Hi everyone, looks like I have a similar situation to a few people.
NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?
Googling has given me no ideas. Any ideas anyone?
I am having the same issue. It seems to be attempting to reach the domain <random>.app.anmorencai.com
Some information I have found:
Parent server gave glue for app.anmorencai.com to be app.anmorencai.com.qingcdn.com but we resolve that hostname to 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
Local NS list does not match Parent NS list
126.96.36.199 was reported by the parent, but not locally
188.8.131.52 was reported by the parent, but not locally
184.108.40.206 was reported locally, but not by the parent
Though I am unsure what the Origin AFCd is?
Is this a massive DNS cache poisoning attempt by the Chinese military?
Cheers - Bob
Well I would guess that it is more likely to be the Chinese mafia/criminal organisations. Though by seeing the number of different IPs trying to hit my DNS it seems like a large botnet farm.
I did see the reply BSRIA got from Sophos Support, and advice about blocking the source IPs. Well, 80,000 unique hits so far; I would have just blocked the whole country, but we have clients in China so that is not really an option. I don't have any interns at the moment either that I could put on to this thankless task of blocking each IP address.
Open to any suggestions on this one, though thankfully I did turn off email notification of these events after the first 2000-odd emails...