April 2, 2023

Unpatched, old vulnerabilities in networking devices have allowed a noxious malware to infect thousands of AT&T customers in the U.S. The malware functions as a backdoor, one that could allow an attacker to penetrate networks, steal data, and carry out other unsavory activity; it has targeted at least 5,700 U.S.-based AT&T subscribers.

The malware appears to have seeped into users’ enterprise network edge devices via a bug that was originally discovered back in 2017. Edge devices, which help businesses connect their networks to ISPs, are common targets for malware infection and cyberattacks.


The affected devices are EdgeMarc Enterprise Session Border Controllers, produced by Ribbon Communications (formerly named Edgewater), which are commonly used by smaller and mid-sized businesses to manage and secure internal communications like voice and video calls.

The malware compromised these controllers via a bug, tracked as CVE-2017-6079, for which a patch was ostensibly issued way back in 2018.

The malware in question apparently has the capability to enable DDoS attacks, port scanning, file management, and the execution of arbitrary commands, meaning, basically, that an attacker could have quite a field day with your network: data theft and the disruption of services.


All 5.7k active victims that we saw during the short time window were geographically located in the US. The number of devices using the same TLS certificate is apparently about 100,000.

Indicators of Compromise

