Hi,
the SOPHOS UTM Firewall of one of our Clients sporadically reports an ATP-Threat (Botnet/command-and-control traffic) that has been blocked. The "infected" Hosts are always the two Domain Controllers / DNS Servers within the network.
| User/Host | Threat Name | Destination | Events | Origin | |
| 1 | 172.16.130.11 | C2/Generic-A | 185.220.100.244 | 1 | AFCd |
AV-Scan of the Servers has always been clean. Most likely not the DNS Servers itself are to be infected, but some client requesting melicious domains.
To get down to the infected client we activated Windows DNS Server analytical logs, so that we can track down the DNS Querys that get blocked, which has worked out so far. The following are the relevant log entries of one of the DNS Servers:
QUERY_RECEIVED: TCP=0; InterfaceIP=172.16.130.11; Source=172.16.130.1; RD=1; QNAME=tor-exit-5.zbau.f3netze.de.; QTYPE=1; XID=52214; Port=48389; Flags=256
RECURSE_QUERY_TIMEOUT: TCP=0; InterfaceIP=0.0.0.0; Destination=1.1.1.1; QNAME=tor-exit-5.zbau.f3netze.de.; QTYPE=1; QXID=29252; XID=55562; Port=0; Flags=256; RecursionScope=.; CacheScope=Default; AdditionalInfo = VirtualizationInstance: .;
Finding 1: Some Client (172.16.130.1) requests a Tor exit node.
Finding 2: Guess which client this IP 172.16.130.1 is? The SOPHOS UTM itself.
My guess was, that some Client in a different subnet (Guest Network / IoT Network) uses the SOPHOS XG as DNS Resolver, which forwards the DNS Requests to the internal Domain Servers. So we reconfigured the Network.
IoT Network now directly uses the Windows DNS Servers (Firewall Rule IoT -> DNS Server : DNS : allow added)
--> If the requests come from IoT Network we should be able to see the IP-Address of the client within the Windows DNS Server logs
Guest Network now uses 1.1.1.1 / 9.9.9.9 DNS Servers (Firewall Rule Guest -> 1.1.1.1/9.9.9.9 : DNS : allow added)
--> SOPHOS Should block the DNS Requests now directly, showing the "infected" client.
My Hope was, that we would be able now, to track down the actual client. And in the meantime we actually found an Employee who uses Tor-Browser on his iPhone (using this exact Exit Node). We found this, because for some reason he was using the internal WiFi... (As a consequence we activated a MAC-Filter on internal WIFi and instructed the CEO of the client to not use the internal Wifi for employee Phones)
We first thought that this would be the "End of the story" but today I got another ATP notification (see table above). And again its the Windows DNS Servers forwarding this DNS Request from SOPHOS UTM Firewall.
Does Someone have an Idea what we could do to get rid of these ATP Notifications and actually track down what is causing them? AFAIK the SOPHOS UTM should not be used as DNS Forwarder from any device anymore... But we can't be sure.
Here are some Questions that I don't have an answer to:
- Why does SOPHOS UTM forward these DNS Requests at all? Shouldn't they be dropped in the first place showing the actual client?
- Is it possible to log all DNS Requests within SOPHOS UTM Firewall, so that we could check these logs as well?
Thank you very much for your help!
This thread was automatically locked due to age.
