EWDoor malware infected the networking equipment of AT&T, which protects and manages communications of the mobile carrier.
The said AT&T malware affected more than 5,700 subscibers.
EWDoor Malware Affects AT&T Subscribers
Chinese cybersecurity company, Qihoo 360, found out that thousands of networking equipment belonging to AT&T subscribers in the United States have been compromised with newly acquired malware, per Ars Technica.
Gizmodo reported that the AT&T malware acts as a backdoor, allowing an attacker to get into networks, steal data and engage in other activities.
Moreover, the said attacked device is named EdgeMarc Enterprise Session Border Controller. This tool is used by small and medium companies to protect and manage phone calls, video conferencing and other real-time communications.
In addition to this, session border controllers, the link connecting businesses and their Internet service providers, have access to a wide range of bandwidth and may obtain sensitive personal information, making it perfect for distributed denial of service (DDoS) attacks and data gathering.
Since the AT&T malware acts as a backdoor, it was named EWDoor by Qihoo 360, which is a word play of the "backdoor," referring to the fact that it affects Edgewater devices.
In addition to this, EWDoor malware can update on its own, do port scanning, organize files, DDoS attack, reverse shell, and unprecedented command execution.
For those who do not know what DDoS is, Kaspersky stated that it is a method of attack that takes advantage of internet resource capacity limitations.
The DDoS attack will make several demands towards the targeted online resource. Aside from this, it also aims to surpass the website's capabilities, accommodate numerous request and prevent it from working properly.
On the other hand, Qihoo 360 researchers identified the EWDoor malware after infiltrating a previously undisclosed botnet, revealing that it had affected at least 5,700 AT&T subscribers in the United States.
They also claimed to have discovered more than 100,000 devices using the same TLS certificate as the compromised devices, indicating that the total number of devices infected may be substantially larger.
TLS certificates are used to safeguard the users' data when it is being transferred, as well as to validate the website's company identification to guarantee that customers are communicating with real website owners, per Digicert.
How to Detect EwDoor Malware?
Since Qihoo 360 has identified the EWDoor malware, AT&T spokesperson Jim Greer provided a statement through Gizmodo.
In the said statement, Greer stated that they previously identified the said attack, took efforts to address it, and they are still looking into it.
Moreover, the spokesperson clarified that their evidence states that customer data were not accessed.
Furthermore, the creators incorporated numerous precautions to the malware to shield it from reverse engineering by researchers or its rivals.
Some of the said precautions includes the use of TLS encryption at the network level to avoid communication from being captured as well as encrypting the sensitive resources to make it more difficult to reverse.
However, if ever you want to know more about EWDoor, you should head to the researchers' page here.