I have four Ring security cams.
Just recently the stick-up cam has begun trying to reach a DNS server in Austria. According to my firewall security, the server in question poses a C2/Generic-A security threat.
This has just started happening within the last week.
ulogd: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth1" threatname="C2/Generic-A" srcmac="xx:xx:xx:xx:48:72" dstmac="00:13:3b:11:25:19" srcip="192.168.5.160" dstip="220.127.116.11" proto="17" length="60" tos="0x00" prec="0x00" ttl="255" srcport="32091" dstport="53"
The registered name for the server is "Silent Ghost", which is rather ominous-sounding.
I performed a factory reset on the device and assigned it a different IP address but the problem is now being flagged on the new address. None of my other cameras are doing this. (Nor any of my other devices or computers.)
You can find out more about this threat at https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Has anyone had a similar experience?
Thankfully my firewall blocks this behavior but I’m concerned that the ring cam firmware may be compromised.
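As an added example (not code from the original post, Ring or Sophos), here is the check a firewall admin would run over ulogd lines like the one above: parse the key="value" fields and flag any LAN host sending UDP/53 to a resolver that DHCP never handed out. The sample log lines, the LAN resolver 192.168.5.1 and the documentation-range destination addresses are all constructed.

```python
"""Detect LAN hosts sending DNS (UDP/53) to resolvers that DHCP never handed out.

Added example for this thread, not Ring's or Sophos's code. The log format
follows the ulogd key="value" line quoted in the post; the sample lines and
addresses below are constructed (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict

# key="value" pairs as written by ulogd / Sophos UTM packet-filter logging
_KV = re.compile(r'(\w+)="([^"]*)"')

# Resolvers that DHCP actually hands out on this LAN (constructed assumption).
ALLOWED_RESOLVERS = {"192.168.5.1"}

# Constructed log lines in the format of the post; IPs are documentation addresses.
SAMPLE_LOG = """\
ulogd: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth1" threatname="C2/Generic-A" srcip="192.168.5.160" dstip="203.0.113.10" proto="17" srcport="32091" dstport="53"
ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" initf="eth1" srcip="192.168.5.160" dstip="192.168.5.1" proto="17" srcport="40001" dstport="53"
ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" initf="eth1" srcip="192.168.5.160" dstip="198.51.100.7" proto="17" srcport="40002" dstport="53"
ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" initf="eth1" srcip="192.168.5.22" dstip="203.0.113.10" proto="6" srcport="51000" dstport="443"
"""


def parse_ulogd(line):
    """Turn one ulogd line into a dict of its key/value fields."""
    return dict(_KV.findall(line))


def is_rogue_dns(fields, allowed=ALLOWED_RESOLVERS):
    """True for UDP/53 traffic to a destination outside the allowed resolver set.

    The accepted packet to 198.51.100.7 in the sample never raises an ATP alert,
    which is why matching on protocol and port catches more than matching on
    the threatname field alone.
    """
    return (fields.get("proto") == "17"
            and fields.get("dstport") == "53"
            and fields.get("dstip") not in allowed)


def rogue_dns_by_host(log_text, allowed=ALLOWED_RESOLVERS):
    """Map each LAN source IP to the sorted list of unexpected resolvers it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_ulogd(line)
        if fields and is_rogue_dns(fields, allowed):
            hits[fields["srcip"]].add(fields["dstip"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for host, resolvers in rogue_dns_by_host(SAMPLE_LOG).items():
        print(f"{host} sent DNS to unexpected resolvers: {', '.join(resolvers)}")
```

Run against a real export, the interesting output is the second line of the sample: a query to a resolver the firewall accepted without any threat match, which a rule keyed only on the ATP alert would never show.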
Hi @jerseyguy. Thanks for sharing this information. I suggest reaching out to our support team so our Neighbor Solution Experts can take a look and determine what this is. Please give our support team a call at one of the numbers available here. We're taking additional steps to protect our team and help reduce the spread of COVID-19, so this has resulted in longer than normal wait times. If you are outside of the US, please read our response to COVID-19 here to see how to contact support.
Hi - I'm getting the same alarm from our Sophos firewall.
At the moment this affects 2 cameras out of 8.
Firewall blocked the connection to this 18.104.22.168
Any hints or similar experience?
Found out that this address above is an OpenNIC Tier 2 DNS resolver.
But when following https://servers.opennic.org/ the above mentioned IP is not listed.
So the question is still valid…
I’m seeing the same thing from 2 separate cameras. It seems to happen once a week or so
I am also getting the same reports from our Sophos firewall that our new stick up cam is trying to reach out to a suspect IP address 22.214.171.124.
I'm thankful to see that I'm not alone here. Not getting much traction out of Ring. At this point I'm ready to junk the camera and switch to an NVR solution. How can they hope to "sell" us on security when they can't explain these network anomalies? I'd be happy to be wrong here if someone can explain this network behavior to me.
Thank you for the continued feedback on your experiences, neighbors. I suggest reaching out to our support team so that our Neighbor Solution Experts can help, or escalate you further to our safety and security team for review.
Please give our support team a call at one of the numbers available here. We're taking additional steps to protect our team and help reduce the spread of COVID-19, so this has resulted in longer than normal wait times. If you are outside of the US, please read our response to COVID-19 here to see how to contact support.
I have spoken at length to your support team with no resolution. I don’t know whether they escalated to your security team for a review but the response I received did not allay my concerns. The fact that others have observed the same behavior should sound alarm bells at Ring (seriously, no pun intended). I’d be willing to accept a perfectly reasonable/plausible explanation. To date I have not received one. I have now disconnected the stickup camera from my network entirely. There’s a lot of malware out there and IOT devices are notoriously vulnerable so when I see something like this I have to be safe rather than sorry.
Please email your concerns to firstname.lastname@example.org and let's raise the priority of this.
I logged this directly with the Ring security team over 2 months ago and provided firewall, DHCP etc. logs for them to review. They came back with a response yesterday and it feels wrong/not addressing the issue. They claim that Sophos is wrong in flagging this IP as suspect, and say that the camera only uses the DNS service provided by the DHCP server. That is obviously incorrect, as the alert Sophos is detecting is an outbound port 53 (DNS) request to this suspect IP address, and my DHCP server did not tell the camera to use this DNS server IP address.
I have asked them to explain this in response to last reply below.
"Ring values the trust our neighbors place in us, and we take our customers' security seriously. As we continually work to make our devices and services more useful and secure for our users, we are actively developing new security features and capabilities.
I understand you have flagged a concern where you believe our Ring devices were contacting malicious servers. After our assessment, it was determined that the destination IP address was not considered malicious. It seems to have been flagged by Sophos from activity from almost half a year ago and is currently being utilized by a benign hosting provider. Additionally, any Ring devices would take the DNS server the local network gives them, so DNS requests aren't something that we have control over.
We strive to provide our neighbors with the ability to control your security within the Ring app. For greater control of your account, you will find added features within the "Control Center" of the app.
Thank you for raising your inquiry. If you have any additional questions we are happy to review."
P.S. I’m still getting the security alerts.
126.96.36.199 address research:
A Whois lookup identifies that the address is registered in Austria to a person who trades as Silent Ghost e.u.
The website for Silent Ghost is https://as204136.net/; if you look you will see that it's not exactly a mainstream-style website.
Further research following the email domains in the Whois lookup reveals this page https://fuslvz.ws/.
Hmm. Again, why is a Ring camera trying to contact this address? It is not a DNS address that my DHCP service asked the camera to use.
Landed on this community post with exactly the same firewall warning.
Would be very interested in the technical explanation from Ring.
As a follow-up I have now also contacted email@example.com:
Over the past weeks, I received multiple advanced threat protection warnings from my firewall about blocked outgoing dns request attempts from my stick up cam.
Please refer to community topic Ring Device accessing a DNS server in Austria designated as a C&C risk
Other people are experiencing the same issue.
Can you please investigate again any possible reason why this camera tries to perform DNS lookups towards this malicious-flagged public DNS server, instead of just relying on the trusted internal DNS server on my LAN?
Best case: this is some fallback in the Ring software in case a home user screws up big time, which would allow the Ring camera to call home anyway based on this direct public DNS request. This should then be dismissed from the moment the device has been registered correctly.
Worst case: Ring is facing a possible security issue with some malicious code trying to resolve a C&C (command & control) server. I am pretty sure threat actors would be more than interested in taking over control of a big number of Ring cameras to launch distributed DoS attacks against their targets.
Update on my experience of this:
So Ring support eventually sent me out a replacement stick-up camera and the exact same behaviour was seen. This time I was ready and had packet capture running on the firewall. What I am seeing is that the stick-up camera is, as thought, not restricting itself to only using the DNS server that the network DHCP settings specify. I am seeing the camera run DNS queries to at least 7 different DNS servers in addition to my 1 internal one. The camera seems to send the same DNS requests to each server, looping through them and then moving on to the next server. The DNS server addresses I'm seeing being used include:
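The fan-out pattern described in the post above (one host sending the same DNS question to several resolvers in turn) is something you can confirm mechanically from a capture. The following is an added example, not code from the poster, Ring or Sophos: it decodes the question section of raw DNS query payloads and reports, per host and query name, which resolvers outside the DHCP-assigned one were tried. The packets, the hosts, the DHCP resolver 192.168.5.1 and the documentation-range resolver addresses are all constructed.

```python
"""Spot a host fanning the same DNS query out to several resolvers.

Added example for this thread (not Ring's, Sophos's or the poster's code).
It parses the question section of raw DNS query payloads, as you would get
from a packet capture, and reports which resolvers each host sent the same
name to. The packets, hosts and resolver addresses below are constructed
(RFC 5737 documentation ranges); the DHCP-assigned resolver is an assumption.
"""
import struct
from collections import defaultdict

DHCP_RESOLVERS = {"192.168.5.1"}  # constructed: what DHCP actually hands out


def build_query(qname, txid=0x1234):
    """Encode a minimal DNS A query (used only to construct sample packets)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(part)]) + part.encode()
                      for part in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_query(payload):
    """Return (txid, qname) from a DNS query payload; None if it is not a query."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:     # QR bit set means this is a response
        return None
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:                      # compression pointer: not valid in a query name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return txid, ".".join(labels)


# Constructed capture: (seconds, src, dst, UDP payload). One camera sends the
# same name to three resolvers in turn; a laptop asks only the DHCP resolver.
CAPTURE = [
    (0.00, "192.168.5.160", "192.168.5.1",  build_query("example.com")),
    (0.05, "192.168.5.160", "203.0.113.10", build_query("example.com")),
    (0.10, "192.168.5.160", "198.51.100.7", build_query("example.com")),
    (1.00, "192.168.5.22",  "192.168.5.1",  build_query("example.net")),
]


def dns_fanout(capture, dhcp=DHCP_RESOLVERS):
    """For each (src, qname) that reached more than one resolver, list the
    resolvers not handed out by DHCP, in the order the host tried them."""
    seen = defaultdict(list)
    for _, src, dst, payload in sorted(capture, key=lambda r: r[0]):
        parsed = parse_query(payload)
        if parsed is None:
            continue
        key = (src, parsed[1])
        if dst not in seen[key]:
            seen[key].append(dst)
    return {k: [d for d in dsts if d not in dhcp]
            for k, dsts in seen.items() if len(dsts) > 1}


if __name__ == "__main__":
    for (src, qname), extra in dns_fanout(CAPTURE).items():
        print(f"{src} queried {qname} via {len(extra)} non-DHCP resolver(s): {extra}")
```

Keeping the resolvers in the order they were first tried is deliberate: it reproduces the "looping through them" sequence the poster saw, which is more telling than a plain count when arguing the point with a vendor.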
Please un-mark this as a solution. We are all speaking to support and no solution has been found that route.
Confirmed today our Sophos UTM blocked outbound attempts from 2 Ring devices on our wifi network to send DNS traffic to 188.8.131.52. Maybe it's time to junk these Ring devices and move on.
I think we finally got to a real solution after months of Ring telling me there was no issue their end:
After further research, we have found no malicious activity in regards to your Ring account or devices. Ring has updated our camera firmware to no longer include the use of these IP addresses. Additionally, we would like to reiterate that we have determined that the destination IP address was not considered malicious at the time of access.
Ring did not act in a helpful manner on this topic. From the start they denied anything was wrong, sent back boilerplate excuses and blamed me for having issues at my end, but I stuck with it. Providing them with the packet trace data seemed to have been the proof they could no longer ignore. Bad form on Ring's part for how this was handled overall, though.