EwDoor botnet targets AT&T network edge devices at US firms

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
Content source
https://www.bleepingcomputer.com/news/security/ewdoor-botnet-targets-atandt-network-edge-devices-at-us-firms/
A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old critical severity Blind Command Injection security flaw.
The botnet, dubbed EwDoor by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices.
EdgeMarc appliances support high-capacity VoIP and data environments, bridging the gap between enterprise networks and their service providers, in this case, the AT&T carrier.
However, this also requires the devices to be publicly exposed to the Internet, increasing their exposure to remote attacks.
360 Netlab spotted the botnet on October 27 when the first attacks targeting Internet-exposed Edgewater Networks' devices unpatched against the critical CVE-2017-6079 vulnerability started.
Click to expand...
"We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US," the researchers said in a report published today.
"By back-checking the SSl certificates used by these devices, we found that there were about 100k IPs using the same SSl certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real."
Click to expand...
www.bleepingcomputer.com

EwDoor botnet targets AT&T network edge devices at US firms

A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old critical severity Blind Command Injection security flaw.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: upnorth, Venustus, Gandalf_The_Grey and 4 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network. The vulnerability stemmed from an account in the device that, as Davis learned from this document, had the username and password of “root” and “default.”

Because the vulnerability gives people the ability to remotely gain unfettered root access, its severity rating carried a 9.8 out of a possible 10. A year after the vulnerability came to light, exploit code became available online.
Click to expand...
arstechnica.com

Thousands of AT&T customers in the US infected by new data-stealing malware

Malware exploits 2017 vulnerability in a widely used network edge device.
arstechnica.com arstechnica.com
 
  • Like
  • +Reputation
Reactions: silversurfer, Gandalf_The_Grey and harlan4096
You must log in or register to reply here.

Similar threads

CyberTech
    • Like
    • +Reputation
What's on your network? These are the devices most at risk of getting hacked
Replies
0
Views
559
News Archive
CyberTech
CyberTech
upnorth
    • Like
    • +Reputation
Evasive KmsdBot Cryptominer/DDoS Bot Targets Gaming, Enterprises
Replies
0
Views
489
News Archive
upnorth
upnorth
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Security News 22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure
Replies
6
Views
1,841
Security News
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top