CATEGORIES
home News

AT&T Customers Are Being Infected By A Massive Malware Botnet But User Data Is Allegedly Secure

by Nathan OrdWednesday, December 01, 2021, 12:56 PM EDT
att customers under attack by botnet
If you are an AT&T enterprise customer with some older technology on the edge of your network, your infrastructure may be under attack by a Russian botnet dubbed EwDoor.

In late October this year, researchers at 360 Netlab discovered a threat actor attacking Edgewater Networks' devices using the four-year-old CVE-2017-6079. This vulnerability, when exploited, could allow the attacker to execute commands via a hidden page embedded in the firmware dating back to 2006, according to the National Institute of Standards and Technology's database.

ewdoor layout att customers under attack by botnet
The basic logic of EwDoor's operations.

Subsequently, the researchers named this botnet EwDoor after "it's targeting of Edgewater producers and its Backdoor feature." The initial version of this network used a multi-command-and-control (C2) redundancy mechanism, allowing the researchers to register one of the C2 domains and gain some insights into EwDoor. They found that the 5,700 attacked devices are "EdgeMarc Enterprise Session Border Controllers" belonging to AT&T and geographically located within the United States.

Since that initial insight was gained, the researchers briefly lost sight of EwDoor, but found that there have been three known updates for the network that "can be summarized into 2 main categories of DDoS attacks and Backdoor." The thought is that with these capabilities, which also include "self-updating, port scanning, file management, reverse SHELL, and the execution of arbitrary commands," the threat actor wishes to deny service and gather sensitive information like call logs.

c2 info2 att customers under attack by botnet

Interestingly, the team at 360 Netlab was able to deconstruct the code from EwDoor and found some of the C2 domains and the locations for the downloaded files. Though these have likely changed since the research was published, it shows that the threat actor's efforts to obfuscate their work had flaws.

In any event, AT&T spoke with BleepingComputer and stated that there was "no evidence of customers' data being accessed as a result of these attacks." Specifically, AT&T previously identified this issue, and the company has "taken steps to mitigate it and continue[s] to investigate." Despite this reassurance, it is still concerning that something like this could happen, especially considering the crux of this attack is a highly dangerous four-year-old vulnerability.
Tags:  security, botnet, cybersecurity, at&t, (nyse:att)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment