New EwDoor Botnet Targeting Unpatched AT&T Network Edge Devices

2021-12-01 06:13

A newly discovered botnet capable of staging distributed denial-of-service attacks targeted unpatched Ribbon Communications EdgeMarc appliances belonging to telecom service provider AT&T by exploiting a four-year-old flaw in the network appliances.

Chinese tech giant Qihoo 360's Netlab network security division, which detected the botnet first on October 27, 2021, called it EwDoor, noting it observed 5,700 compromised IP addresses located in the U.S. during a brief three-hour window.

"So far, the EwDoor in our view has undergone three versions of updates, and its main functions can be summarized into two main categories of DDoS attacks and backdoor," the researchers noted.

"Based on the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs."

Propagating through a flaw in EdgeMarc devices, EwDoor supports a variety of features, including the ability to self-update, download files, obtain a reverse shell on the compromised machine, and execute arbitrary payloads.

EwDoor, besides gathering information about the infected system, also establishes communications with a remote command-and-control server, either directly or indirectly using BitTorrent Trackers to fetch the C2 server IP address, to await further commands issued by the attackers.

News URL

https://thehackernews.com/2021/12/new-ewdoor-botnet-targeting-unpatched.html

#at&t #botnet #edge