A newly discovered botnet capable of mounting distributed denial-of-service (DDoS) attacks has been targeting unpatched Ribbon Communications EdgeMarc appliances belonging to telecom service provider AT&T, compromising them by exploiting a four-year-old flaw in the network appliances. The botnet was named EwDoor by the Netlab network security branch of Chinese tech giant Qihoo 360, which first spotted it on October 27, 2021; Netlab observed 5,700 compromised IP addresses in the United States during a brief three-hour window.
In our opinion, EwDoor has gone through three versions of updates so far, and its major functions may be divided into two categories: DDoS attacks and backdoor. We assume that the main goal of the attack is DDoS attacks and the collection of sensitive information, such as call records, because the attacked equipment is telephone-communication related. EwDoor spreads by exploiting a weakness in EdgeMarc devices; once installed, it can self-update, download files, open a reverse shell on the infected device, and execute arbitrary payloads, among other things.
The flaw in question is CVE-2017-6079, a command injection vulnerability affecting session border controllers that can be abused to execute malicious operations. Besides gathering information about the infected machine, EwDoor communicates with a remote command-and-control (C2) server, either directly or indirectly (using BitTorrent trackers to look up the C2 server's IP address), and then awaits further commands from the attackers.
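The tracker-based C2 lookup described above gives defenders a cheap heuristic: a voice appliance such as an EdgeMarc SBC has no business announcing to a BitTorrent tracker. The following detection example is added here and is not code from the article, Netlab or AT&T; the asset inventory, log format and host names are constructed, since the article publishes no indicators.

```python
import re
from typing import Dict, List, Optional

# Constructed asset inventory: which internal hosts are EdgeMarc/SBC appliances
# (hypothetical addresses; the article publishes no real indicators).
ASSETS: Dict[str, str] = {
    "10.20.0.15": "edgemarc-sbc",
    "10.20.0.16": "edgemarc-sbc",
    "10.20.1.40": "workstation",
}

# Constructed egress proxy/flow records in the form "src_ip dst_host dst_port path".
LOG_LINES = [
    "10.20.0.15 tracker.example.net 6969 /announce?info_hash=%AA%BB&peer_id=x",
    "10.20.1.40 tracker.example.net 6969 /announce?info_hash=%AA%BB&peer_id=y",
    "10.20.0.16 updates.vendor.example 443 /firmware/edgemarc.bin",
    "10.20.0.16 tracker2.example.org 80 /scrape?info_hash=%CC%DD",
    "malformed line",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)$")
# HTTP BitTorrent trackers expose the /announce and /scrape endpoints.
TRACKER_PATH_RE = re.compile(r"^/(announce|scrape)(\?|$)")


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log record; return None for unparsable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, host, port, path = m.groups()
    return {"src": src, "host": host, "port": int(port), "path": path}


def find_tracker_contacts(lines: List[str], assets: Dict[str, str]) -> List[dict]:
    """Return records where an SBC appliance talks to a BitTorrent tracker endpoint.
    Any hit is worth triage regardless of the destination's reputation, because the
    appliance itself should never generate such traffic."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip unparsable records instead of crashing the pipeline
        if assets.get(rec["src"]) != "edgemarc-sbc":
            continue  # only appliance-originated traffic is in scope
        if TRACKER_PATH_RE.match(rec["path"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_tracker_contacts(LOG_LINES, ASSETS):
        print(f"ALERT {h['src']} -> {h['host']}:{h['port']}{h['path']}")
```

The same rule can be keyed on destination port 6969 or on tracker reputation lists, but matching the announce/scrape path catches trackers on arbitrary ports.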
When asked for comment, AT&T stated, “We previously detected this vulnerability, have taken efforts to mitigate it, and are continuing to investigate,” adding that “we have no indication that customer data was accessed.”