Comments
-
Zyxel_Steven has kindly resolved what the issue is: AWS is used for https://mycloud.zyxel.com/. Many thanks, Paran0id
-
Zyxel_Steven - I have replied.
-
Judging by the behaviour of the router I believe it to be a version of the most recent VPNfilter.
-
@Zyxel_Steven: I PMed an offer of PCAP capture and the entire compromised router filesystem on October 26, but have not heard back.
-
Well, it seems it has been totally hacked by a rather sophisticated actor. I captured the traffic and used Wireshark to analyze it. First it does a whole load of DNS queries to find e.root-servers.net, which doesn't exist (though root-server.net does), does the same for br-lan and also l.gtld-servers.net, and eventually finds a DNS service…