An attacker has been targeting unpatched AT&T network edge devices via a brand new botnet dubbed EwDoor.
On October 27, 2021, researchers from Qihoo 360's Network Security Research Lab (netlab) discovered the attacks against 5,700 of AT&T's EdgeMarc Enterprise Session Border Controller devices located in the U.S.
The security firm said the attackers likely exploited an older vulnerability, CVE-2017-6079, on the affected EdgeMarc network devices and used EwDoor to launch distributed denial-of-service (DDoS) attacks and plant backdoors.
“Based on the fact that the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs,” netlab noted in the blog post.
“We have captured a total of 3 versions of EwDoor. With version 0.16.0 as a blueprint, we can characterize EwDoor as a botnet that sends C2 down through BT tracker, uses TLS to protect traffic, and mainly profits by means of DDoS attacks and sensitive data theft, which currently propagates through the Nday vulnerability CVE-2017-6079, mainly targeting EdgeMarc Enterprise Session Border Controller devices,” netlab added.
In addition, EwDoor supports other features such as self-updating, file management, reverse shell, port scanning, and arbitrary command execution. More recently, the botnet added BT tracker support and anti-sandbox (what netlab calls "sandbox confrontation") features.
The vulnerability CVE-2017-6079 is caused by a hidden page in the HTTP web-management application on Edgewater Networks EdgeMarc appliances that could allow an attacker to run user-defined commands, such as setting specific iptables routes. The vulnerability is rated Critical and has a CVSS score of 9.8.
Furthermore, an actor could use the page as a web shell to execute commands. The flaw has also been known to exist in firmware as old as 2006.