Ring Device accessing a DNS server in Austria designated as a C&C risk

I have four Ring security cams.
Just recently the stick-up cam has begun trying to reach a DNS server in Austria. According to my firewall security, the server in question poses a C2/Generic-A security threat.
This has just started happening within the last week.
ulogd[20523]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth1" threatname="C2/Generic-A" srcmac="xx:xx:xx:xx:48:72" dstmac="00:13:3b:11:25:19" srcip="192.168.5.160" dstip="185.121.177.177" proto="17" length="60" tos="0x00" prec="0x00" ttl="255" srcport="32091" dstport="53"
The registered name for the server is "Silent Ghost", which is rather ominous-sounding.
I performed a factory reset on the device and assigned it a different IP address but the problem is now being flagged on the new address. None of my other cameras are doing this. (Nor any of my other devices or computers.)
You can find out more about this threat at https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Has anyone had a similar experience?
Thankfully my firewall blocks this behavior but I’m concerned that the ring cam firmware may be compromised.

Hi @jerseyguy. Thanks for sharing this information. I suggest reaching out to our support team so our Neighbor Solution Experts can take a look and determine what this is. Please give our support team a call at one of the numbers available here. We're taking additional steps to protect our team and help reduce the spread of COVID-19, so this has resulted in longer than normal wait times. If you are outside of the US, please read our response to COVID-19 here to see how to contact support.

Hi - I’m getting the same alarm from our sophos firewall.
At the moment this affects 2 cameras out of 8.
Firewall blocked the connection to this 185.121.177.177

Any hints or similar experience?

[Update:]
Found out, that this address above is an OpenNic Tier 2 DNS Resolver.
https://wiki.opennic.org/

But when following https://servers.opennic.org/ the above mentioned IP is not listed.

So the question is still valid…

I'm seeing the same thing from 2 separate cameras. It seems to happen once a week or so.

I am also getting the same reports from our Sophos firewall that our new stick up cam is trying to reach out to a suspect IP address 185.121.177.177.

I'm thankful to see that I'm not alone here. Not getting much traction out of Ring. At this point I'm ready to junk the camera and switch to an NVR solution. How can they hope to "sell" us on security when they can't explain these network anomalies? I'd be happy to be wrong here if someone can explain this network behavior to me.

Thank you for the continued feedback on your experiences, neighbors. I suggest reaching out to our support team so that our Neighbor Solution Experts can help, or escalate you further to our safety and security team for review.

Please give our support team a call at one of the numbers available here. We're taking additional steps to protect our team and help reduce the spread of COVID-19, so this has resulted in longer than normal wait times. If you are outside of the US, please read our response to COVID-19 here to see how to contact support.

I have spoken at length to your support team with no resolution. I don’t know whether they escalated to your security team for a review but the response I received did not allay my concerns. The fact that others have observed the same behavior should sound alarm bells at Ring (seriously, no pun intended). I’d be willing to accept a perfectly reasonable/plausible explanation. To date I have not received one. I have now disconnected the stickup camera from my network entirely. There’s a lot of malware out there and IOT devices are notoriously vulnerable so when I see something like this I have to be safe rather than sorry.

Hi @jerseyguy @RobRose @Jamman960

Please email your concerns to security@ring.com and let's raise the priority of this.

I logged this directly with the Ring security team, over 2 months ago, and provided firewall, DHCP etc. logs for them to review. They came back with a response yesterday and it feels wrong/not addressing the issue. They claim that Sophos is wrong in flagging this IP as suspect, and say that the camera only uses the DNS service provided by the DHCP server. That is obviously incorrect, as the alert Sophos is detecting is an outbound port 53 (DNS) request to this suspect IP address, and my DHCP server did not tell the camera to use this DNS server IP address.

I have asked them to explain this in response to their last reply, quoted below.

"Ring values the trust our neighbors place in us, and we take our customers security seriously. As we continually work to make our devices and services more useful and secure for our users, we are actively developing new security features and capabilities.

I understand you have flagged a concern where you believe our Ring devices were contacting malicious servers. After our assessment, it was determined that the destination IP address was not considered malicious. It seems to have been flagged by Sophos from activity from almost a half a year ago and is currently being utilized by a benign hosting provider. Additionally, any Ring devices would take the DNS server the local network gives them, so DNS requests aren’t something that we have control over.

We strive to provide our neighbors with the ability to control your security within the Ring app. For greater control of your account, you will find added features within the “Control Center” of the app.

Thank you for raising your inquiry up, if you have any additional questions we are happy to review."

P.S. I’m still getting the security alerts.
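The two observations in this thread (the ulogd/Sophos ATP record in the first post, and the point above that the camera's port-53 traffic goes to an address the DHCP server never handed out) can be checked mechanically rather than by eye. The following is an added example, not code from Ring or from Sophos: it parses the `key="value"` format of the quoted ulogd line and reports any DNS request whose destination is not one of the resolvers your DHCP server actually assigns. The sample log lines are constructed for the example (the first mirrors the record quoted in the thread; the others are made up), and the allowed-resolver list `192.168.5.1` is an assumption you would replace with your own DHCP configuration.

```python
import re
from ipaddress import ip_address

# Constructed sample records modelled on the ulogd/Sophos ATP line quoted in the thread.
# Line 1: the dropped DNS query to 185.121.177.177 (proto 17 = UDP, dstport 53).
# Line 2: a normal DNS query from the same camera to the LAN resolver (assumed 192.168.5.1).
# Line 3: ordinary HTTPS traffic from another device, which the check must ignore.
SAMPLE_LOG = """\
ulogd[20523]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth1" threatname="C2/Generic-A" srcmac="xx:xx:xx:xx:48:72" dstmac="00:13:3b:11:25:19" srcip="192.168.5.160" dstip="185.121.177.177" proto="17" length="60" tos="0x00" prec="0x00" ttl="255" srcport="32091" dstport="53"
ulogd[20523]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcmac="xx:xx:xx:xx:48:72" dstmac="00:13:3b:11:25:19" srcip="192.168.5.160" dstip="192.168.5.1" proto="17" length="70" tos="0x00" prec="0x00" ttl="255" srcport="40001" dstport="53"
ulogd[20523]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcmac="xx:xx:xx:xx:48:73" dstmac="00:13:3b:11:25:19" srcip="192.168.5.161" dstip="203.0.113.10" proto="6" length="60" tos="0x00" prec="0x00" ttl="255" srcport="50123" dstport="443"
"""

# Resolver(s) your DHCP server hands out; assumption for this example.
DHCP_RESOLVERS = ["192.168.5.1"]

# ulogd writes space-separated key="value" pairs; this captures each pair.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Return the key/value fields of one ulogd record as a dict ({} for non-matching lines)."""
    return dict(KV_RE.findall(line))


def find_rogue_dns(log_text, dhcp_resolvers):
    """List DNS requests (UDP/TCP port 53) whose destination is not a DHCP-assigned resolver.

    Whether or not a threat feed labels the destination, a LAN device that queries a
    resolver it was never given is behaviour worth investigating.
    """
    allowed = {ip_address(a) for a in dhcp_resolvers}
    findings = []
    for line in log_text.splitlines():
        rec = parse_ulogd(line)
        if not rec:
            continue
        # proto 17 = UDP, proto 6 = TCP; DNS can use either.
        if rec.get("proto") not in ("17", "6") or rec.get("dstport") != "53":
            continue
        try:
            dst = ip_address(rec["dstip"])
        except (KeyError, ValueError):
            continue
        if dst in allowed:
            continue
        findings.append({
            "srcip": rec.get("srcip"),
            "srcmac": rec.get("srcmac"),
            "dstip": rec["dstip"],
            "action": rec.get("action"),
            # Present only on ATP-flagged records; None for plain drops/accepts.
            "threatname": rec.get("threatname"),
        })
    return findings


def summarize_by_source(findings):
    """Count rogue-resolver queries per source IP, to see which device is responsible."""
    counts = {}
    for f in findings:
        counts[f["srcip"]] = counts.get(f["srcip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_rogue_dns(SAMPLE_LOG, DHCP_RESOLVERS)
    for h in hits:
        print(f'{h["srcip"]} ({h["srcmac"]}) -> {h["dstip"]}:53 '
              f'action={h["action"]} threat={h["threatname"]}')
    print("per-device counts:", summarize_by_source(hits))
```

Run it over your real ulogd export instead of `SAMPLE_LOG`, with `DHCP_RESOLVERS` set to what your DHCP server actually offers; a camera showing up in `summarize_by_source` while its siblings do not is exactly the single-device pattern described in this thread, independent of whether the destination's reputation verdict is right.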

185.121.177.177 address research:

  1. A Whois lookup identifies that the address is registered in Austria to a person who trades as Silent Ghost e.u.,

  2. The website for Silent Ghost is https://as204136.net/; if you look you will see that it's not exactly a mainstream-style website,

  3. Further research following the email domains in the Whois lookup reveals this page https://fuslvz.ws/.

Hmm. Again, why is a Ring camera trying to contact this address? It is not a DNS address that my DHCP service asked the camera to use.

Hi all,

Landed on this community post with exactly the same firewall warning.
[attached screenshot, 2021-09-02 08:55]
Would be very interested in the technical explanation from Ring.

best regards,
Dimitri

[attached Sophos screenshot, 210911]

Same here