A newly found botnet is using exploits for a four-year-old critical severity Blind Command Injection security vulnerability to attack unpatched AT&T business network edge devices. AT&T customers that use EdgeMarc Enterprise Session Border Controller (ESBC) edge devices are targeted by the botnet, which has been called EwDoor by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab).
The AT&T carrier’s EdgeMarc products provide high-capacity VoIP and data environments, bridging the gap between business networks and their service providers. However, this necessitates the devices’ public Internet accessibility, increasing their vulnerability to remote cyberattacks. When the initial attacks targeting Internet-exposed Edgewater Networks’ devices unpatched against the major CVE-2017-6079 vulnerability began on October 27, 360 Netlab discovered the botnet.
By registering one of the botnet’s backup command-and-control (C2) domains and tracking requests from infected devices, the researchers were able to get a rapid estimate of the botnet’s magnitude. 360 Netlab detected around 5,700 infected devices in the three hours they had before the botnet’s controllers moved to a different C2 network communication style.
The researchers claimed in a new study that the attacked devices were AT&T’s EdgeMarc Enterprise Session Border Controllers. All 5.7k active victims seen within the brief period were all geographically situated in the United States. 360 Netlab claims the botnet is likely to perform DDoS attacks and as a backdoor to access the targets’ networks.
The six primary functions it presently possesses are self-updating, file management, port scanning, reverse shell, DDoS attack, and execution of arbitrary commands on infected servers. EwDoor encrypts resources to prevent malware analysis and employs TLS encryption to control network traffic eavesdropping.
360 Netlab’s study contains further technical data on the EwDoor botnet and indicators of compromise (IOCs), such as C2 domains and malware sample hashes.