
Unpatched, old vulnerabilities in networking devices have allowed a noxious malware to infect thousands of AT&T customers in the U.S. The malware basically functions as a backdoor, one that could allow an attacker to penetrate networks, steal data, and carry out other unsavory activity. It targeted at least 5,700 U.S.-based AT&T subscribers.
The malware appears to have seeped into users’ enterprise network edge devices via a bug that was originally discovered back in 2017. Edge devices, which help businesses connect their networks to ISPs, are common targets for malware infection and cyberattacks.
The affected devices are EdgeMarc Enterprise Session Border Controllers, produced by Ribbon Communications (formerly named Edgewater), which are commonly used by small and mid-sized businesses to manage and secure internal communications like voice and video calls.
The malware compromised these controllers via a bug, tracked as CVE-2017-6079, for which a patch was ostensibly issued way back in 2018.
The malware in question apparently has the capability to enable DDoS attacks, port scanning, file management, and the execution of arbitrary commands, meaning, basically, that an attacker could have quite a field day with your network, including data theft and the disruption of services.
All 5.7k active victims that we saw during the short time window were all geographically located in the US. The number of devices using the same TLS certificate is apparently about 100,000.
Indicators of Compromise
C2C
- port: 53, 443, 13433