Thousands of network devices owned by AT&T Internet subscribers in the US have been infected with recently discovered malware that allows the devices to be used in denial of service attacks and attacks on internal networks, researchers said Tuesday.
The affected device is the EdgeMarc Enterprise Session Border Controller, a device used by small and medium-sized businesses to secure and manage telephone calls, video conferences, and similar real-time communications. As a bridge between companies and their ISPs, session border controllers have access to a large amount of bandwidth and to potentially sensitive information, making them ideal for distributed denial of service attacks and for collecting data.
Researchers at China-based Qihoo 360 said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers for a period of three hours before losing access.
“However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, owned by the telecommunications company AT&T, and that all of the 5.7k active victims we saw during the short period of time were geographically located in the US,” wrote Qihoo 360 researchers Alex Turing and Hui Wang.
They said they have detected over 100,000 devices presenting the same TLS certificate used by the infected devices, an indication that the pool of affected devices may be much larger. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that, belonging to the same class of devices, the possible impact is real,” they added.
Default credentials reappear
The vulnerability exploited to infect the devices is tracked as CVE-2017-6079, a command injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack into a customer’s network. The vulnerability stemmed from an account on the device which, as Davis learned from this document, had the username “root” and the password “default”.
Because the vulnerability gives people the ability to remotely gain unrestricted root access, its severity rating came in at 9.8 out of a possible 10. One year after the vulnerability came to light, exploit code was available online.
But it’s unclear whether AT&T or EdgeMarc’s maker Edgewater (now called Ribbon Communications) ever disclosed the vulnerability to users. While third-party services, such as the National Vulnerability Database, issued notices, none of them reported that a patch was ever issued. Ribbon did not respond to an email asking if a patch or advisory was ever released.
An AT&T spokesperson said: “We previously identified this issue, took steps to mitigate it, and continued to investigate. We have no evidence that customer data has been accessed.” He did not elaborate on when AT&T identified the threat, what the mitigation steps were, whether they were successful, or whether the company could rule out access to the data. The spokesperson did not respond to a follow-up email.
Qihoo 360 is calling the malware EwDoor, a play on “backdoor” and the Edgewater devices it targets. Features supported by the malware include:
- Auto update
- Port scan
- File management
- DDoS attack
- Reverse shell
- Execution of arbitrary commands
The basic logic of the backdoor is depicted in a diagram in the researchers’ post.
To protect the malware against reverse engineering by researchers or competitors, the developers added several anti-analysis measures, including:
- Use of TLS encryption at the network level to prevent communication from being intercepted
- Encryption of sensitive resources to make the binary harder to reverse engineer
- Moving the command server to the cloud, working together with a BT (BitTorrent) tracker to hide its activity
- Modification of the PHT “ABIFLAGS” entry in the executable file to counter qemu-user and some Linux sandboxes running on higher kernel versions. “This is a relatively rare countermeasure, showing that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices,” the researchers said.
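The ABIFLAGS program header is the one thing in that list a responder can check on a suspect binary without running it. The script below is an added triage example, not code from the Qihoo 360 post or from Ribbon: it parses the program header table of a 32-bit MIPS ELF (the assumption that the device firmware is 32-bit MIPS is mine; the article does not state the architecture), decodes the PT_MIPS_ABIFLAGS entry using the Elf_Mips_ABIFlags_v0 layout from the MIPS ABI, and reports anything the kernel or qemu-user loader would not expect. The article does not say which field EwDoor alters, so the check simply flags any deviation from the documented 24-byte layout and its defined field values. The sample ELF image produced by `build_sample` is constructed for testing and is not an EwDoor sample.

```python
"""Added triage helper: decode the MIPS "ABIFLAGS" program header
(PT_MIPS_ABIFLAGS) of an ELF32 binary and flag values a loader would not
expect.  The Elf_Mips_ABIFlags_v0 layout follows the MIPS ABI / binutils
definition; which field EwDoor alters is not stated in the article, so this
reports any deviation from the documented layout (assumption, not a signature)."""
import struct
import sys

PT_MIPS_ABIFLAGS = 0x70000003      # p_type of the ABIFLAGS program header
EM_MIPS = 8
ABIFLAGS_V0_SIZE = 24              # sizeof(Elf_Mips_ABIFlags_v0)
VALID_FP_ABI = set(range(8))       # Val_GNU_MIPS_ABI_FP_ANY .. FP_64A
VALID_ISA_LEVEL = {1, 2, 3, 4, 5, 32, 64}


def _byte_order(data):
    """Return the struct byte-order prefix for an ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:
        raise ValueError("only ELF32 is handled here")
    return "<" if data[5] == 1 else ">"


def program_headers(data):
    """Return (e_machine, [phdr dict, ...]) parsed from an ELF32 image."""
    bo = _byte_order(data)
    (e_machine,) = struct.unpack_from(bo + "H", data, 18)
    (e_phoff,) = struct.unpack_from(bo + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(bo + "HH", data, 42)
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr",
             "p_filesz", "p_memsz", "p_flags", "p_align")
    hdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(bo + "8I", data, e_phoff + i * e_phentsize)
        hdrs.append(dict(zip(names, fields)))
    return e_machine, hdrs


def decode_abiflags(data, phdr):
    """Decode the 24-byte Elf_Mips_ABIFlags_v0 structure the header points at."""
    bo = _byte_order(data)
    names = ("version", "isa_level", "isa_rev", "gpr_size", "cpr1_size",
             "cpr2_size", "fp_abi", "isa_ext", "ases", "flags1", "flags2")
    fields = struct.unpack_from(bo + "HBBBBBBIIII", data, phdr["p_offset"])
    return dict(zip(names, fields))


def audit_abiflags(data):
    """Return {"present": bool, "abiflags": dict|None, "findings": [str]}."""
    e_machine, hdrs = program_headers(data)
    result = {"present": False, "abiflags": None, "findings": []}
    if e_machine != EM_MIPS:
        return result
    abi = [h for h in hdrs if h["p_type"] == PT_MIPS_ABIFLAGS]
    if not abi:
        return result          # older MIPS toolchains emit no ABIFLAGS header
    result["present"] = True
    if len(abi) > 1:
        result["findings"].append("multiple PT_MIPS_ABIFLAGS headers")
    ph = abi[0]
    if ph["p_filesz"] != ABIFLAGS_V0_SIZE:
        result["findings"].append("p_filesz %d differs from the %d-byte v0 layout"
                                  % (ph["p_filesz"], ABIFLAGS_V0_SIZE))
    if ph["p_offset"] + ABIFLAGS_V0_SIZE > len(data):
        result["findings"].append("ABIFLAGS segment lies outside the file")
        return result
    flags = decode_abiflags(data, ph)
    result["abiflags"] = flags
    if flags["version"] != 0:
        result["findings"].append("unknown ABIFLAGS version %d" % flags["version"])
    if flags["fp_abi"] not in VALID_FP_ABI:
        result["findings"].append("fp_abi %d is not a defined value" % flags["fp_abi"])
    if flags["isa_level"] not in VALID_ISA_LEVEL:
        result["findings"].append("isa_level %d is not a defined value" % flags["isa_level"])
    return result


def build_sample(filesz=ABIFLAGS_V0_SIZE, version=0, fp_abi=1, isa_level=32):
    """Construct a minimal big-endian MIPS ELF32 image (ELF header, one program
    header, one ABIFLAGS segment) for testing; constructed, not a real binary."""
    phoff, segoff = 52, 52 + 32
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELF32, big-endian
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0, phoff, 0, 0,
                               52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">8I", PT_MIPS_ABIFLAGS, segoff, 0, 0, filesz,
                       ABIFLAGS_V0_SIZE, 4, 8)
    seg = struct.pack(">HBBBBBBIIII", version, isa_level, 2, 1, 1, 0, fp_abi,
                      0, 0, 0, 0)
    return ehdr + phdr + seg


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample(filesz=8)        # constructed, deliberately odd sample
    report = audit_abiflags(image)
    print("PT_MIPS_ABIFLAGS present:", report["present"])
    print("decoded:", report["abiflags"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it with a path to a binary pulled from a suspect device to get the decoded fields and any findings; with no argument it audits the constructed sample. A clean header produces no findings, which is the normal case for any MIPS binary built by a modern toolchain, so a hit here is a reason to look closer, not a verdict.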
Anyone using one of the affected models should visit Tuesday’s post for indicators of compromise that will show whether their device is infected. Readers who find evidence that their device has been hacked: Email me or contact me on Signal at +1 650-440-4479. This post will be updated if additional information becomes available.