A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using an exploit for a four-year-old, critical-severity blind command injection vulnerability.
The botnet, nicknamed EwDoor by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) devices.
EdgeMarc appliances support high capacity VoIP and data environments, bridging the gap between corporate networks and their service providers, in this case operator AT&T.
That role, however, requires the devices to be reachable from the public internet, which increases their exposure to remote attacks.
360 Netlab spotted the botnet on October 27, when the first attacks began targeting Internet-exposed and unpatched Edgewater Networks devices through the critical vulnerability CVE-2017-6079.
Nearly 6,000 compromised devices spotted in three hours
Researchers were able to take a quick look at the size of the botnet by registering one of its backup Command and Control (C2) domains and monitoring requests made from infected devices.
In the three hours they had before botnet operators switched to another C2 network communication model, 360 Netlab was able to detect approximately 5,700 infected devices.
"We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, owned by telecommunications company AT&T, and that all 5,700 active victims we saw during the short window of time were all located geographically in the United States," the researchers said in a report released today.
"By cross-checking the SSL certificates used by these devices, we found that there were approximately 100,000 IPs using the same SSL certificate. We do not know how many devices matching these IPs could be infected, but we can assume they belong to the same class of devices, the possible impact is real."
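The two measurements described above (counting distinct infected IPs that reach a sinkholed backup C2 domain within a time window, and estimating the wider exposed population by grouping IPs that present the same TLS certificate) can be reproduced with a short script. The following is an added example, not code from 360 Netlab's report; the log lines, IP addresses and certificate bytes are constructed sample data, and the log format and function names are assumptions.

```python
"""Added example (not from the 360 Netlab report): estimate a botnet population
from sinkhole logs and from a shared TLS certificate fingerprint.
All log lines, IPs and certificate bytes are constructed sample data."""
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# Constructed sinkhole access log, one line per request:
# "<ISO-8601 UTC timestamp> <source IP> <request>"
SINKHOLE_LOG = """\
2021-10-27T10:01:12Z 198.51.100.10 GET /ping
2021-10-27T10:01:15Z 198.51.100.11 GET /ping
2021-10-27T10:05:40Z 198.51.100.10 GET /ping
2021-10-27T11:30:00Z 203.0.113.7 GET /ping
2021-10-27T12:59:59Z 203.0.113.8 GET /ping
2021-10-27T13:00:01Z 203.0.113.9 GET /ping
2021-10-27T14:15:00Z 198.51.100.11 GET /ping
"""


def parse_sinkhole_log(text):
    """Yield (timestamp, source_ip) for every well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or truncated lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1]


def infected_ips(text, window_start, window_hours):
    """Distinct source IPs seen in [window_start, window_start + window_hours).

    Repeated check-ins from the same device are counted once, and requests
    outside the observation window are ignored."""
    end = window_start + timedelta(hours=window_hours)
    return {ip for ts, ip in parse_sinkhole_log(text) if window_start <= ts < end}


def hourly_unique(text):
    """Map each hour bucket ('YYYY-MM-DDTHH') to the number of distinct IPs seen."""
    buckets = {}
    for ts, ip in parse_sinkhole_log(text):
        buckets.setdefault(ts.strftime("%Y-%m-%dT%H"), set()).add(ip)
    return {hour: len(ips) for hour, ips in buckets.items()}


# Constructed scan results: IP -> DER certificate bytes served by the device.
# Real data would come from an internet-wide TLS scan; these are placeholders.
SHARED_CERT = b"constructed-device-cert-A"
OTHER_CERT = b"constructed-device-cert-B"
SCAN_CERTS = {
    "198.51.100.10": SHARED_CERT,
    "198.51.100.11": SHARED_CERT,
    "203.0.113.7": SHARED_CERT,
    "203.0.113.8": SHARED_CERT,
    "192.0.2.50": SHARED_CERT,  # same certificate, never seen at the sinkhole
    "192.0.2.51": SHARED_CERT,
    "192.0.2.99": OTHER_CERT,   # unrelated host with a different certificate
}


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate, as scanners commonly report it."""
    return hashlib.sha256(der_bytes).hexdigest()


def same_cert_population(scan_certs, confirmed_victims):
    """For each certificate fingerprint used by a confirmed victim, count how
    many scanned IPs present that same certificate. This bounds the exposed
    device class; it does not prove those extra hosts are infected."""
    victim_fps = {cert_fingerprint(scan_certs[ip])
                  for ip in confirmed_victims if ip in scan_certs}
    counts = Counter(cert_fingerprint(c) for c in scan_certs.values())
    return {fp: counts[fp] for fp in victim_fps}


if __name__ == "__main__":
    start = datetime(2021, 10, 27, 10, 0, 0)
    victims = infected_ips(SINKHOLE_LOG, start, window_hours=3)
    print(f"{len(victims)} distinct infected IPs in the 3-hour window")
    print("per-hour unique IPs:", hourly_unique(SINKHOLE_LOG))
    print("IPs sharing a victim certificate:",
          same_cert_population(SCAN_CERTS, victims))
```

The window bound is half-open so a check-in at exactly the end of the window is excluded, and the certificate count is reported separately from the sinkhole count because, as the researchers note, a shared certificate identifies the device class, not an infection.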
Our last blog is about EwDoor Botnet, all of its infected devices are located in the US, we saw around 6000 IPs compromised in a short 3 hour window of time https://t.co/1YHZZYqR3c
– 360 Netlab (@360Netlab) November 30, 2021
Backdoor with DDoS attack capabilities
After analyzing the versions captured since the discovery of EwDoor, 360 Netlab claims that the botnet is likely used to launch Distributed Denial of Service (DDoS) attacks and as a backdoor to access target networks.
It currently has six main features: automatic update, port scan, file management, DDoS attack, reverse shell, and execution of arbitrary commands on compromised servers.
“So far, the EwDoor, in our opinion, has undergone 3 versions of updates, and its main functions can be summarized in 2 main categories of DDoS and Backdoor attacks,” added 360 Netlab.
"Based on the fact that the attacked devices are related to telephone communication, we assume that its main purpose is DDoS attacks and the collection of sensitive information, such as call logs."
EwDoor uses TLS to hinder interception of its network traffic and encrypts its embedded resources to hinder malware scanning.
Additional technical details on the EwDoor botnet and Indicators of Compromise (IOCs), including C2 domains and malware sample hashes, can be found in the 360 Netlab report.