Paran0id

Comments

Zyxel_Steven has kindly resolved what the issue is, AWS is used for https://mycloud.zyxel.com/ . Many thanks, Paran0id

in NBG6617 - many TLS sessions to AWS Comment by Paran0id November 2018
Zyxel_Steven - I have replied.

in NBG6617 - many TLS sessions to AWS Comment by Paran0id November 2018
Judging by the behaviour of the router I believe it to be a version of the most recent VPNfilter.

in NBG6617 - many TLS sessions to AWS Comment by Paran0id November 2018
@Zyxel_Steven: I PMed an offer of PCAP capture and the entire compromised router filesystem on October 26, but have not heard back.

in NBG6617 - many TLS sessions to AWS Comment by Paran0id November 2018
Well it seems it has been totally hacked by a rather sophisticated actor. I captured the traffic and used wireshark to analyze. First it does a whole load of dns to find e.root-servers.net, which doesn't exist (though root-server.net does), does the same for br-lan, also l.gtld-servers.net, eventually finds a dns service…

in NBG6617 - many TLS sessions to AWS Comment by Paran0id October 2018