{"id":3930,"date":"2021-12-01T18:11:09","date_gmt":"2021-12-01T12:41:09","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3930"},"modified":"2021-12-01T18:11:12","modified_gmt":"2021-12-01T12:41:12","slug":"ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/","title":{"rendered":"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations"},"content":{"rendered":"\n
A currently discovered botnet is attacking unpatched AT&T enterprise network edge devices utilizing exploits for a four-year-old sensitive Blind Command Insertion security bug. The botnet, also known as EwDoor by security researchers at Xiarch Network Security, targets AT&T customers utilizing EdgeMarch Enterprise Session Border Controller (ESBC) edges devices.<\/p><\/p>\n\n\n\n
EdgeMarc appliances support high-capacity VoIP and data environments, bridging the gap between enterprise networks and their service providers, in this case, the AT&T carrier. However, this also needs the devices to be publically revealed to the Internet, increasing their exposure to remote attacks.<\/p><\/p>\n\n\n\n
Our security researchers also spotted on October 27 when the first attacks targeting Internet \u2013 exposed Edgewater Networks\u2019 devices unpatched against the sensitive CVE-2017-6079 vulnerability initiated.<\/p><\/p>\n\n\n\n
Around 6,000 negotiated devices were spotted in three hours<\/strong><\/h2>\n\n\n\n
The researchers were able to take a quick look at the botnet’s size by registering one of its backup command-and-control (C2) domains and monitoring the requests made from infected devices. During the three hours, they had before the botnet’s operators switched to a different C2 network communication model, researchers could spot roughly 5,700 infected devices.<\/p><\/p>\n\n\n\n
“We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” the researchers said in a report published today.<\/p><\/p>\n\n\n\n
“By back-checking the SSl certificates used by these devices, we found that there were about 100k IPs using the same SSl certificate. We are not sure how many devices corresponding to this IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.” <\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
What are the Capabilities of Backdoor with DDoS Attack?<\/strong><\/h2>\n\n\n\n
After examining the version captured since they found EwDoor, our researchers say the botnet is likely utilized to start the distributed denial-of-service (DDoS) attacks and as a backdoor to achieve access to the target\u2019s network.<\/p><\/p>\n\n\n\n
It has six major features at this time:<\/p><\/p>\n\n\n\n
Self-updating<\/li>
Port Scanning<\/li>
File Management<\/li>
DDoS Attack<\/li>
Reverse Shell<\/li>
Execution Arbitrary Commands on Negotiated Servers<\/li><\/ul>\n\n\n\n
\u201cSo Far, the EwDoor in our view has undergone 3 versions of updates, and its major functionality can be summarized into 2 main categories of DDoS attacks and Backdoor,\u201d our researchers added. “Based on the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs.”<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
EwDoor utilizes TLS encryption to block network traffic interception attempts and encrypts resources to block malware analysis. Additional technical details on the EwDoor botnet and indicators of compromise (IOCs), including C2 domains and malware sample hashes, can be found in the security researcher\u2019s report.<\/p><\/p>\n\n\n\n
Note: An AT&T insider men told our security researchers that the company found no clue of customers’ data being accessed as a result of these attacks. “We previously identified this issue, have taken steps to mitigate it, and continue to investigate. We have no evidence that customer data was accessed,” AT&T said.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
A currently discovered botnet is attacking unpatched AT&T enterprise network edge devices utilizing exploits for a four-year-old sensitive Blind Command Insertion security bug. The botnet, also known as EwDoor by security researchers at Xiarch Network Security, targets AT&T customers utilizing EdgeMarch Enterprise Session Border Controller (ESBC) edges devices. EdgeMarc appliances support high-capacity VoIP and data […]<\/p>\n","protected":false},"author":2,"featured_media":3934,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"A currently discovered botnet is attacking unpatched AT&T enterprise network edge devices utilizing exploits for a four-year-old sensitive Blind Command Insertion security bug. The botnet, also known as EwDoor by security researchers at Xiarch Network Security, targets AT&T customers utilizing EdgeMarch Enterprise Session Border Controller (ESBC) edges devices. EdgeMarc appliances support high-capacity VoIP and data […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-01T12:41:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-01T12:41:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/EwDoor-Botnet-Attacking-ATT-Network-Edge-Device-at-US-Organizations-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations\",\"datePublished\":\"2021-12-01T12:41:09+00:00\",\"dateModified\":\"2021-12-01T12:41:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\"},\"wordCount\":529,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\",\"url\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\",\"name\":\"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-12-01T12:41:09+00:00\",\"dateModified\":\"2021-12-01T12:41:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/","og_locale":"en_US","og_type":"article","og_title":"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations - Xiarch Solutions Private Limited","og_description":"A currently discovered botnet is attacking unpatched AT&T enterprise network edge devices utilizing exploits for a four-year-old sensitive Blind Command Insertion security bug. The botnet, also known as EwDoor by security researchers at Xiarch Network Security, targets AT&T customers utilizing EdgeMarch Enterprise Session Border Controller (ESBC) edges devices. EdgeMarc appliances support high-capacity VoIP and data […]","og_url":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-12-01T12:41:09+00:00","article_modified_time":"2021-12-01T12:41:12+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/EwDoor-Botnet-Attacking-ATT-Network-Edge-Device-at-US-Organizations-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations","datePublished":"2021-12-01T12:41:09+00:00","dateModified":"2021-12-01T12:41:12+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/"},"wordCount":529,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/","url":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/","name":"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-12-01T12:41:09+00:00","dateModified":"2021-12-01T12:41:12+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/ewdoor-botnet-attacking-att-network-edge-device-at-us-organizations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"EwDoor Botnet Attacking AT&T Network Edge Device at US Organizations"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3930"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3930"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3930\/revisions"}],"predecessor-version":[{"id":3935,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3930\/revisions\/3935"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3934"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/EwDoor-Botnet-Attacking-ATT-Network-Edge-Device-at-US-Organizations-image1.png\")
<\/figure><\/div>\n\n\n\n![\"EwDoor-Botnet-Attacking-AT&T-Network-Edge-Device-at-US-Organizations-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/12\/EwDoor-Botnet-Attacking-ATT-Network-Edge-Device-at-US-Organizations-image2-1024x790.png\")
<\/figure><\/div>\n\n\n\n