EwDoor botnet targets AT&T network edge devices at US firms


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old critical severity Blind Command Injection security flaw.
The botnet, dubbed EwDoor by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices.
EdgeMarc appliances support high-capacity VoIP and data environments, bridging the gap between enterprise networks and their service providers, in this case, the AT&T carrier.
However, this also requires the devices to be publicly exposed to the Internet, increasing their exposure to remote attacks.
360 Netlab spotted the botnet on October 27 when the first attacks targeting Internet-exposed Edgewater Networks' devices unpatched against the critical CVE-2017-6079 vulnerability started.
"We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US," the researchers said in a report published today.
"By back-checking the SSl certificates used by these devices, we found that there were about 100k IPs using the same SSl certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real."


Staff member
Malware Hunter
Jul 27, 2015
The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network. The vulnerability stemmed from an account in the device that, as Davis learned from this document, had the username and password of “root” and “default.”

Because the vulnerability gives people the ability to remotely gain unfettered root access, its severity rating carried a 9.8 out of a possible 10. A year after the vulnerability came to light, exploit code became available online.