AT&T takes action against DDoS botnet that hijacked VoIP servers

jtowner@townerkc.com Blog DDoS

DDoS Attacts

***Originally posted on Malware Catalin Cimpanu

AT&T said it’s investigating and has “taken steps to mitigate” a botnet that infected more than 5,700 VoIP servers located inside its network, a spokesperson has told The Record earlier today in DDoS attack.

All the infected devices were EdgeMarc Enterprise Session Border Controllers, a type of Voice-over-IP server designed to balance and reroute internet telephony traffic from smaller enterprise customers to upstream mobile providers.

According to Netlab, a network security division of Chinese tech giant Qihoo 360, a threat actor used an old exploit (CVE-2017-6079) to hack into unpatched EdgeMarc servers and install a modular malware strain named EwDoor.

“[W]e confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw […] were all geographically located in the US.”

Netlab EwDoor report

AT&T says it saw no evidence of data theft

The Chinese security firm said it’s been tracking the EwDoor botnet and its attacks since late October 2021, during which time the malware went through at least three versions.

An analysis of the malware revealed extensive backdoor and DDoS capabilities, which Netlab researchers suggested could be used to access devices to gather and steal sensitive information, such as VoIP call logs.

But AT&T says it has not seen any evidence to sustain Netlab’s assessment.

“We have no evidence that customer data was accessed,” the company said in an email earlier today.

DDoS ATT

Netlab said that the 5,700 estimate it provided today was gathered following a brief window of visibility into the botnet’s operations on November 8.

Internet-wide scans suggest that more than 100,000 devices are using the same SSL certificate used on EdgeMarc VoIP servers, but it’s unclear how many of these are vulnerable to CVE-2017-6079 and exposed to attacks.

Wanna get nerdy with us? Sign up for our emails!

November 17 2021

Lumen finds a third of the largest DDoS attack in Q3 targeted telecoms

jtowner@townerkc.com Blog cyber security, DDoS

DDoS

***Original post by Diana Goovaerts

Telecom sector prime target for complex DDoS attacks, warns Lumen Technologies’ cybersecurity report.

In its third Quarterly DDoS Report, Lumen revealed that 34% of the 500 largest DDoS attacks in Q3 took aim at the telecommunications sector. That figure compared to 9% of attacks in Q1 and 32% in Q2.

All told, the telecommunications industry faced 956 incidents in Q3, including both the largest bandwidth attack (612 Gbps) and the largest packet-based attack (252 Mpps) overall across all the segments Lumen tracked. The bandwidth attack marked a 49% increase from the largest seen in Q2, while the packet-rate attack was a whopping 91% bigger than the largest in the previous quarter. Just over half (52%) of attacks against telecommunications companies used a multi-vector approach and the longest incident lasted 6 days.

Mark Dehus, Lumen’s director of information security and threat intelligence, told Fierce there’s been an uptick in attacks on voice-over-IP services using a combination of different methods. The two most common are reflection and application specific attacks, he said.

In the former, an instigator sends a request to a server, prompting it to respond to and overwhelm the targeted IP address with a large amount of traffic. Application specific attacks, meanwhile, go after the specific protocols – like the Session Initiation Protocol (SIP) – that enable voice services and remote collaboration tools. Examples of entities and services which use SIP include mobile virtual network operators, which sometimes use SIP-enabled VoIP services to offload cellular traffic to their own networks; managed voice infrastructure and the operators that supply it; and video conferencing services, he said.

Dehus noted reflection attacks don’t necessarily require a lot of skill, meaning “actors that are not as sophisticated can launch” them and demand money either in advance of or during the incident to halt the attack. He added threat actors are increasingly using multi-vector attacks to amplify their impact and bypass the protective countermeasures companies might take.

Lumen is working to track misconfigured reflectors and what services are being abused in an effort to try to help prevent future attacks, Dehus said. “The more the telecom industry in general can do to help clean up these open reflectors, the more it will take away from the malicious actors in terms of their ability to launch extremely impactful DDoS attacks,” he added.