Recently Discovered 'EwDoor' Botnet Targets US AT&T DevicesResearchers Who Accessed Control Center Say at Least 5,700 Edge Devices Linked
A recently discovered botnet is infecting thousands of AT&T internet subscribers in the U.S., using a critical-severity blind command injection flaw first reported in 2017, according to new findings from China-based cybersecurity researchers.
Alex Turing and Hui Wang, researchers in the Network Security Research Lab at Beijing-based Qihoo 360, say a botnet they have called "EwDoor" targets AT&T customers using unpatched EdgeMarc Enterprise Session Border Controller devices. These are used by small and medium-sized businesses to connect enterprise networks with their internet service providers to secure real-time communications including phone calls and video conferencing.
The internet-facing devices, which are linked to sensitive data, can become targets for distributed denial-of-service attacks and data-harvesting attempts, the researchers say.
Turing and Wang say they first detected an attack on Edgewater Networks' devices on Oct. 27 via CVE-2017-6079. The vulnerability, which carries a severity rating of 9.8 out of 10, was first reported in 2017 and can be weaponized to allow for user-defined commands.
Session border controllers with default passwords, including the username "root" and password "default," have previously been compromised.
It is unclear if AT&T or EdgeMarc manufacturer Edgewater Networks disclosed the vulnerability to users, according to Ars Technica, which reports that it was fixed by December 2018, some 19 months after it was disclosed by penetration tester Spencer Davis.
An AT&T spokesperson tells Information Security Media Group, "We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed."
The Qihoo 360 researchers now say attackers leveraging the vulnerability drop a payload that includes "a brand-new botnet" - since labeled EwDoor, a play on "Edgewater" and "backdoor."
Thousands of Devices - or More
Turing and Wang say that after accessing EwDoor's second command-and-control domain, they had three hours to assess it and measure its size before botnet operators switched to a different network communication model. They counted some 5,700 infected devices, all located in the U.S.
"So far, the EwDoor in our view has undergone three versions of updates, and its main functions can be summarized into two main categories of DDoS attacks and backdoor," the resercherds say. "We presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs."
Turing and Wang: "We can characterize EwDoor as a botnet that sends C2 [command and control] down through BT [BitTorrent] tracker, uses TLS [transport layer security] to protect traffic, and mainly profits by means of DDoS attacks and sensitive data theft, which currently propagates through the N-day vulnerability CVE-2017-6079."
Qihoo 360 says the number of infected devices may be significantly larger, too, as it detected more than 100,000 devices accessing the same TLS certificate used by an infected controller. The authors say, "We can speculate that as they belong to the same class of devices, the possible impact is real."
Turing and Wang also estimate that the malware has six major functions, which include:
- Port scanning;
- File management;
- DDoS attacks;
- Reverse SHELL;
- Execute arbitrary commands.
The China-based security firm indicates that the developers also built several safeguards into the malware, some of which include:
- Use of TLS at the network level to prevent communication from being intercepted;
- Sensitive resources encrypted to make it more difficult to reverse;
- Command server moved to the cloud, using a BitTorrent tracker to obscure activity.
"Given the size, activity of EwDoor, and sensitivity of the infected devices, we decided to write this paper to share our findings with the community," the Qihoo 360 researchers say.
Additional technical details, including sample command-and-control domains and malware sample hashes, can be found in the report. The firm urges users to contact it via Twitter if they have additional information related to EwDoor.