
C2/Generic-A - UTM DNS attack

Hello,

For a few days we have been receiving disturbing mail notifications from our Sophos UTM. I hope you can help me to identify and maybe solve the problem. For security reasons, I replaced the public IP of our Sophos UTM.

The notification provides the following information:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2022-09-11 17:06:20
Traffic blocked: yes

Source IP address or host: [PUBLIC IP UTM]
System Uptime      : 86 days 0 hours 9 minutes
System Load        : 0.04
System Version     : Sophos UTM 9.711-5

Please refer to the manual for detailed instructions.

The send limit for this notification has been reached. No further notifications of this type will be sent during this period.

We do not receive all notifications because the maximum number of mail notifications has been reached. The logs show more blocked requests than notified:

2022:09:13-00:25:01 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36571 (blizzbauta.com): view default: rpz QNAME NXDOMAIN rewrite blizzbauta.com via blizzbauta.com
2022:09:13-00:34:41 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36596 (cysyonetim.com): view default: rpz QNAME NXDOMAIN rewrite cysyonetim.com via cysyonetim.com
2022:09:13-00:38:57 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36607 (garantitaksi.com): view default: rpz QNAME NXDOMAIN rewrite garantitaksi.com via garantitaksi.com
2022:09:13-01:13:02 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36695 (ngomavibe.co.ke): view default: rpz QNAME NXDOMAIN rewrite ngomavibe.co.ke via ngomavibe.co.ke
2022:09:13-01:13:25 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36696 (pep-egypt.com): view default: rpz QNAME NXDOMAIN rewrite pep-egypt.com via pep-egypt.com
2022:09:13-01:14:11 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36698 (martahzz.com): view default: rpz QNAME NXDOMAIN rewrite martahzz.com via martahzz.com
2022:09:13-01:15:21 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36701 (41d2eb06.info): view default: rpz QNAME NXDOMAIN rewrite 41d2eb06.info via 41d2eb06.info
2022:09:13-01:23:29 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36722 (ifollowya.com): view default: rpz QNAME NXDOMAIN rewrite ifollowya.com via ifollowya.com
2022:09:13-01:32:24 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36745 (sonrepkewa.com): view default: rpz QNAME NXDOMAIN rewrite sonrepkewa.com via sonrepkewa.com
2022:09:13-01:34:43 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36751 (nlpqflkbvkdde.eu): view default: rpz QNAME NXDOMAIN rewrite nlpqflkbvkdde.eu via nlpqflkbvkdde.eu
2022:09:13-01:35:06 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36752 (buscamapa3.top): view default: rpz QNAME NXDOMAIN rewrite buscamapa3.top via buscamapa3.top
2022:09:13-01:38:12 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36760 (evobank.co): view default: rpz QNAME NXDOMAIN rewrite evobank.co via evobank.co

Actions taken:

  • Complete DNS server scan with SophosScanAndClean.exe and Windows Defender => No detection of infection
  • Activation of DNS debug logs
  • WireShark installation and monitoring of network requests
  • Installation and activation of Sysmon

Actions still possible:

  • Full scan of all PCs
  • Apply the latest update of Sophos UTM

I did not find anything suspicious in Sysmon. On the other hand, in Wireshark and the DNS logs there are several suspicious requests, but I don't understand them well.

Here's what I found:

Here is my first understanding. A DNS request from 192.168.0.1 (Sophos UTM) is forwarded to the DNS server (.210), which cannot resolve it and sends the request to the secondary DNS server (Google). I don't know what to think about that... What is sure is that the site is listed as malicious on virustotal.com: VirusTotal scan for bucakservisciler.com

Why does Sophos UTM forward these DNS requests at all? Is it possible to use Sophos UTM as a DNS resolver? If so, is it possible to block it or to know the originating host of the request on the UTM?

Other screen capture:

I hope you can help me. Don't hesitate to ask me for more information.

I thank you in advance!
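As an added example that is not part of the original post, the following Python parses the BIND `named` RPZ rewrite lines quoted above and summarizes them per client and per queried domain. The sample lines are copied from the post; note that the `client` field is the UTM itself, which is why the notification reports the UTM's public IP as the source, and the originating LAN host has to be found in the internal DNS server's own query logs.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines copied from the post above (the UTM public IP is redacted there as well).
SAMPLE_LOG = """\
2022:09:13-00:25:01 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36571 (blizzbauta.com): view default: rpz QNAME NXDOMAIN rewrite blizzbauta.com via blizzbauta.com
2022:09:13-00:34:41 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36596 (cysyonetim.com): view default: rpz QNAME NXDOMAIN rewrite cysyonetim.com via cysyonetim.com
2022:09:13-01:15:21 vpn named[4639]: rpz: client [PUBLIC IP UTM]#36701 (41d2eb06.info): view default: rpz QNAME NXDOMAIN rewrite 41d2eb06.info via 41d2eb06.info
"""

# Field layout of a BIND RPZ rewrite message as it appears in the UTM log:
#   <timestamp> <host> named[<pid>]: rpz: client <ip>#<port> (<qname>): view <view>:
#   rpz <trigger> <policy> rewrite <qname> via <rule>
RPZ_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: rpz: "
    r"client (?P<client>.+?)#(?P<port>\d+) \((?P<qname>[^)]+)\): view (?P<view>\S+): "
    r"rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite (?P<rewritten>\S+) via (?P<rule>\S+)$"
)


def parse_rpz_line(line):
    """Return a dict of fields for one RPZ rewrite line, or None if the line is not one."""
    m = RPZ_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y:%m:%d-%H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def summarize(log_text):
    """Count rewrites per client and per queried domain and report the time span covered.
    The client is the resolver's direct peer: on a UTM that forwards for the LAN this is
    the UTM itself, so the originating host must be correlated in the internal DNS logs."""
    recs = [r for r in (parse_rpz_line(l) for l in log_text.splitlines()) if r]
    per_client = Counter(r["client"] for r in recs)
    per_domain = Counter(r["qname"] for r in recs)
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() if recs else 0.0
    return {"count": len(recs), "per_client": per_client,
            "per_domain": per_domain, "span_seconds": span}
```

Feed the full `named` log through `summarize` to see how many distinct domains were blocked and over what period, which is more than the rate-limited mail notifications show.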