
C2/Generic-A - UTM DNS attack

Hello,

For a few days we have been receiving disturbing mail notifications from our Sophos UTM. I hope you can help me to identify and maybe solve the problem. For security reasons, I replaced the public IP of our Sophos UTM.

The notification provides the following information:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2022-09-11 17:06:20
Traffic blocked: yes

Source IP address or host: [PUBLIC IP UTM]
System Uptime      : 86 days 0 hours 9 minutes
System Load        : 0.04
System Version     : Sophos UTM 9.711-5

Please refer to the manual for detailed instructions.

The send limit for this notification has been reached. No further notifications of this type will be sent during this period.

We do not receive all notifications because the maximum number of mail notifications has been reached. The logs show more blocked requests than notified:

2022:09:13-00:25:01 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36571 (blizzbauta.com): view default: rpz QNAME NXDOMAIN rewrite blizzbauta.com via blizzbauta.com
2022:09:13-00:34:41 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36596 (cysyonetim.com): view default: rpz QNAME NXDOMAIN rewrite cysyonetim.com via cysyonetim.com
2022:09:13-00:38:57 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36607 (garantitaksi.com): view default: rpz QNAME NXDOMAIN rewrite garantitaksi.com via garantitaksi.com
2022:09:13-01:13:02 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36695 (ngomavibe.co.ke): view default: rpz QNAME NXDOMAIN rewrite ngomavibe.co.ke via ngomavibe.co.ke
2022:09:13-01:13:25 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36696 (pep-egypt.com): view default: rpz QNAME NXDOMAIN rewrite pep-egypt.com via pep-egypt.com
2022:09:13-01:14:11 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36698 (martahzz.com): view default: rpz QNAME NXDOMAIN rewrite martahzz.com via martahzz.com
2022:09:13-01:15:21 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36701 (41d2eb06.info): view default: rpz QNAME NXDOMAIN rewrite 41d2eb06.info via 41d2eb06.info
2022:09:13-01:23:29 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36722 (ifollowya.com): view default: rpz QNAME NXDOMAIN rewrite ifollowya.com via ifollowya.com
2022:09:13-01:32:24 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36745 (sonrepkewa.com): view default: rpz QNAME NXDOMAIN rewrite sonrepkewa.com via sonrepkewa.com
2022:09:13-01:34:43 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36751 (nlpqflkbvkdde.eu): view default: rpz QNAME NXDOMAIN rewrite nlpqflkbvkdde.eu via nlpqflkbvkdde.eu
2022:09:13-01:35:06 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36752 (buscamapa3.top): view default: rpz QNAME NXDOMAIN rewrite buscamapa3.top via buscamapa3.top
2022:09:13-01:38:12 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36760 (evobank.co): view default: rpz QNAME NXDOMAIN rewrite evobank.co via evobank.co

Actions taken:

  • Complete DNS server scan with SophosScanAndClean.exe and Windows Defender => No detection of infection
  • Activation of DNS debug logs
  • WireShark installation and monitoring of network requests
  • Installation and activation of Sysmon

Action still possible:

  • Full scan of all PCs
  • Apply the latest update of Sophos UTM

I did not find anything suspicious in Sysmon. On the other hand, in Wireshark and the DNS logs, there are several suspicious requests, but I don't understand them well.

Here's what I found:

Here is my first understanding. A DNS request from 192.168.0.1 (Sophos UTM) is forwarded to the DNS server (.210), which cannot resolve it and sends the request to the secondary DNS server (Google). I don't know what to think about that... What is sure is that the site is listed as malicious on virustotal.com: VirusTotal scan for bucakservisciler.com

Why does Sophos UTM forward these DNS requests at all? Is it possible to use Sophos UTM as a DNS resolver? If so, is it possible to block it, or to know the originating host of the request on the UTM?

Other screen capture:

I hope you can help me. Don't hesitate to ask me for more information.

I thank you in advance!
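The "rpz: client ... QNAME NXDOMAIN rewrite" lines above are BIND response-policy-zone log entries, and the "client" field is the source address from which the resolver received the query. The following added example (my own, not code from the post or from Sophos) parses lines in that format and aggregates them per source address and per blocked name, which is the first step towards answering the "originating host" question: an RFC 1918 source address names an internal host directly, while the UTM's own address means the query reached the UTM resolver via forwarding and the forwarding server's query log has to be consulted. The sample log is constructed; 198.51.100.10 stands in for the redacted [PUBLIC IP UTM] and 192.168.0.210 for the internal DNS server referred to as ".210" in the post.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample input modelled on the RPZ lines quoted in the post.
# 198.51.100.10 is a placeholder for the redacted UTM public IP,
# 192.168.0.210 a placeholder for the internal DNS server (".210").
# The last line is a plain query log line and must be ignored by the parser.
SAMPLE_LOG = """\
2022:09:13-00:25:01 vpn named[4639]: rpz: client 198.51.100.10#36571 (blizzbauta.com): view default: rpz QNAME NXDOMAIN rewrite blizzbauta.com via blizzbauta.com
2022:09:13-00:34:41 vpn named[4639]: rpz: client 198.51.100.10#36596 (cysyonetim.com): view default: rpz QNAME NXDOMAIN rewrite cysyonetim.com via cysyonetim.com
2022:09:13-01:13:02 vpn named[4639]: rpz: client 192.168.0.210#50123 (ngomavibe.co.ke): view default: rpz QNAME NXDOMAIN rewrite ngomavibe.co.ke via ngomavibe.co.ke
2022:09:13-01:14:11 vpn named[4639]: rpz: client 198.51.100.10#36698 (blizzbauta.com): view default: rpz QNAME NXDOMAIN rewrite blizzbauta.com via blizzbauta.com
2022:09:13-01:20:00 vpn named[4639]: client 192.168.0.210#50200: query: example.org IN A + (192.168.0.1)
"""

# Field layout of one RPZ rewrite line, as it appears in the post.
RPZ_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"rpz: client (?P<client>[^#\s]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view (?P<view>\S+): rpz (?P<trigger>\S+) (?P<action>\S+) "
    r"rewrite (?P<name>\S+) via (?P<rule>\S+)$"
)

# Explicit RFC 1918 check (Python's ip.is_private also counts documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_rpz_line(line):
    """Return a dict of fields for one RPZ rewrite line, or None for any other line."""
    m = RPZ_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%Y:%m:%d-%H:%M:%S")
    ev["port"] = int(ev["port"])
    ev["client_is_rfc1918"] = is_rfc1918(ev["client"])
    return ev


def parse_log(text):
    """Parse a whole log, keeping only the RPZ rewrite events."""
    return [ev for ev in (parse_rpz_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Aggregate hits per source address and per blocked name, with the time window."""
    times = [ev["time"] for ev in events]
    return {
        "total": len(events),
        "by_client": Counter(ev["client"] for ev in events),
        "by_qname": Counter(ev["qname"] for ev in events),
        "internal_clients": sorted({ev["client"] for ev in events if ev["client_is_rfc1918"]}),
        "non_private_clients": sorted({ev["client"] for ev in events if not ev["client_is_rfc1918"]}),
        "first": min(times) if times else None,
        "last": max(times) if times else None,
    }


def report(summary):
    """Render the summary as text, with a hint on where to look next for each address class."""
    lines = [f"{summary['total']} RPZ rewrites between {summary['first']} and {summary['last']}"]
    for client, n in summary["by_client"].most_common():
        lines.append(f"  client {client}: {n} hit(s)")
    for name, n in summary["by_qname"].most_common():
        lines.append(f"  blocked name {name}: {n} hit(s)")
    if summary["internal_clients"]:
        lines.append("  RFC 1918 sources name the internal host (or forwarding DNS server) directly")
    if summary["non_private_clients"]:
        lines.append("  non-RFC 1918 sources did not come straight from an internal host; if the "
                     "address is the UTM's own, check the forwarding DNS server's query log for the origin")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_log(SAMPLE_LOG))))
```

Run it over the UTM's DNS log (Logging & Reporting, or the exported file) after enabling the internal DNS server's query logging as well; correlating the timestamps of the RPZ hits with the internal server's query log entries for the same names is what reveals the workstation behind a forwarded query.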



  • Bonjour,

    If you configure your internal DNS server to forward DNS requests it cannot resolve on its own to a public server like Google DNS, then this observation of DNS requests you have is completely normal. Then you would need to configure the UTM firewall to further allow DNS requests. I think this is what you have at the moment.

    For "Sophos UTM: Best practices for DNS configuration", you should have a look here: https://support.sophos.com/support/s/article/KB-000034974?language=en_US

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    First of all, thank you for your help.

    I totally agree, and this is indeed what is configured and desired. What I don't understand is that this request is from the Sophos UTM, and I'm sure that it was not made by an employee. Moreover, with Wireshark, I have found in the past several spam and suspicious DNS requests with the UTM as source.

    Thanks, I have already gone through the DNS best practices.

    If you allow DNS requests from your internal clients to the UTM, you will have some events like these. Avoid letting your clients use any DNS servers other than your internal DNS servers.

    BTW: can you "Verify the first Answer"?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
