AT&T is battling a modular malware dubbed EwDoor on 5,700 VoIP servers, but it could have a bigger wildcard-certificate issue.
AT&T is taking action to take down a botnet that had set up shop inside its network, infecting 5,700 VoIP servers that route traffic from enterprise customers to upstream mobile providers.
Researchers from Netlab, the network security division of Chinese tech giant Qihoo 360, first discovered what they characterized as a “brand-new botnet” attacking Edgewater Networks devices, using a vulnerability in EdgeMarc Enterprise Session Border Controllers tracked as CVE-2017-6079. Attackers had accessed vulnerable servers to install a modular malware strain that researchers dubbed “EwDoor,” they disclosed in a report published earlier this week.
The flaw that attackers exploited is a hidden page in the EdgeMarc appliance that allows user-defined commands, such as specific iptables routes, to be set. An attacker can use the page as a web shell to execute commands; however, the client side of the web application is not affected by the flaw.
Netlab eventually identified the devices as belonging to AT&T, which confirmed the existence of the botnet to analyst firm Recorded Future’s The Record.
“Based on the [fact that the] attacked devices are telephone-communication related, we presume that [the botnet’s] main purpose is [distributed denial-of-service] DDoS attacks, and collecting of sensitive information, such as call logs,” Netlab researchers wrote.
AT&T said it is taking “steps to mitigate” the botnet, and so far the company has not found evidence that it has been weaponized, according to the report published on The Record Wednesday.
“We have no evidence that customer data was accessed,” AT&T said in an email, according to the report.
Tracking a Botnet
Netlab researchers observed EwDoor undergoing four updates between Oct. 27 and Nov. 20 as they tracked the behavior of the botnet. The current version of the malware contains six main functions: self-updating, port scanning, file management, DDoS attack, reverse shell and arbitrary command execution, they said.
Despite the size of the botnet, EwDoor’s functionality is fairly straightforward, researchers said. After installation on an infected device, it collects device information, then performs a few common tasks such as establishing persistence, along with other functions.
After this, the malware decrypts a tracker and obtains its command-and-control (C2) server by accessing the tracker, then finally reports the collected device information to the C2 and executes its commands.
One interesting aspect of the botnet and the servers commandeered by attackers is that researchers found about 100,000 IPs using the same SSL certificate. SSL certificates act as identities for devices and are used to validate who is connecting to them and whether they are connecting to the correct system.
“We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is serious,” researchers wrote.
Wildcard SSL Certificates?
Indeed, the discovery of so many IPs using the same certificate could signal that AT&T has a more systemic problem within its network that allowed for the creation of the botnet and could pave the way for other attacks, said one security expert.
“Using the same SSL certificate for multiple devices is roughly similar to people making copies of a passport that has only the family name, and the whole extended family using the same passport,” said Murali Palanisamy, chief solutions officer for AppViewX, in an email to Threatpost. “It also generally means that the default certificate is not replaced or updated.”
Certificates like this are called wildcard certificates, he explained, and they expose devices to “application-layer protocols allowing cross-protocol attacks” (ALPACA), something the NSA warned about recently.
“One of the easiest ways to discover or fingerprint an application with default credentials is to check for default or identical certificates across multiple devices,” Palanisamy said. “This means either the device is not properly secured or configured with all the best practices.”
If this is the case, AT&T will have to “urgently take action” to secure any server or device exposed to an outside network to ensure that no one is accessing the network by exploiting unencrypted ports, he explained.
“The company will also have to reimage and secure thousands of devices and look at the exposure they have and the back doors they have installed or accessed,” Palanisamy added.
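The shared-certificate observation above is something a defender can check in their own TLS inventory before an attacker does. The following is an added example, not code from the article, Netlab or AT&T: it reads JSON-lines scan records (a constructed format with made-up hosts and fingerprints, not any real scanner's output) and reports every certificate fingerprint presented by more than one host, noting whether the subject is a wildcard name, whether the certificate is self-signed (a common trait of vendor default certificates, a general heuristic rather than a finding of the report) and whether it has expired.

```python
"""Added example (not from the article, Netlab or AT&T): flag TLS certificates
that are reused across many hosts, the condition the researchers observed.
The input format, field names and sample records are constructed for this
example, not a real scanner's output."""
import json
from collections import defaultdict

# Constructed scan records, one JSON object per host, as a simple TLS
# inventory tool might emit them. Fingerprints are made-up placeholders.
SAMPLE_SCAN = """
{"host": "198.51.100.10", "sha256": "aaaa1111", "subject": "CN=*.example-sbc.invalid", "issuer": "CN=*.example-sbc.invalid", "not_after": "2018-01-01"}
{"host": "198.51.100.11", "sha256": "aaaa1111", "subject": "CN=*.example-sbc.invalid", "issuer": "CN=*.example-sbc.invalid", "not_after": "2018-01-01"}
{"host": "198.51.100.12", "sha256": "aaaa1111", "subject": "CN=*.example-sbc.invalid", "issuer": "CN=*.example-sbc.invalid", "not_after": "2018-01-01"}
{"host": "203.0.113.5", "sha256": "bbbb2222", "subject": "CN=sbc5.example.invalid", "issuer": "CN=Example Internal CA", "not_after": "2026-06-30"}
{"host": "203.0.113.6", "sha256": "cccc3333", "subject": "CN=sbc6.example.invalid", "issuer": "CN=Example Internal CA", "not_after": "2026-06-30"}
"""


def parse_scan(text):
    """Parse JSON-lines scan output, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole report
    return records


def is_wildcard(subject):
    """True if the subject's CN is a wildcard name such as CN=*.example."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value.startswith("*."):
            return True
    return False


def find_shared_certificates(records, min_hosts=2, today="2021-12-03"):
    """Group hosts by certificate fingerprint and report every certificate
    presented by at least `min_hosts` hosts, with the traits a defender
    cares about: wildcard subject, self-signed (issuer equals subject, a
    usual sign of a vendor default certificate) and expiry."""
    by_fp = defaultdict(list)
    meta = {}
    for r in records:
        by_fp[r["sha256"]].append(r["host"])
        meta.setdefault(r["sha256"], r)
    findings = []
    for fp, hosts in by_fp.items():
        if len(hosts) < min_hosts:
            continue
        m = meta[fp]
        findings.append({
            "sha256": fp,
            "hosts": sorted(hosts),
            "wildcard": is_wildcard(m["subject"]),
            "self_signed": m["subject"] == m["issuer"],
            "expired": m["not_after"] < today,  # ISO dates compare lexically
        })
    # Largest clusters first: those are the fleet-wide defaults to fix first.
    return sorted(findings, key=lambda f: -len(f["hosts"]))


if __name__ == "__main__":
    for f in find_shared_certificates(parse_scan(SAMPLE_SCAN)):
        print(f"{f['sha256']}: {len(f['hosts'])} hosts, wildcard={f['wildcard']}, "
              f"self_signed={f['self_signed']}, expired={f['expired']}")
```

Run against a real inventory, each cluster the script prints is a set of devices that share one identity; the per-host fix is to replace the default with a per-device certificate from your own CA, and the cluster size tells you how many reimages that implies.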
Some parts of this short article are sourced from:
threatpost.com