According to a new analysis from a Chinese cybersecurity firm, unpatched, years-old vulnerabilities in networking gear allowed a virulent piece of malware to infect thousands of AT&T users in the United States.
The malware acts as a backdoor, allowing an attacker to break into networks, steal data, and engage in other nefarious activities.
Researchers from security firm Qihoo 360 recently found the infections after infiltrating a previously undisclosed botnet and discovering that it had targeted at least 5,700 AT&T subscribers in the United States. (Botnets are networks of malware-infected devices that may be managed by a single entity; they’re frequently used to carry out cyberattacks or other coordinated criminal behaviour.)
In this case, the malware appears to have infiltrated customers’ workplace network edge devices using a weakness disclosed in 2017. Edge devices, which allow organisations to connect their networks to ISPs (in this case, AT&T), are regular targets for malware infection and cyberattacks.
The impacted devices are Ribbon Communications’ (previously known as Edgewater) EdgeMarc Enterprise Session Border Controllers, which are extensively used by small and mid-sized enterprises to manage and protect internal communications such as audio and video calls.
The malware infiltrated these devices through a weakness identified as CVE-2017-6079, for which a fix was reportedly released in 2018, according to Ars Technica. Users who had not applied that fix, however, were left exposed.
According to Qihoo 360 experts, the malware in question is capable of enabling DDoS attacks, port scanning, file management, and the execution of arbitrary commands. In short, an attacker could have a field day with your network.
Data theft and service disruption would, in theory, be within easy reach.
How many devices have actually been infected is a subject of debate. “It’s not clear if AT&T or EdgeMarc manufacturer Edgewater (now dubbed Ribbon Communications) ever disclosed the vulnerability to users,” according to Ars Technica, which first reported on the findings. The overall extent of the malware outbreak could be far greater than the researchers’ first estimate of 5,700 devices.
The researchers add, “All 5.7k active victims that we saw during the short time window were all geographically located in the United States.” However, they estimate that around 100,000 devices are utilising the same TLS certificate.
“We do not even know how many devices connected with all these IPs could be infected,” they stated, “but we can speculate that just because they belong to the same class of devices, the potential impact is real.”
When contacted for comment, AT&T spokesperson Jim Greer issued the following statement to Gizmodo:
“We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed.”
It wasn’t immediately clear what mitigation measures were available, but if you’re concerned, you should visit the researchers’ page and look at the indicators of exposure.