Thousands of AT&T Customers in the US Infected by New Data-Stealing Malware

Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday.

The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.

Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access.

“However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” Qihoo 360 researchers Alex Turing and Hui Wang wrote.

They said they have detected more than 100,000 devices accessing the same TLS certificate used by the infected controllers, an indication that the pool of affected devices may be much bigger. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” they added.

The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network.

  • (Score: 2) by MostCynical on Tuesday December 07, @12:40AM

    by MostCynical (2589) on Tuesday December 07, @12:40AM (#1202617) Journal

    they need to update their advertising

    ...enterprise SBC portfolio offers full-fledged service demarcation devices and protects your network against malicious attacks such as denial of service and toll fraud.

    Also, for non-network-tech people: difference between a firewall and a session border controller [2600hz.com]

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex

  • (Score: 0) by Anonymous Coward on Tuesday December 07, @12:53AM

    by Anonymous Coward on Tuesday December 07, @12:53AM (#1202618)

    Somehow, somewhere, at some point, you will be fucked - AT&T guarantees.

