Hello everyone,
Seeking advice on how to best deal with a possible compromised IoT device.
So the background on this is that i have several vlans in my environment. One of the vlans is my IoT vlan where anything wireless / non-critical goes in here. The firewalls permit this to only outbound internet and cannot access any of the LANs.
Tonight i decided to turn on Suricata on the WAN as i do have inbound rules permitting specific sources to my DMZ all handled through a reverse proxy and some rules for outside monitoring of my WAN interface and Remote Access (Geo Fenced with pfBlocker)
While reviewing the logs i noticed that a particular flow kept recurring. The signature being matched is ‘“ET JA3 Hash - Trojan.AndroidOS.Jocker.snt 1”; ja3_has’
Working backwards i was able to trace it to an internal host in my IoT domain. It goes to a Nixplay digital frame. These devices do run Android in the background. Checking the destination in virus total, the IP is clean but still unsure if this is a legitimate threat or the pattern matcher confusing a legitimate flow for a threat.
Am i worried? If i didnt have the restrictive rule for IoT i would be but for now im not sure how to best rule out this issue. Seeking advice from the community here.