AT&T is combating EwDoor, a piece of modular malware that has infected 5,700 VoIP servers to carry traffic from business clients to upstream mobile service providers, but a broader wildcard certificate issue may be lurking under the surface.
A report published by Netlab this week revealed that a new botnet targeting Edgewater Networks devices exploits a flaw in EdgeMarc Enterprise Session Border Controllers to gain access to vulnerable servers and install modular malware on them.
The new threat has been codenamed “EwDoor” and has been found on devices belonging to AT&T. Based on the details revealed so far, Netlab researchers concluded in a blog post that the botnet’s primary goals are to launch distributed denial of service (DDoS) attacks and to collect sensitive information, such as call records, given that the targeted devices are telephony equipment.
Researchers found that, once installed on an infected device, EwDoor collects information about the device and performs a few standard operations, such as establishing persistence. After that, the malware decrypts a tracker and connects to its command-and-control (C2) server through it. Next, the malware sends the data it has collected to the C2 server and executes the commands it receives.
In response to the report, AT&T stated that it has no evidence of unauthorized access to customer data. Further details about the EwDoor botnet’s activity show that the malware was updated four times between October 27 and November 20. The latest version is reported to be able to self-update, scan ports, manage files, perform DDoS attacks, and execute a reverse shell and arbitrary commands.
Researchers discovered that roughly 100,000 IPs were using the same SSL certificate, an intriguing detail about the botnet and the servers the attackers have hijacked. An SSL certificate serves as a device’s identity, and a client uses it to confirm that it is connecting to the intended system; a certificate shared across many devices therefore no longer identifies any one of them. No one knows exactly how many devices behind these IPs are affected, but experts assume the threat is real since all the infected devices are of a similar type.
As one security expert pointed out, the discovery of so many IPs using the same certificate may indicate that AT&T’s network has a larger systemic issue that allows botnets like this one to take it over. If so, AT&T should urgently protect all servers and devices exposed to an outside network to prevent unauthorized access via unencrypted ports. Aside from re-imaging and securing thousands of devices, the company would also have to audit what exposure these devices have and any back doors that have been configured on them.
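The shared-certificate finding above is something a defender can check for in their own fleet: collect the certificate each host presents and group hosts by certificate fingerprint, so that one certificate served by many hosts stands out. The script below is an added example, not code from Netlab or AT&T. It assumes the certificates have already been gathered (for instance from a TLS scanner's PEM output) and takes them as a list of `(host, pem)` pairs; the hosts and certificate bodies it embeds are constructed placeholders, and the PEM blobs are not real X.509 certificates, only base64-wrapped bytes so the example runs offline.

```python
"""Group TLS certificates observed on a fleet by SHA-256 fingerprint.

Added example, not the project's or report's own code. Hosts and certificate
bodies are constructed placeholders (203.0.113.0/24 is a documentation range).
"""
import base64
import hashlib
import ssl
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def pem_fingerprint(pem: str) -> Optional[str]:
    """SHA-256 fingerprint of a PEM certificate as colon-separated hex (the
    form `openssl x509 -fingerprint -sha256` prints), or None when the input
    is not decodable PEM (missing header/footer or bad base64)."""
    try:
        der = ssl.PEM_cert_to_DER_cert(pem.strip())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_certificates(
    observations: List[Tuple[str, str]], threshold: int = 2
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (shared, unparsed): `shared` maps each fingerprint presented by
    at least `threshold` distinct hosts to the sorted list of those hosts;
    `unparsed` lists hosts whose certificate could not be decoded, so that
    scanner errors are reported rather than silently dropped."""
    hosts_by_fp: Dict[str, set] = defaultdict(set)
    unparsed: List[str] = []
    for host, pem in observations:
        fp = pem_fingerprint(pem)
        if fp is None:
            unparsed.append(host)
            continue
        hosts_by_fp[fp].add(host)
    shared = {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
              if len(hosts) >= threshold}
    return shared, unparsed


def make_placeholder_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armor. Constructed stand-in for scanner
    output; NOT a real certificate, but enough for fingerprint grouping."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample: five hosts present one identical certificate, one host
# presents a different certificate, and one host returned no certificate.
CERT_A = make_placeholder_pem(b"placeholder-cert-A-shared-across-devices")
CERT_B = make_placeholder_pem(b"placeholder-cert-B-unique-to-one-device")
SAMPLE_OBSERVATIONS: List[Tuple[str, str]] = [
    ("203.0.113.11", CERT_A),
    ("203.0.113.12", CERT_A),
    ("203.0.113.13", CERT_A),
    ("203.0.113.14", CERT_A),
    ("203.0.113.15", CERT_A),
    ("203.0.113.42", CERT_B),
    ("203.0.113.77", "ERROR: connection reset before handshake"),
]


if __name__ == "__main__":
    shared, unparsed = shared_certificates(SAMPLE_OBSERVATIONS, threshold=3)
    for fp, hosts in shared.items():
        print(f"certificate {fp} presented by {len(hosts)} hosts: {hosts}")
    if unparsed:
        print(f"no decodable certificate from: {unparsed}")
```

A certificate that appears on many unrelated hosts usually means the private key is shared as well, typically a default certificate baked into firmware or cloned images, so the certificate no longer proves which device a client is talking to. The threshold is deliberately a parameter: a handful of hosts behind one load balancer legitimately share a certificate, while a fingerprint spread across hundreds of edge devices is worth an inventory and re-issuance effort.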