A new botnet threat named EwDoor Botnet has been infecting unprotected AT&T enterprise network edge devices. The threat exploits a four-year-old critical vulnerability tracked as CVE-2017-6079. The exploit allows attackers to gain unfettered root access to the targeted devices remotely.
The specific model attacked in the recent campaign is the EdgeMarc Enterprise Session Border Controller. Such devices are commonly used by SMEs (small and medium-sized enterprises) to secure and handle real-time communication tasks such as phone calls, video conferencing, and similar channels. Because they act as a bridge between an organization's network and its ISP, these session border controllers are prime targets for threat actors who wish to launch DDoS (Distributed Denial-of-Service) attacks and collect sensitive information.
Thousands of Compromised Devices
The researchers at Qihoo 360's Network Security Research Lab first detected the EwDoor Botnet threat. They were also able to identify one of the threat actors' Command-and-Control (C2, C&C) servers. In just three hours, the researchers identified approximately 5,700 infected devices. Afterward, the attackers switched to a different C2 communication method. By checking the SSL certificates of the devices, 360 Netlab found that around 100,000 IP addresses were using the same SSL certificate.
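The certificate-sharing observation above is also useful defensively: an appliance that still presents the vendor's default certificate is easy to spot, because the same certificate fingerprint shows up across many unrelated hosts. The following script is an added example, not code from the article or from 360 Netlab. It clusters constructed TLS scan output (IP, SHA-256 certificate fingerprint, subject) by fingerprint and flags fingerprints shared by more hosts than a threshold; the scan format, the fingerprint values and the IP addresses are all made up for illustration.

```python
"""Flag TLS certificates shared across many scanned hosts.

Added example (not from the article or 360 Netlab). Scan lines, fingerprints
and addresses below are constructed placeholders, not real indicators.
"""
from collections import defaultdict

# Placeholder fingerprints (hex, 64 chars) - constructed, not real hashes.
FP_DEFAULT = "a1" * 32   # imagined vendor-default certificate
FP_UNIQUE1 = "b2" * 32   # imagined per-device certificate
FP_UNIQUE2 = "c3" * 32   # imagined per-device certificate

# Constructed scan output, one host per line: "<ip> <sha256-fingerprint> <subject>".
# Uses RFC 5737 documentation addresses so nothing here points at a real host.
SCAN_LINES = "\n".join([
    "# constructed scan output",
    f"203.0.113.10 {FP_DEFAULT} CN=edge-appliance",
    f"203.0.113.11 {FP_DEFAULT} CN=edge-appliance",
    f"198.51.100.7 {FP_UNIQUE1} CN=sbc.example.invalid",
    f"203.0.113.12 {FP_DEFAULT} CN=edge-appliance",
    "192.0.2.99 malformed-line",          # deliberately malformed, skipped
    f"198.51.100.8 {FP_UNIQUE2} CN=voice.example.invalid",
    f"203.0.113.13 {FP_DEFAULT} CN=edge-appliance",
])


def parse_scan(text):
    """Parse scan lines into (ip, fingerprint, subject) tuples.

    Blank lines and '#' comments are ignored; lines without all three
    fields are skipped rather than raising, since scan output is often messy.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ip, fingerprint, subject = parts
        records.append((ip, fingerprint.lower(), subject))
    return records


def shared_certificates(records, min_hosts=3):
    """Return fingerprints presented by at least `min_hosts` distinct hosts.

    Each result is a dict with the fingerprint, the first subject seen for it,
    and the sorted list of hosts. Results are ordered by host count, largest
    first, so the most widely shared (likely default) certificate leads.
    """
    hosts_by_fp = defaultdict(set)
    subject_by_fp = {}
    for ip, fingerprint, subject in records:
        hosts_by_fp[fingerprint].add(ip)
        subject_by_fp.setdefault(fingerprint, subject)

    flagged = [
        {"fingerprint": fp, "subject": subject_by_fp[fp], "hosts": sorted(hosts)}
        for fp, hosts in hosts_by_fp.items()
        if len(hosts) >= min_hosts
    ]
    flagged.sort(key=lambda r: len(r["hosts"]), reverse=True)
    return flagged


if __name__ == "__main__":
    for entry in shared_certificates(parse_scan(SCAN_LINES)):
        print(f"{entry['fingerprint'][:16]}... ({entry['subject']}) "
              f"shared by {len(entry['hosts'])} hosts: {', '.join(entry['hosts'])}")
```

Run against real scan output, the threshold should be tuned to the size of the address space scanned; a handful of hosts sharing a certificate may be a legitimate load-balanced service, while the same subject across hundreds of unrelated addresses is the pattern the researchers used to size the exposed population.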
Analyzing the threat's functionality reveals that it is mostly geared towards launching DDoS attacks and establishing a backdoor into the victim's network. Current EwDoor Botnet versions are equipped with six main features: the malware can update itself, scan for ports, manipulate the file system, perform DDoS attacks, start reverse shells, and allow the attackers to execute arbitrary commands on the breached servers.
AT&T has stated that it was aware of the issue and had taken steps to mitigate its impact. So far, the company has found no evidence that the data of its customers has been compromised.