AT&T is battling a modular malware called EwDoor on 5,700 VoIP servers, but it could have a larger wildcard certificate problem.
AT&T is working to take down a botnet that had set up shop inside its network, infecting 5,700 VoIP servers that route traffic from enterprise customers to upstream mobile providers.
Researchers from Netlab, a network security division of Chinese tech giant Qihoo 360, first discovered what they characterized as a “brand-new botnet” attacking Edgewater Networks devices, using a vulnerability in EdgeMarc Enterprise Session Border Controllers, tracked as CVE-2017-6079. Attackers had accessed vulnerable servers to install a modular malware strain that the researchers dubbed “EwDoor,” Netlab disclosed in a report published earlier this week.
The flaw that attackers exploited is a hidden page in the EdgeMarc appliance that allows user-defined commands, such as specific iptables routes, to be set. An attacker can use the page as a web shell to execute commands; however, the client side of the web application is not affected by the flaw.
Netlab eventually identified the devices as belonging to AT&T, which confirmed the existence of the botnet to analyst firm Recorded Future’s The Record.
“Based on the [fact that