AT&T is currently facing a modular malware called EwDoor on 5,700 VoIP servers that route traffic from enterprise customers to upstream mobile providers. Researchers from NetLab first discovered the botnet attacking Edgewater Networks devices and leveraging a vulnerability in the EdgeMarc Enterprise Session Border Controllers. The flaw is tracked as CVE-2017-6079. Attackers had accessed vulnerable servers and installed a modular malware strain, according to researchers. The flaw exploited is a hidden page in the EdgeMarc appliance that allows for user-defined commands.
An attacker could use the aforementioned page as a web shell to execute commands; however, the client-side of the web application is reportedly unaffected by the vulnerability. NetLab was able to identify the devices as belonging to AT&T, and the telecommunications company confirmed the existence of the botnet. AT&T is reportedly taking steps to mitigate the botnet, and so far the company has not found any evidence that it has been weaponized or that customer data was accessed.
Read More: AT&T Takes Steps to Mitigate Botnet Found Inside Its Network