EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations

A newly discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old critical blind command injection vulnerability. The botnet, dubbed EwDoor by security researchers at Xiarch Network Security, targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices.

EdgeMarc appliances support high-capacity VoIP and data environments, bridging the gap between enterprise networks and their service providers, in this case the AT&T carrier. However, this also requires the devices to be publicly exposed to the Internet, increasing their exposure to remote attacks.

Our security researchers first spotted the attacks on October 27, when they began targeting Internet-exposed Edgewater Networks devices left unpatched against the critical CVE-2017-6079 vulnerability.

Around 6,000 compromised devices were spotted in three hours

The researchers were able to get a quick estimate of the botnet’s size by registering one of its backup command-and-control (C2) domains and monitoring the requests made to it by infected devices. During the three hours they had before the botnet’s operators switched to a different C2 communication model, the researchers counted roughly 5,700 infected devices.
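As an added illustration of the sinkhole-based sizing described above (example code written for this article, not the researchers' own tooling; the log format, domain and IP addresses are constructed placeholders), the following counts unique beaconing IPs within a fixed observation window, so that repeated beacons from one device are not mistaken for additional victims:

```python
import re
from datetime import datetime, timedelta

# Constructed sinkhole access log: one line per request reaching the registered
# backup C2 domain. Format assumed here: Apache combined log with the requested
# Host appended as a final field. All IPs and domains are placeholders.
SINKHOLE_LOG = """\
203.0.113.10 - - [27/Oct/2021:10:00:01 +0000] "GET /report HTTP/1.1" 200 12 "-" "bot" backup-c2.example
203.0.113.11 - - [27/Oct/2021:10:05:40 +0000] "GET /report HTTP/1.1" 200 12 "-" "bot" backup-c2.example
203.0.113.10 - - [27/Oct/2021:11:00:02 +0000] "GET /report HTTP/1.1" 200 12 "-" "bot" backup-c2.example
198.51.100.7 - - [27/Oct/2021:12:30:15 +0000] "GET /report HTTP/1.1" 200 12 "-" "bot" backup-c2.example
192.0.2.44 - - [27/Oct/2021:12:45:00 +0000] "GET / HTTP/1.1" 404 0 "-" "scanner" other.example
198.51.100.8 - - [27/Oct/2021:14:10:00 +0000] "GET /report HTTP/1.1" 200 12 "-" "bot" backup-c2.example
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)

def parse_log(text):
    """Yield (timestamp, client_ip, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group("ip"), m.group("host")

def sinkhole_census(text, c2_domain, window_hours):
    """Estimate infected hosts as unique IPs beaconing to c2_domain within
    window_hours of the first beacon. Repeated beacons from one IP count once,
    so the figure is a lower bound on devices, not a count of requests."""
    beacons = sorted((ts, ip) for ts, ip, host in parse_log(text) if host == c2_domain)
    if not beacons:
        return {"first_seen": None, "unique_ips": 0, "per_hour": {}}
    first = beacons[0][0]
    cutoff = first + timedelta(hours=window_hours)
    seen, per_hour = set(), {}
    for ts, ip in beacons:
        if ts >= cutoff:
            break  # beyond the observation window (e.g. after the operators switch C2)
        seen.add(ip)
        per_hour.setdefault(ts.strftime("%Y-%m-%dT%H"), set()).add(ip)
    return {
        "first_seen": first.isoformat(),
        "unique_ips": len(seen),
        "per_hour": {h: len(ips) for h, ips in per_hour.items()},
    }

if __name__ == "__main__":
    print(sinkhole_census(SINKHOLE_LOG, "backup-c2.example", window_hours=3))
```

Requests to hosts other than the sinkholed domain (scanners, unrelated traffic) are dropped before counting, which matters when the same server answers for several names.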

“We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” the researchers said in a report published today.

“By back-checking the SSL certificates used by these devices, we found that there were about 100k IPs using the same SSL certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.”

What Are the Capabilities of the EwDoor Backdoor and DDoS Bot?

After examining the samples captured since discovering EwDoor, our researchers say the botnet is most likely used to launch distributed denial-of-service (DDoS) attacks and as a backdoor to gain access to the target’s network.

At this time it has six major features:

  • Self-updating
  • Port scanning
  • File management
  • DDoS attacks
  • Reverse shell
  • Executing arbitrary commands on compromised servers

“So far, the EwDoor in our view has undergone 3 versions of updates, and its major functionality can be summarized into 2 main categories of DDoS attacks and Backdoor,” our researchers added. “Based on the attacked devices being telephone communication related, we presume that its main purpose is DDoS attacks and the gathering of sensitive information, such as call logs.”


EwDoor uses TLS encryption to thwart interception of its network traffic and encrypts its resources to hinder malware analysis. Additional technical details on the EwDoor botnet and indicators of compromise (IOCs), including C2 domains and malware sample hashes, can be found in the security researchers’ report.

Note: An AT&T representative told our security researchers that the company found no evidence of customer data being accessed as a result of these attacks. “We previously identified this issue, have taken steps to mitigate it, and continue to investigate. We have no evidence that customer data was accessed,” AT&T said.
