Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday.
The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.
Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access.
“However, during this brief observation, we confirmed that the attacked devices were
EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” Qihoo 360 researchers Alex Turing and Hui Wang wrote.
They said they have detected more than 100,000 devices accessing the same TLS certificate used by the infected controllers, an indication that the pool of affected devices may be much bigger. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” they added.
Default credentials strike again
The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network. The vulnerability stemmed from an account in the device that, as Davis learned from this document, had the username and password of “root” and “default.”
Because the vulnerability gives people the ability to remotely gain unfettered root access, its severity rating carried a 9.8 out of a possible 10. A year after the vulnerability came to light, exploit code became available online.
But it’s not clear if AT&T or EdgeMarc manufacturer Edgewater (now named Ribbon Communications) ever disclosed the vulnerability to users. A document available by FTP here, shows the vulnerability was fixed in December, 2018, more than 19 months after Spencer disclose it. It appears the patch required manual updates, a process that can be tedious.
An AT&T spokesman said: “We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed.” He didn’t elaborate on when AT&T identified the threats, what the mitigation steps are, whether they were successful, or if the company could rule out data access. The spokesman didn’t respond to a follow-up email.
Qihoo 360 is calling the malware EWDoor, a play on it being a backdoor affecting Edgewater devices. Functions supported by the malware include:
- Self updating
- Port scanning
- File management
- DDoS attack
- Reverse shell
- Execution of arbitrary commands
The basic logic of the backdoor is depicted below:
To protect the malware against reverse engineering by researchers or competitors, the developers added several safeguards, including:
- Use of TLS encryption at the network level to prevent communication from being intercepted
- Encryption of sensitive resources to make it more difficult to reverse
- Moving the command server to the cloud that works with a BT tracker to obscure activity
- Modification of the “ABIFLAGS” PHT in executable file to counter qemu-user and some high kernel versions of the linux sandbox. “This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices,” the researchers said.
Anyone using one of the affected models should visit Tuesday’s post to obtain indicators of compromise that will show if their device is infected. Readers who find evidence their device has been hacked: Please email me or contact me at +1650-440-4479 by Signal. This post will be updated if additional information becomes available.
Post updated to report FTP document indicating the vulnerability was fixed by December 2018.
Author: Dan Goodin