FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs
EwDoor botnet targets AT&T network edge devices at US firms
Android banking malware infects 300,000 Google Play users
Finland warns of Flubot malware heavily targeting Android users
Mozilla fixes critical bug in cross-platform cryptography library
Microsoft Exchange servers hacked to deploy BlackByte ransomware
Get this pocket-sized 4K projector for $200 in extended Cyber Monday
Europol: 18k money mules caught laundering money from online fraud
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
New EwDoor botnet targets AT&T network edge devices at US firms
A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old critical severity Blind Command Injection security flaw.
The botnet, dubbed EwDoor by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices.
EdgeMarc appliances support high-capacity VoIP and data environments, bridging the gap between enterprise networks and their service providers, in this case, the AT&T carrier.
However, this also requires the devices to be publicly exposed to the Internet, increasing their exposure to remote attacks.
360 Netlab spotted the botnet on October 27 when the first attacks targeting Internet-exposed Edgewater Networks’ devices unpatched against the critical CVE-2017-6079 vulnerability started.
The researchers were able to take a quick look at the botnet’s size by registering one of its backup command-and-control (C2) domains and monitoring the requests made from infected devices.
During the three hours they had before the botnet’s operators switched to a different C2 network communication model, 360 Netlab could spot roughly 5,700 infected devices.
“We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” the researchers said in a report published today.
“By back-checking the SSl certificates used by these devices, we found that there were about 100k IPs using the same SSl certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.”
Our latest blog is about EwDoor Botnet, all its infected devices are located in US, we saw around 6k compromised ips in a short 3 hours time window https://t.co/1YHZZYqR3c
After analyzing the versions captured since they discovered EwDoor, 360 Netlab says the botnet is likely used to launch distributed denial-of-service (DDoS) attacks and as a backdoor to gain access to the targets’ networks.
It currently has six major features: self-updating, port scanning, file management, DDoS attack, reverse shell, and execution of arbitrary commands on compromised servers.
“So far, the EwDoor in our view has undergone 3 versions of updates, and its main functions can be summarized into 2 main categories of DDoS attacks and Backdoor,” 360 Netlab added.
“Based on the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs.”
EwDoor uses TLS encryption to block network traffic interception attempts and encrypts resources to block malware analysis.
Additional technical details on the EwDoor botnet and indicators of compromise (IOCs), including C2 domains and malware sample hashes, can be found in 360 Netlab’s report.
Update: An AT&T spokesperson told BleepingComputer that the company found no evidence of customers’ data being accessed as a result of these attacks.
“We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed,” AT&T said.
Flubot Android malware now spreads via fake security updates
Emotet botnet comeback orchestrated by Conti ransomware gang
Microsoft Authenticator gets new enterprise security features
Here are the new Emotet spam campaigns hitting mailboxes worldwide
Emotet malware is back and rebuilding its botnet via TrickBot
Not a member yet? Register Now
Microsoft Defender scares admins with Emotet false positives
DNA testing firm discloses data breach affecting 2.1 million people
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Marine services provider Swire Pacific Offshore hit by ransomware

Hackers exploit Microsoft MSHTML bug to steal Google, Instagram credsApple sues spyware-maker…

Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS

TellYouThePass ransomware revived in Linux, Windows Log4j attacksCredit card info of 1.8…

DHS announces 'Hack DHS' bug bounty program for vetted researchers

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flawsBugs in billions…

Microsoft fixes bug blocking Defender for Endpoint on Windows Server

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flawsNew ransomware now…