AIProtection-Infected Device Prevention and Blocking

joe scian

Very Senior Member
Hi All
I received 9 threat entries on my AC5300 running 384.5 this morning.
Threat - C&C Server (command and control server) on 2 iPhones, 6 and 7, running latest versions of iOS. The destination on all 9 entries was www.google.kg.

Not sure whether I should be concerned - any thoughts or feedback welcome.
 
Update signature, check your DNS settings. Do a DNS query manually and see if the IP returned is a known Google IP.

Maybe look into more secure DNS options like DNSSEC, dnscrypt, or DNS-over-{TLS,HTTP} as a preventative measure.
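The manual check suggested above, sketched as an added example that is not part of the original thread: resolve the flagged hostname and compare each returned address against Google's published ranges. The prefix list embedded here is a constructed sample laid out like Google's goog.json file (https://www.gstatic.com/ipranges/goog.json), and the function names are hypothetical.

```python
import ipaddress
import json
import socket

# Constructed sample in the layout of goog.json; a small subset only.
# For a real check, load the full current file from the URL in the lead-in.
SAMPLE_GOOG_JSON = """
{"prefixes": [
  {"ipv4Prefix": "142.250.0.0/15"},
  {"ipv4Prefix": "172.217.0.0/16"},
  {"ipv4Prefix": "216.58.192.0/19"},
  {"ipv6Prefix": "2607:f8b0::/32"},
  {"ipv6Prefix": "2a00:1450::/32"}
]}
"""

def load_prefixes(doc):
    """Parse a goog.json-style document into a list of ip_network objects."""
    nets = []
    for entry in json.loads(doc)["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr))
    return nets

def resolve(hostname):
    """Return the A/AAAA answers the configured resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def outside_ranges(addresses, nets):
    """Return the addresses that fall in none of the given networks."""
    unexpected = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not any(ip.version == n.version and ip in n for n in nets):
            unexpected.append(text)
    return unexpected

if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_GOOG_JSON)
    answers = resolve("www.google.kg")  # hostname from the AiProtection log
    print("resolved:", answers)
    print("outside listed ranges:", outside_ranges(answers, nets) or "none")
```

Run it on a client behind the router and again on a network using a different resolver; an address outside the list, or differing answers between the two, is a reason to look closer rather than proof of tampering.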
 
Thanks for feedback - I have DNSSEC enabled and running dnscrypt on router - I am using latest CA cert on router and on iPhone. Maybe it was a false positive. www.google.kg is Google's home page for Kyrgyzstan.
 
If you have all that set up, I doubt it was some DNS issue then, probably just a false alarm from AiProtection. Have you updated the signatures?

Also, you mention a couple of iPhones, but on the latest iOS, so I assume they’re not jailbroken?
 
Yes, correct, no jailbreak mod.
 
Thank you
 
Could be a bad url being used or simply an e-mail that was opened up. If it keeps happening, you need to look into it more closely.
 
Yes, I have a feeling I may have opened a phishing text message on one of the phones. Will keep a watchful eye on it. Thank you.
 
I also had 7 hits (a second apart) on Wednesday for that site on my wife's iPhone. A website I found after some Google searching alerted me to turn on security notifications in her WhatsApp in case things were being hijacked. Just going to keep an eye on it for now.
 
The URL you linked to does not contain anything related to google.kg, I fail to see the relevance here.

Moreover, the malware seems to be spreading with fake APK (Android file format) so I don’t think it’s related to your wife’s iPhone at all.
 
