Thousands of AT&T Subscribers Infected With Data-Pilfering Malware, Researchers Say

Photo: Justin Sullivan, Getty Images

Unpatched, years-old vulnerabilities in networking devices have allowed noxious malware to infect thousands of AT&T customers in the U.S., a new report from a Chinese cybersecurity company claims. The malware basically functions as a backdoor, one that could allow an attacker to penetrate networks, steal data, and carry out other unsavoury activity.

The unfortunate infections were recently uncovered by researchers with security firm Qihoo 360 after they infiltrated a previously unknown botnet and discovered that it had targeted at least 5,700 U.S.-based AT&T subscribers. (Botnets are networks of malware-infected devices that can be controlled by one centralised party; they are often used to conduct cyberattacks or engage in other, coordinated criminal activity.)

In this particular case, the malware in question appears to have seeped into users’ enterprise network edge devices via a bug that was originally discovered back in 2017. Edge devices, which help businesses connect their networks to ISPs (in this case, AT&T), are common targets for malware infection and cyberattacks.

The affected devices are EdgeMarc Enterprise Session Border Controllers, produced by Ribbon Communications (formerly named Edgewater), which are commonly used by smaller and mid-sized businesses to manage and secure internal communications — like voice and video calls.

The malware compromised these controllers via a bug, tracked as CVE-2017-6079, for which a patch was ostensibly issued way back in 2018, Ars Technica reports. However, if users never patched this security flaw, it would have left them open to a whole lot of trouble indeed.

Qihoo 360 researchers say that the malware in question apparently has the capability to enable DDoS attacks, port scanning, file management, and the execution of arbitrary commands — meaning, basically, that an attacker could have quite a field day with your network. Data theft and the disruption of services would all be up for grabs, hypothetically.

There is some question as to how many devices have actually been infected. Ars Technica, which initially reported on the research, notes that it’s “not clear if AT&T or EdgeMarc manufacturer Edgewater (now named Ribbon Communications) ever disclosed the vulnerability to users.” The overall size of the malware infection could be much larger than the 5,700-ish devices that the researchers initially observed.

“All 5.7k active victims that we saw during the short time window were all geographically located in the US,” the researchers write. However, they say the number of devices using the same TLS certificate is apparently about 100,000. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” they said.

When reached for comment, AT&T spokesperson Jim Greer provided Gizmodo with the following statement:

“We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed.”

It wasn’t immediately clear what mitigating steps were possible. If you’re worried about this, though, it might be a good idea to head to the researchers’ page to look at the indicators of compromise. We also reached out to Ribbon Communications for comment and will update this story if they reply.