Posted on December 14, 2021 at 5:44 PM
Up to 100,000 VoIP Servers Compromised By ewDoor botnet, Researchers Report
NetLab researchers have discovered a vulnerability on AT&T devices that allowed hackers to plant malware strain that affects 5,700 VoIP servers.
According to the report, the malware, named ewDoor botnet, targets Edgewater network devices as the hackers exploited an unpatched bug on EdgeMarc servers to plant the malware.
The researchers stated that they discovered the botnet in October 2021 and have been tracking it since then. They also stated that the botnet specifically targets victims based in the United States.
The Botnet Used A C2 Redundancy Strategy
The botnet exploited a vulnerability in a hidden EdgeMarc page that enables the users to set custom commands. The threat actors then use the page as a webshell to execute arbitrary commands, although the frontend was not impacted by the vulnerability.
In addition, the researchers stated that the botnet utilized a C2 redundancy strategy by downloading command-and-control server endpoints via a BT tracker.
Before delivering its reports on the device information and executing related commands, the botnet decrypts the tracker to obtain C2 servers.
In addition, the botnet deploys TLS encryption to stay under the radar and avoid being detected by security researchers. It also tries to circumvent security protocols and avoid any interceptions of its traffic, which would allow researchers to identify its characteristics.
The NetLab researchers have also published file hashes and a list of compromise indicators to help other companies and security firms easily detect potential compromise.
The researchers also noted that the botnet’s aim is the execution of distributed denial of service (DDoS) attacks and stealing vital information from already compromised VoIP servers.
AT&T Says The Vulnerability Was Not Weaponized
The main purpose of the EwDoor botnet remains backdoor functionality and DDoS attacks, although it has gone through several updates since it was developed. The latest version now includes other functions such as reverse shell, file management, port scanning, and self-updating mechanisms, according to the researchers.
AT&T responded to the research findings by acknowledging the vulnerability, adding that it’s tang steps to mitigate the risks facing internet-exposed VoIP servers. According to the company, the vulnerability and eventual exploitation did not have any impact on customer data as none was accessed. The telecom giant also noted that the vulnerability has not been weaponized and no attack has been recorded.
However, Chief Solutions Officer for AppViewX, Murali Palanisamy, did not share in the company’s safety assurances.
He stated that there should be concerns that internet-wide scans show that over 100,000 devices are utilizing the same SSL certificate used on EdgeMarc VoIP servers. However, Palanisamy added that it’s encouraging to see that AT&T is seriously looking into the situation that has impacted more than 5,700 VoIP servers in its network.
The vulnerability, according to the researchers, has been in the server for almost four years, but patches were released 18 months later, according to Casey Ellis, founder and Chief Executive Officer of Bugcrowd.
More VoIP Servers Could Be Exploited
NetLab researchers admitted that they only looked into the requests made by affected VoIP servers before the botnet moved to a different C2 server. The compromised VoIP servers were detected and reported in under 3 hours. But they noted that more devices could be affected. After an extensive internet scan, it was revealed that over 100,000 VoIP servers utilizing the same SSL certificate on EdgeMarc VoIP servers are at risk of exploitation.
The researchers added that they are not sure how many devices having these IPs could be affected due to the vulnerability. But on speculation, the possible impact is real since they belong to the same class of devices.
He stated that the reuse of SSL shows that the default certificate is copied along with the application, which has the whole extended family utilizing the same passport.
The devices use an SSL certificate, which is used to validate the connecting device and whether they are connecting to the right system. The certificates expose the devices to Application Layer Protocols, which allows Cross-Protocol Attacks, Palanisamy added.
He suggested that it’s important for the company to try and secure not only the 5,700 devices but thousands of other devices that could be compromised as well.
He also advised that AT&T should reimage and secure the thousands of devices since the company is not sure about their safety status.