A newly discovered botnet capable of staging distributed denial-of-service (DDoS) attacks has targeted unpatched Ribbon Communications (formerly Edgewater Networks) EdgeMarc network appliances belonging to telecom service provider AT&T by exploiting a four-year-old flaw in those appliances.
Chinese tech giant Qihoo 360's Netlab network security division, which first detected the botnet on October 27, 2021, named it EwDoor, noting that it observed 5,700 compromised IP addresses located in the U.S. during a brief three-hour window.
"So far, the EwDoor in our view has undergone 3 versions of updates, and its main functions can be summarized into two main categories of DDoS attacks and backdoor," the researchers noted. "Based on the attacked devices being telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs."
Propagating via a flaw in EdgeMarc devices, EwDoor supports a variety of features, including the ability to self-update, download files, obtain a reverse shell on the compromised device, and execute arbitrary payloads. The vulnerability in question is CVE-2017-6079 (CVSS score: 9.8), a command injection flaw affecting the session border controllers that can be weaponized to execute malicious commands.
Besides gathering information about the infected device, EwDoor also establishes communications with a remote command-and-control (C2) server, either directly or indirectly by using BitTorrent trackers to fetch the C2 server's IP address, and then awaits further commands issued by the attackers.
When reached for a statement, AT&T said, "We previously identified this issue, have taken steps to mitigate it and continue to investigate," and that "we have no evidence that customer data was accessed."