Thousands of AT&T Customers in the US Infected by New Data-stealing Malware

Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday. From a report: The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.

Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access. "However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US," Qihoo 360 researchers Alex Turing and Hui Wang wrote. They said they have detected more than 100,000 devices accessing the same TLS certificate used by the infected controllers, an indication that the pool of affected devices may be much bigger. "We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real," they added.

Of course they did...

[houstonbofh]

This continues to happen because remediation is cheaper then compliance for these large companies. As soon as that changes, they will do compliance.

Re: Of course they did...

[e3m4n]

According to TFA they exploited a default password. However, for at least the last 3 years their firmware requires you to change the password the minute you login the first time to configure the device. Min 8 characters, must include capitals, lowercase, numbers, and symbols. You can also establish an ACL for approved subnets so that you dont have to worry about dictionary attacks as well as enabling session management disabling the username root. Anyone running firmware > 15.0 should not be affected.

Re:

[campuscodi]

Chill dude! It's just the internet. Relax.

Re:

[Pascoea]

Don't feed the trolls.

edgemarc

[MONSTER_RANCHER]

This was a very nice device for self hosted voip back in the day, you could setup the edgemarc as a sbc and have it do all the work connecting to the voip providers sip and just connect your local freepbx, 3cx etc to the edgemarc. made it very easy to change providers as you just reconfigure the edgemarc and change nothing on your voip servers. You could put an edgerouter in front of it or not, I guess the people that did use an edgerouter ended up better off in the long run.

AT&T is also infected by assholes

[Tablizer]

they pulled Wells Fargo-like tricks on us: ghost charges for multiple services we didn't ask for, and dragged their feet on correcting their billing mistakes. They should be Federally investigated.