Thousands of AT&T customers in the US infected by new data-stealing malware


Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday.
The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.
Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access.
“However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” Qihoo 360 researchers Alex Turing and Hui Wang wrote.
They said they have detected more than 100,000 IP addresses presenting the same TLS certificate used by the infected controllers, an indication that the pool of affected devices may be much bigger. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” they added.
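The pivot the researchers describe, from one infected appliance to every host presenting the same certificate, is straightforward to reproduce. The script below is an added example, not code from the article or from Qihoo 360; it uses only the Python standard library. `fetch_fingerprint()` does a live TLS handshake (with verification deliberately disabled, since the point is to fingerprint the appliance's certificate, not trust it); the clustering functions work offline on PEM text. The sample observations, IP addresses and certificate bodies are constructed placeholders, not data from the page.

```python
"""Cluster hosts by the SHA-256 fingerprint of the TLS certificate they present.

Added example; not from the Ars article or Qihoo 360's write-up. Standard library only.
"""
import base64
import hashlib
import socket
import ssl
from collections import defaultdict


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate (the form ssl.get_server_certificate returns)."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, grab the leaf certificate without validating it, and fingerprint it.

    Verification is disabled on purpose: appliances like these typically present a
    self-signed or vendor-issued certificate, and we want its identity, not its trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return der_fingerprint(der)


def cluster_by_fingerprint(observations):
    """observations: iterable of (ip, pem_text). Returns {fingerprint: sorted list of IPs}."""
    clusters = defaultdict(set)
    for ip, pem in observations:
        clusters[pem_fingerprint(pem)].add(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}


def shared_certificate_hosts(observations, min_hosts: int = 2):
    """Fingerprints seen on at least min_hosts distinct IPs: the 'same cert everywhere' signal.

    A certificate shared across many unrelated addresses usually means a vendor default
    baked into firmware, which is exactly the population a device-class exploit reaches.
    """
    return {fp: ips for fp, ips in cluster_by_fingerprint(observations).items()
            if len(ips) >= min_hosts}


def _fake_pem(body: bytes) -> str:
    """Constructed stand-in PEM (base64 of arbitrary bytes) so the example runs offline.

    Real certificates are ASN.1 DER; the fingerprinting and clustering logic does not care.
    """
    b64 = base64.encodebytes(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample (documentation-range IPs): three hosts share one certificate, one has its own.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", _fake_pem(b"vendor-default-cert")),
    ("192.0.2.11", _fake_pem(b"vendor-default-cert")),
    ("198.51.100.7", _fake_pem(b"vendor-default-cert")),
    ("203.0.113.5", _fake_pem(b"per-device-cert")),
]

if __name__ == "__main__":
    for fp, ips in shared_certificate_hosts(SAMPLE_OBSERVATIONS).items():
        print(f"{fp[:23]}... presented by {len(ips)} hosts: {', '.join(ips)}")
```

To use it against real hosts, replace the constructed sample with `(ip, ssl.get_server_certificate((ip, port)))` pairs or call `fetch_fingerprint()` directly, then seed the comparison with the fingerprint taken from a device you already know is affected. Fingerprint on the DER bytes rather than on subject or issuer fields, since those are trivially duplicated by unrelated certificates.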
The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network. The vulnerability stemmed from an account in the device that, as Davis learned from this document, had the username and password of “root” and “default.”
Because the vulnerability gives remote attackers unfettered root access, it carries a severity score of 9.8 out of a possible 10. A year after the vulnerability came to light, exploit code became available online.
But it’s not clear if AT&T or EdgeMarc manufacturer Edgewater (now named Ribbon Communications) ever disclosed the vulnerability to users. A document available by FTP shows the vulnerability was fixed in December 2018, more than 19 months after Davis disclosed it. It appears the patch required manual updates, a process that can be tedious.
An AT&T spokesman said: “We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed.” He didn’t elaborate on when AT&T identified the threats, what the mitigation steps are, whether they were successful, or if the company could rule out data access. The spokesman didn’t respond to a follow-up email.
Qihoo 360 is calling the malware EWDoor, a play on it being a backdoor affecting Edgewater devices. Functions supported by the malware include:
The basic logic of the backdoor is depicted below:
To protect the malware against reverse engineering by researchers or competitors, the developers added several safeguards, including:
Anyone using one of the affected models should visit Tuesday’s post to obtain indicators of compromise that will show if their device is infected. Readers who find evidence their device has been hacked: Please email me or contact me at +1650-440-4479 by Signal. This post will be updated if additional information becomes available.
Post updated to report FTP document indicating the vulnerability was fixed by December 2018.
© 2021 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy.