https://mycloud.zyxel.com/), we have to make sure that function works, so it would connect to server (That server is built in Amazon.) every 30 seconds.
  • sitro
    sitro Posts: 36  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Hello,
    I get the same connection on the adress 54.165.139.227 (ec2-54-165-139-227.compute-1.amazonaws.com) with my NAS542. 

    but I also have another host disturbing :
    I installed Darkstat and I see a connection with the host  :193.253.155.25 .
    between my NAS542 and this host there is a upload to the host of 5,682,517,256 bytes
    how can that be?

Consumer Product Help Center