SmartThings Trojan Activity - CNC Shadowserver

My security gateway is identifying trojan activity from my SmartThings Hub v1 several times a day without any consistent time. Does anyone know more information on this and why SmartThings is talking to these servers?

You should check with SmartThings support, but I think it is the hub communicating with the ST server. Many hubs do that to keep a place mark.

Indicators of Compromise are relevant for an average of less than a minute.

Most likely these CnC server addresses are now false positives, possibly never were anything but false positives.

Which vendor provides your security gateway?

At this point aren’t all AWS IP scopes flagged somewhere? :grin:


That’s a great part of the problem and why the observables have such incredibly short relevant life.

I’m using the Synology RT1900ac Router which has an add-on for Network Intrusion.