NetLab researchers discovered a malware strain targeting a vulnerability on AT&T devices, affecting 5,700 VoIP servers that route traffic to upstream mobile providers from enterprise customers.
The modular malware, dubbed EwDoor botnet, targeted Edgewater networks devices later determined to be AT&T’s EdgeMarc Enterprise Session Border Controllers.
According to the researchers, the threat actor exploited an unpatched vulnerability, CVE-2017-6079, on EdgeMarc servers to install the malware.
The researchers began tracking the botnet in October 2021 and say it primarily targeted victims “geographically located in the US.”
EwDoor botnet enables arbitrary commands on VoIP servers
According to the report published by NetLab, the network security division of Chinese firm Qihoo 360, the botnet exploits a flaw in a hidden EdgeMarc page that allows users to set custom commands.
The attackers use the page like a webshell to execute arbitrary commands. The frontend, however, is reportedly not affected by the flaw.
Additionally, they discovered that the botnet employs a C2 redundancy strategy: it downloads command-and-control server endpoints using a BT tracker, decrypts the tracker response to obtain the C2 servers, and only then reports device information and executes the related commands. The botnet also uses TLS encryption to prevent researchers from intercepting its traffic and identifying its characteristics.
The NetLab researchers have published a list of indicators of compromise (IoCs) and file hashes to help others detect potential compromise.
Botnet focuses on DDoS and information exfiltration
According to the researchers, the motive of the botnet is to execute distributed denial of service (DDoS) attacks and exfiltrate information from compromised VoIP servers.
“Based on the [fact that the] attacked devices are telephone-communication related, we presume that [EwDoor’s] main purpose is DDoS attacks, and gathering of sensitive information, such as call logs,” they suggested.
While the EwDoor botnet has undergone several updates, its main functions remain DDoS attacks and backdoor access. Its latest version also adds self-updating, port scanning, file management, and a reverse shell.
AT&T acknowledged the research findings and said it was taking steps to mitigate the risks facing internet-exposed VoIP servers. The telecom giant also said no customer data was accessed, and the flaw had not been weaponized.
Interestingly, the flaw exploited is a four-year-old vulnerability whose fixes were released 18 months later, according to Bugcrowd founder and CTO Casey Ellis.
Murali Palanisamy, Chief Solutions Officer for AppViewX, was skeptical of AT&T's assurances.
“While I’m pleased to see that AT&T is taking this responsibility to look into the botnet that infected more than 5,700 VoIP servers located inside its network, it’s troubling to see that Internet-wide scans suggest that more than 100,000 devices are using the same SSL certificate used on EdgeMarc VoIP servers,” said Palanisamy.
Up to 100,000 VoIP servers could be infected by EwDoor botnet
NetLab researchers only observed the requests made by infected VoIP servers before the malware switched to a different C2 server, and they detected the reported 5,700 compromised VoIP servers in just three hours. However, extensive internet scans revealed more than 100,000 VoIP servers using the same SSL certificate as the EdgeMarc VoIP servers.
“By back-checking the SSL certificates used by these devices, we found that there were about 100k IPs using the same SSL certificate,” the researchers wrote. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.”
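The "back-checking" the researchers describe amounts to fingerprinting each device's certificate and counting how many IPs present the same one; a certificate shared across a whole fleet is the signature of a vendor default. The following is an added example, not code from NetLab or from the article, that runs that check over a constructed inventory. The inventory, the host addresses and the certificate bodies are placeholders (the PEM bodies are not real X.509 DER), so only the grouping logic is meaningful.

```python
import base64
import hashlib
from collections import defaultdict


def _placeholder_pem(body: bytes) -> str:
    """Wrap constructed bytes in a PEM envelope so the parser below has
    realistic input. Real inventories would hold genuine certificate PEM."""
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed inventory: IP -> PEM text. Three hosts deliberately share one
# "vendor default" body; two carry unique certificates.
INVENTORY = {
    "203.0.113.10": _placeholder_pem(b"vendor-default-cert"),
    "203.0.113.11": _placeholder_pem(b"vendor-default-cert"),
    "203.0.113.12": _placeholder_pem(b"vendor-default-cert"),
    "198.51.100.5": _placeholder_pem(b"unique-cert-site-a"),
    "198.51.100.6": _placeholder_pem(b"unique-cert-site-b"),
}


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM block, hex-encoded.
    This is the fingerprint form scanners and browsers report, so values
    can be compared against other tooling's output."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body)
    return hashlib.sha256(der).hexdigest()


def group_by_fingerprint(inventory: dict) -> dict:
    """Map each certificate fingerprint to the list of hosts presenting it."""
    groups = defaultdict(list)
    for host, pem in inventory.items():
        groups[pem_fingerprint(pem)].append(host)
    return dict(groups)


def shared_certificates(inventory: dict, threshold: int = 2) -> dict:
    """Return only the fingerprints seen on at least `threshold` hosts.
    In a fleet that should issue per-device certificates, any such group is
    worth treating as a default or cloned certificate."""
    return {
        fp: hosts
        for fp, hosts in group_by_fingerprint(inventory).items()
        if len(hosts) >= threshold
    }


if __name__ == "__main__":
    for fp, hosts in shared_certificates(INVENTORY).items():
        print(f"{fp[:16]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the inventory would be filled from scan data or from `ssl.get_server_certificate((host, port))` for hosts one is authorised to probe; the grouping step is the same. A group that spans many unrelated networks is the cue to rotate to per-device certificates and to check whether other defaults (credentials, hidden management pages) shipped alongside.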
“SSL certificates are the identities for the devices, and that is used to validate who is connecting and if they are connecting to the right system,” explained Palanisamy. “Using the same SSL certificate for multiple devices is roughly similar to people making copies of the passport, which has only the family name and the whole extended family using the same passport.”
He noted that such SSL certificate reuse suggests the default certificate is copied along with the application, indicating that the application ships with default credentials and is insecure.
“These certificates, dubbed Wildcard Certificates, expose these devices to Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) as reported by NSA recently.”
Palanisamy urged AT&T to secure the thousands of other devices that could already have been compromised.
“AT&T needs to urgently take action here — Session Border Controllers (SBCs) handle phone calls from modern phones. The organization will also have to reimage and secure thousands of devices and look at the exposure they have and the back doors they have set up or accessed.”