Ring Device accessing a DNS server in Austria designated as a C&C risk

I have four Ring security cams.
Just recently the stick-up cam has begun trying to reach a DNS server in Austria. According to my firewall security, the server in question poses a C2/Generic-A security threat.
This has just started happening within the last week.
ulogd[20523]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth1" threatname="C2/Generic-A" srcmac="xx:xx:xx:xx:48:72" dstmac="00:13:3b:11:25:19" srcip="192.168.5.160" dstip="185.121.177.177" proto="17" length="60" tos="0x00" prec="0x00" ttl="255" srcport="32091" dstport="53"
The registered name for the server is “Silent Ghost”, which is rather ominous-sounding.
I performed a factory reset on the device and assigned it a different IP address but the problem is now being flagged on the new address. None of my other cameras are doing this. (Nor any of my other devices or computers.)
You can find out more about this threat at https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Has anyone had a similar experience?
Thankfully my firewall blocks this behavior but I’m concerned that the ring cam firmware may be compromised.

Hi @jerseyguy. Thanks for sharing this information. I suggest reaching out to our support team so our Neighbor Solution Experts can take a look and determine what this is. Please give our support team a call at one of the numbers available here. We’re taking additional steps to protect our team and help reduce the spread of COVID-19, so this has resulted in longer than normal wait times. If you are outside of the US, please read our response to COVID-19 here to see how to contact support.

Hi - I’m getting the same alarm from our sophos firewall.
At the moment this affects 2 cameras out of 8.
Firewall blocked the connection to this 185.121.177.177

Any hints or similar experience?

[Update:]
Found out, that this address above is an OpenNic Tier 2 DNS Resolver.
https://wiki.opennic.org/

But when following https://servers.opennic.org/ the above mentioned IP is not listed.

So the question is still valid…

I’m seeing the same thing from 2 separate cameras. It seems to happen once a week or so

I am also getting the same reports from our Sophos firewall that our new stick up cam is trying to reachout to a suspect IP address 185.121.177.177.

I’m thankful to see that I’m not alone here. Not getting much traction out of Ring. At this point I’m ready to junk the camera and switch to an NVR solution. How can they hope to “sell” us on security when they can’t explain these network anomalies. I’d be happy to be wrong here if someone can explain this network behavior to me.

Thank you for the continued feedback on your experiences, neighbors. I suggest reaching out to our support team so that our Neighbor Solution Experts can help, or escalate you further to our safety and security team for review.

Please give our support team a call at one of the numbers available here. We’re taking additional steps to protect our team and help reduce the spread of COVID-19, so this has resulted in longer than normal wait times. If you are outside of the US, please read our response to COVID-19 here to see how to contact support.

I have spoken at length to your support team with no resolution. I don’t know whether they escalated to your security team for a review but the response I received did not allay my concerns. The fact that others have observed the same behavior should sound alarm bells at Ring (seriously, no pun intended). I’d be willing to accept a perfectly reasonable/plausible explanation. To date I have not received one. I have now disconnected the stickup camera from my network entirely. There’s a lot of malware out there and IOT devices are notoriously vulnerable so when I see something like this I have to be safe rather than sorry.

Hi @jerseyguy @RobRose @Jamman960

Please email your concerns to security@ring.com and let's raise the priority of this.

I logged this directly with the Ring security team, over 2 months ago, and provided firewall, DHCP etc. logs for them to review. They came back with a response yesterday and it feels wrong/not addressing the issue. They claim that Sophos is wrong in flagging this IP as suspect, and say that the camera only uses the DNS service provided by the DHCP server. That is obviously incorrect, as the alert Sophos is detecting is an outbound port 53 (DNS) request to this suspect IP address and my DHCP server did not tell the camera to use this DNS server IP address.

I have asked them to explain this in response to last reply below.

"Ring values the trust our neighbors place in us, and we take our customers security seriously. As we continually work to make our devices and services more useful and secure for our users, we are actively developing new security features and capabilities.

I understand you have flagged a concern where you believe our Ring devices were contacting malicious servers. After our assessment, it was determined that the destination IP address was not considered malicious. It seems to have been flagged by Sophos from activity from almost a half a year ago and is currently being utilized by a benign hosting provider. Additionally, any Ring devices would take the DNS server the local network gives them, so DNS requests aren’t something that we have control over.

We strive to provide our neighbors with the ability to control your security within the Ring app. For greater control of your account, you will find added features within the “Control Center” of the app.

Thank you for raising your inquiry up, if you have any additional questions we are happy to review."

P.S. I’m still getting the security alerts.

185.121.177.177 address research:

  1. A Whois lookup identifies that the address is registered in Austria to a person who trades as Silent Ghost e.u.,

  2. The website for Silent Ghost is https://as204136.net/ , if you look you will see that it’s not exactly a mainstream style website,

  3. Further research following the email domains in the Whois lookup reveals this page https://fuslvz.ws/.

Hmm. Again, why is a Ring camera trying to contact this address? It is not a DNS address that my DHCP service asked the camera to use.

Hi all,

Landed on this community post with exactly the same firewall warning.
Would be very interested in the technical explanation from Ring.

best regards,
Dimitri


Same here

as a follow-up I have now also contacted security@ring.com:

Over the past weeks, I received multiple advanced threat protection warnings from my firewall about blocked outgoing DNS request attempts from my stick up cam.
Please refer to community topic Ring Device accessing a DNS server in Austria designated as a C&C risk

Other people are experiencing the same issue.

Can you please investigate again any possible reason why this camera tries to perform DNS lookups towards this malicious-flagged public DNS server, instead of just relying on the trusted internal DNS server on my LAN?

Best case: this is some fallback in the Ring software in case a home user would screw up big time, and this would allow the Ring camera to call home anyway based on this direct public DNS request. This should then be dismissed from the moment the device has been registered correctly.

Worst case: Ring is facing a possible security issue with some malicious code trying to resolve a C&C (command & control) server. I am pretty sure threat actors would be more than interested in taking over control of a big number of Ring cameras to launch distributed DoS attacks against their targets.

Update on my experience of this:
So Ring support eventually sent me out a replacement stick-up camera and the exact same behaviour was seen. This time I was ready and had packet capture running on the firewall. What I am seeing is the stick-up camera is, as thought, not restricting itself to only using the DNS server that the network DHCP settings specify. I am seeing the camera run DNS queries to at least 7 different DNS servers in addition to my 1 internal one. The camera seems to send the same DNS requests to each server, looping through them and then moving on to the next server. The DNS server addresses I’m seeing being used include:
77.88.8.8
185.121.177.53
9.9.9.10
9.9.9.9
77.88.8.1
208.67.220.220
8.8.8.8
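Added example, not code from the thread or from Ring/Sophos: a small Python checker that parses ulogd key="value" lines like the one quoted at the top of the thread, flags any port 53 traffic from a LAN host to a resolver other than the one DHCP hands out (the behaviour described in the post above), and separately lists what the firewall's ATP engine dropped. The first sample line is the one from the thread; the others, and 192.168.5.1 as the DHCP-assigned resolver, are constructed assumptions.

```python
import re
from collections import defaultdict

# Resolver(s) handed out by DHCP on this LAN (constructed for the example).
APPROVED_RESOLVERS = {"192.168.5.1"}

# Constructed ulogd/Sophos-style lines: the first copies the thread's line,
# the rest are invented to exercise the logic (approved resolver, non-DNS, other host).
SAMPLE_LOG = """\
ulogd[20523]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth1" threatname="C2/Generic-A" srcmac="xx:xx:xx:xx:48:72" dstmac="00:13:3b:11:25:19" srcip="192.168.5.160" dstip="185.121.177.177" proto="17" length="60" tos="0x00" prec="0x00" ttl="255" srcport="32091" dstport="53"
ulogd[20523]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.168.5.160" dstip="9.9.9.9" proto="17" srcport="41000" dstport="53"
ulogd[20523]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.168.5.160" dstip="192.168.5.1" proto="17" srcport="41001" dstport="53"
ulogd[20523]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.168.5.21" dstip="192.168.5.1" proto="17" srcport="50000" dstport="53"
ulogd[20523]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.168.5.160" dstip="8.8.8.8" proto="6" srcport="41002" dstport="443"
"""

# key="value" pairs; curly quotes are accepted too, as they appear in pasted forum text.
KV_RE = re.compile(r'(\w+)=["“”]([^"“”]*)["“”]')

def parse_ulogd(line):
    """Return the key/value fields of one ulogd line as a dict."""
    return dict(KV_RE.findall(line))

def is_dns_egress(fields):
    """UDP (proto 17) or TCP (proto 6) to destination port 53."""
    return fields.get("proto") in ("17", "6") and fields.get("dstport") == "53"

def rogue_resolvers(log_text, approved=APPROVED_RESOLVERS):
    """Map each LAN source IP to the DNS servers it used that DHCP did not hand out."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_ulogd(line)
        if is_dns_egress(f) and f["dstip"] not in approved:
            seen[f["srcip"]].add(f["dstip"])
    return dict(seen)

def atp_hits(log_text):
    """(srcip, dstip, threatname) for every line carrying an ATP threat name."""
    return [(f["srcip"], f["dstip"], f["threatname"])
            for f in map(parse_ulogd, log_text.splitlines()) if f.get("threatname")]

if __name__ == "__main__":
    for src, dsts in sorted(rogue_resolvers(SAMPLE_LOG).items()):
        print(f"{src} queried non-DHCP resolvers: {', '.join(sorted(dsts))}")
    for src, dst, threat in atp_hits(SAMPLE_LOG):
        print(f"ATP drop: {src} -> {dst} ({threat})")
```

Feeding a real ulogd export through rogue_resolvers() gives, per device, the same kind of resolver list the post above built from a packet capture, without needing the capture.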

Please un-mark this as a solution. We are all speaking to support and no solution has been found that route.

Confirmed today our Sophos UTM blocked outbound attempts from 2 Ring devices on our wifi network to send DNS traffic to 185.121.177.177. Maybe it's time to junk these Ring devices and move on.

Hi all,

I think we finally got to a real solution after months of Ring telling me there was no issue their end:

"After further research, we have found no malicious activity in regards to your Ring account or devices. Ring has updated our camera firmware to no longer include the use of these IP addresses. Additionally, we would like to reiterate that we have determined that the destination IP address was not considered malicious at the time of access."

Ring did not act in a helpful manner on this topic. From the start they denied anything was wrong, sent back boilerplate excuses and blamed me for having issues my end, but I stuck with it. Providing them with the packet trace data seemed to have been the proof they could no longer ignore. Bad form Ring on how this was handled overall, though.

@jerseyguy @RobRose @Jamman960 @dimitriz @KlausZH

As this thread indicates, in June of last year I began a lengthy correspondence with Ring regarding an issue with their stickup cam accessing a server in Austria, IP Address 85.121.177.177.

This server is listed as being operated by Kevin Holly trading as Silent Ghost e.U.

At the time, Ring/Amazon disavowed any knowledge of this server but eventually agreed to refund me for the stick-up cam.

Today, it was brought to my attention that a certain Katie Holly lists herself on LinkedIn as Founder of Silent Ghost (Mar 2019) and was an employee of Ring between March 2018 and March 2021. Prior to that she was CEO of FuslVZ Ltd.

(https://www.linkedin.com/in/fusl/?originalSubdomain=at).

On the face of it, it would seem that during her employment with Amazon/Ring she founded a network service that their stickup Ring product was (and possibly still is) using.

This would definitely raise conflict of interest issues in any company I’ve ever worked at, but more importantly, it raises questions about their software control processes since they have insisted that their product would never access a non-Amazon server.

I would hope that Ring has a good explanation for this and could provide appropriate assurances that this could not happen again.

The IP address range defined in RIPE shows:
inetnum: 185.121.177.0 - 185.121.177.255
netname: FUSLVZ-IPV4-1
descr: FuslVZ OpenNIC Anycast DNS Resolver (IPv4-1) - http://dnsrec.meo.ws/
created: 2016-03-18T19:32:31Z
last-modified: 2019-04-17T07:16:28Z
org-name: Kevin Holly trading as Silent Ghost e.U.
org-type: OTHER
address: Himberger Strasse 10/1/5
address: 2435 Ebergassing
address: Austria

I returned my Ring stickup cam so I’ve no way of knowing whether Ring did as your note suggests and removed the impacting code from their camera firmware. Can you confirm that you are no longer seeing this behavior?
Much appreciated.