奇虎360 (Qihoo 360) about AT&T data-stealing malware on 12/1/2021?
2024/05/05 21:16
5/9/2024 Does it happen to a bank-related investment company?
Today when I tried to make a copy, I found the Summary showed +$707.02 (+0.06%), different from the Details holdings, which showed +$1,040.80 (up +0.08%).
I clicked Summary again and it jumped up a bit; I clicked Details and it went down to $611.27 (0.05%), so I kept switching until both became the same, +$1,040.80 (up +0.08%).
But when I clicked again, both changed to different amounts...
I had no choice but to call, and his answer really shocked me: the data I saw is for 5/8/2024, and not until after 12 AM (i.e., 5/10) can I see today's (5/9) data. I wanted him to make sure that after 12 AM I can still see each mutual fund's/stock's daily closing unit price, up/down value and increase/decrease %, plus the total investment amount's increase/decrease with percentage. I would wait till after 12 AM to make the copy; if it is not what he told me, I would call back. He told me I can call till 6 AM (PM?).
In the past this happened and I was told it is better to make the copy after 7 PM; now it has become after 12 AM. In the past, after 12 AM I could not see the daily unit price, the up or down value with percentage, or the total amount's up or down value with percentage, because all reset to 0.
PS: I must make the copy before 8 AM (Central Time) or I cannot verify the closing unit price by online search if I suspect something.
Thousands of AT&T customers in the US infected by new data-stealing malware
Malware exploits 2017 vulnerability in a widely used network edge device.
Dan Goodin - 12/1/2021, 7:24 AM

Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday.

The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.

Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access.

“However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” Qihoo 360 researchers Alex Turing and Hui Wang wrote.

They said they have detected more than 100,000 devices accessing the same TLS certificate used by the infected controllers, an indication that the pool of affected devices may be much bigger. “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” they added.
Default credentials strike again

The vulnerability being exploited to infect the devices is tracked as CVE-2017-6079, a command-injection flaw that penetration tester Spencer Davis reported in 2017 after using it to successfully hack a customer’s network. The vulnerability stemmed from an account in the device that, as Davis learned from this document, had the username and password of “root” and “default.”

Because the vulnerability gives people the ability to remotely gain unfettered root access, its severity rating carried a 9.8 out of a possible 10. A year after the vulnerability came to light, exploit code became available online.

But it’s not clear if AT&T or EdgeMarc manufacturer Edgewater (now named Ribbon Communications) ever disclosed the vulnerability to users. A document available by FTP here shows the vulnerability was fixed in December 2018, more than 19 months after Davis disclosed it. It appears the patch required manual updates, a process that can be tedious.

An AT&T spokesman said: “We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed.” He didn’t elaborate on when AT&T identified the threats, what the mitigation steps are, whether they were successful, or if the company could rule out data access. The spokesman didn’t respond to a follow-up email.

Qihoo 360 is calling the malware EwDoor, a play on it being a backdoor affecting Edgewater devices. Functions supported by the malware include:

Self updating
Port scanning
File management
DDoS attack
Reverse shell
Execution of arbitrary commands

The basic logic of the backdoor is depicted below:
To protect the malware against reverse engineering by researchers or competitors, the developers added several safeguards, including:
Use of TLS encryption at the network level to prevent communication from being intercepted
Encryption of sensitive resources to make it more difficult to reverse
Moving the command server to the cloud that works with a BT tracker to obscure activity
Modification of the "ABIFLAGS" PHT in the executable file to counter qemu-user and some high kernel versions of the Linux sandbox. “This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices,” the researchers said.

Anyone using one of the affected models should visit Tuesday’s post to obtain indicators of compromise that will show if their device is infected. Readers who find evidence their device has been hacked: Please email me or contact me at +1650-440-4479 by Signal. This post will be updated if additional information becomes available.
Post updated to report FTP document indicating the vulnerability was fixed by December 2018.
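The "ABIFLAGS" PHT countermeasure listed above is easier to reason about when you can see the structure it abuses. What follows is an added example, not code from the Ars article or from 360 Netlab's report: a small ELF program-header parser that locates the MIPS-specific PT_MIPS_ABIFLAGS segment and flags the condition qemu-user's loader rejects (a segment shorter than the 24-byte Elf_Mips_ABIFlags_v0 structure), plus an out-of-file-bounds check and an fp_abi range check that is my own sanity heuristic. The sample images it scans are constructed in-line by build_mips_elf() and are not EwDoor samples; nothing here reproduces the actual modification the researchers observed.

```python
import struct

PT_MIPS_ABIFLAGS = 0x70000003   # MIPS-specific program header type (PT_LOPROC + 3)
EM_MIPS = 8
ABIFLAGS_V0_SIZE = 24           # sizeof(Elf_Mips_ABIFlags_v0)
VALID_FP_ABI = range(0, 8)      # Val_GNU_MIPS_ABI_FP_ANY .. _64A; used here as an assumed sanity bound


def parse_phdrs(data):
    """Return (e_machine, list of program headers) for an ELF32/ELF64 image of either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    e_machine = struct.unpack_from(end + "H", data, 18)[0]
    if ei_class == 1:                                   # ELF32 layout
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, names = end + "8I", ("p_type", "p_offset", "p_vaddr", "p_paddr",
                                  "p_filesz", "p_memsz", "p_flags", "p_align")
    elif ei_class == 2:                                 # ELF64 layout (p_flags moves up front)
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, names = end + "IIQQQQQQ", ("p_type", "p_flags", "p_offset", "p_vaddr",
                                        "p_paddr", "p_filesz", "p_memsz", "p_align")
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    phdrs = []
    for i in range(e_phnum):
        vals = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(names, vals)))
    return e_machine, phdrs


def check_abiflags(data):
    """Return a list of findings for the PT_MIPS_ABIFLAGS header; an empty list means nothing odd."""
    e_machine, phdrs = parse_phdrs(data)
    findings = []
    if e_machine != EM_MIPS:
        return findings
    for ph in phdrs:
        if ph["p_type"] != PT_MIPS_ABIFLAGS:
            continue
        if ph["p_filesz"] < ABIFLAGS_V0_SIZE:
            # qemu-user's ELF loader (linux-user/elfload.c) refuses a PT_MIPS_ABIFLAGS
            # segment smaller than the v0 structure, so the binary never runs under emulation
            findings.append("PT_MIPS_ABIFLAGS p_filesz=%d < %d (qemu-user rejects this)"
                            % (ph["p_filesz"], ABIFLAGS_V0_SIZE))
            continue
        if ph["p_offset"] + ph["p_filesz"] > len(data):
            findings.append("PT_MIPS_ABIFLAGS segment extends past end of file")
            continue
        fp_abi = data[ph["p_offset"] + 7]               # byte 7 of Elf_Mips_ABIFlags_v0 is fp_abi
        if fp_abi not in VALID_FP_ABI:
            findings.append("PT_MIPS_ABIFLAGS fp_abi=%d outside known values" % fp_abi)
    return findings


def build_mips_elf(abiflags_filesz=ABIFLAGS_V0_SIZE, fp_abi=1):
    """Construct a minimal big-endian ELF32 MIPS image with one PT_LOAD and one PT_MIPS_ABIFLAGS header.

    Constructed test data only, not an EwDoor sample. abiflags_filesz lets the caller mimic a
    tampered header whose size field was shrunk below the real structure size."""
    phoff, phentsize, phnum = 52, 32, 2
    abi_off = phoff + phentsize * phnum                 # abiflags blob follows the PHT
    total = abi_off + ABIFLAGS_V0_SIZE
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8       # ELF32, big-endian, version 1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000, phoff, 0, 0,
                               52, phentsize, phnum, 40, 0, 0)
    load = struct.pack(">8I", 1, 0, 0x400000, 0x400000, total, total, 5, 0x1000)
    abi = struct.pack(">8I", PT_MIPS_ABIFLAGS, abi_off, 0x400000 + abi_off, 0x400000 + abi_off,
                      abiflags_filesz, abiflags_filesz, 4, 8)
    # Elf_Mips_ABIFlags_v0: version, isa_level, isa_rev, gpr_size, cpr1_size, cpr2_size,
    # fp_abi, isa_ext, ases, flags1, flags2
    abiflags = struct.pack(">HBBBBBBIIII", 0, 32, 2, 1, 1, 0, fp_abi, 0, 0, 0, 0)
    return ehdr + load + abi + abiflags


if __name__ == "__main__":
    for label, img in (("clean", build_mips_elf()),
                       ("shrunk abiflags", build_mips_elf(abiflags_filesz=0)),
                       ("bogus fp_abi", build_mips_elf(fp_abi=0xFF))):
        print(label, "->", check_abiflags(img) or "no findings")
```

Run check_abiflags() over a real firmware binary (open(path, "rb").read()) to see whether its ABIFLAGS header would survive qemu-user's check; a sample that the hardware kernel runs happily but that qemu-user refuses is exactly the gap the researchers describe.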

PS: I did a Baidu search for "奇虎360 in 2015" and "Researchers from Qihoo 360 in China: 2015 EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims" but failed, and I suspect AT&T may not have fixed the serious problem. I got it by searching "Qihoo 360 in 2015 AT&T EdgeMarc Enterprise Session Border Controller".

New botnet EwDoor strikes: 5,700 devices of AT&T customers infected. Author: Chenoa, 2021-12-01 15:16:32
Because the attacked devices are related to telephone communications, researchers speculate that EwDoor's main purpose is DDoS attacks and collecting sensitive information such as call records. Recently, Qihoo 360 Netlab researchers discovered a new botnet, EwDoor, which exploits a critical vulnerability from four years ago (CVE-2017-6079) to mount fierce attacks against unpatched AT&T customers; in only three hours, nearly 6,000 devices were compromised.
PS: "four years ago" (四年前): could it be 2015-2017 or even earlier? Our AT&T internet kept breaking down, so we had no choice but to switch to WOW in Jan 2017, and because we were no longer an AT&T client, AT&T didn't email a data breach alert to us? My spouse was very upset because whenever it broke down he told them it's definitely not our modem/router/indoor wiring problem; later they sent a tech who examined it and proved my spouse was right. And still whenever we called...

What about other companies whose names we don't even know, such as in the Firefox Monitor report: DaniWeb 11/30/2015 (Email 1, IP Address 1, Password 1), ClearVoice Surveys 8/22/2015 (Email, DOB 1, IP Address 1, Password 1, Phone number 1), Gravatar 10/2/2020 (Email 1), DriveSure (12/18/2020), iMenu360 (8/10/2022). And the Malwarebytes report: Trickbot Spam 2019, Andersen Corporation 2023, .... We never received data breach alert emails?

PS: The Malwarebytes report lists 4 companies (1: email, DOB, phone, address, city, postal_code; 1: Combo list, Sensitive Source, password, email in 2020; 1: password, email; 1: email address, postal_code) without posting their names, as Data Breach Sensitive Source *
info: Some sources are marked "sensitive" if they may reveal and compromise an ongoing investigation, or if the affected site is of a controversial nature or may impact an employee's reputation.
info: Combo list Sensitive Source: This is information from various breaches aggregated by criminals to re-sell/leak it.

I don’t recognize the data in my report. What does that mean?
The Digital Footprint scans for exposed information related to the submitted email address – which means a third party has linked the information to the email.

-- Could it be possible that DaniWeb, ClearVoice Surveys, Gravatar... are third parties of AT&T or something else?

“On October 27, 2021, our Botmon system detected attackers exploiting CVE-2017-6079 against Edgewater Networks devices, using a relatively unusual mount-filesystem command in the payload, which caught our attention. After analysis, we confirmed it was a brand-new botnet; based on its targeting of the Edgewater vendor and its backdoor functionality, we named it EwDoor,” Qihoo 360 wrote in its analysis report.
EdgeMarc devices support high-capacity VoIP and data environments, filling gaps in the enterprise network services of carrier service providers. At the same time, this requires the devices to be publicly exposed on the Internet, which inevitably increases their risk of remote attack.
The researchers registered its backup command-and-control (C2) domain and monitored requests from infected devices to determine the size of the botnet. Unfortunately, after encountering a failure of the primary C2 network, EwDoor reconfigured its communication model.
In just three hours, the researchers found that the infected systems were EdgeMarc Enterprise Session Border Controllers used by AT&T, and the experts identified 5,700 infected devices (IPs) located in the United States.
“By looking back at the SSL certificates used by these devices, we found roughly 100,000 IPs using the same SSL certificate. We are not sure how many of the devices corresponding to these IPs could be infected, but we can speculate that, as they belong to the same class of devices, the possible impact is real.”

EwDoor's main purpose is DDoS attacks
Research found that EwDoor has gone through three versions of updates; its main functions fall into two categories, DDoS attacks and backdoor. Because the attacked devices are related to telephone communications, researchers speculate that EwDoor's main purpose is DDoS attacks and collecting sensitive information such as call records.

Self-updating
Port scanning
File management
DDoS attack
Reverse shell
Execution of arbitrary commands
EwDoor botnet (360 Netlab)


The experts also provided other technical details about the EwDoor botnet in the report and shared indicators of compromise (IOCs) for this threat. Editor: Zhao Ningning. Source: FreeBuf
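The certificate pivot in the quoted passage (5,700 confirmed victims, then roughly 100,000 IPs presenting the same SSL certificate) is a standard way to size the exposed population of a device class, because appliances shipping a shared factory certificate all present the same fingerprint. The following is an added example, not 360 Netlab's code: it loads scanner output in a JSON-lines shape that I am assuming for illustration, fingerprints each certificate with SHA-256 over the DER bytes, and returns every host that presents a certificate also seen on a confirmed-infected host. The scan records and certificate bytes are constructed placeholders, not real AT&T or EdgeMarc data, and hosts returned by the pivot are candidates of the same device class, not proven infections.

```python
import base64
import hashlib
import json
from collections import defaultdict

# Constructed stand-ins for DER certificates (real DER starts with a SEQUENCE tag, 0x30).
FIRMWARE_CERT = b"\x30\x82\x01\x00" + b"placeholder-shared-factory-cert"
OTHER_CERT = b"\x30\x82\x01\x00" + b"placeholder-unrelated-cert"

# Constructed scanner output: one JSON object per line, certificate as base64 DER.
# This line format is an assumption for the example, not a specific tool's output.
SCAN_LINES = "\n".join(json.dumps({"ip": ip, "port": 443, "cert_der_b64": base64.b64encode(der).decode()})
                       for ip, der in [("192.0.2.10", FIRMWARE_CERT), ("192.0.2.11", FIRMWARE_CERT),
                                       ("192.0.2.12", FIRMWARE_CERT), ("198.51.100.5", OTHER_CERT),
                                       ("203.0.113.7", FIRMWARE_CERT)])

# Hosts the analyst already confirmed as infected (constructed).
CONFIRMED_INFECTED = {"192.0.2.10", "203.0.113.7"}


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, colon-separated upper-case hex as scanners and browsers show it."""
    h = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def load_scan_lines(text):
    """Parse JSON-lines scan output into (ip, der_bytes) pairs, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
            records.append((obj["ip"], base64.b64decode(obj["cert_der_b64"])))
        except (ValueError, KeyError):
            continue            # a scanner dump usually has a few unparsable lines; do not abort on them
    return records


def index_by_fingerprint(records):
    """Map certificate fingerprint -> sorted list of hosts presenting that certificate."""
    idx = defaultdict(set)
    for ip, der in records:
        idx[cert_fingerprint(der)].add(ip)
    return {fp: sorted(ips) for fp, ips in idx.items()}


def pivot_on_certificate(records, confirmed_infected):
    """Return {fingerprint: [hosts]} for every certificate seen on a confirmed-infected host."""
    idx = index_by_fingerprint(records)
    return {fp: ips for fp, ips in idx.items() if any(ip in confirmed_infected for ip in ips)}


def same_class_unconfirmed(records, confirmed_infected):
    """Hosts that share a certificate with confirmed victims but are not yet confirmed: the check list."""
    pivot = pivot_on_certificate(records, confirmed_infected)
    return sorted({ip for ips in pivot.values() for ip in ips} - set(confirmed_infected))


if __name__ == "__main__":
    recs = load_scan_lines(SCAN_LINES)
    for fp, ips in pivot_on_certificate(recs, CONFIRMED_INFECTED).items():
        print(fp, "->", ips)
    print("to check:", same_class_unconfirmed(recs, CONFIRMED_INFECTED))
```

The important design choice is that a shared certificate is evidence of device class, not of compromise: the pivot widens the population to notify and scan, and confirmation still needs the IOCs from the Netlab post or a direct check of each device.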
-- If the US masters were the responsible type, then they should team up with China. But honest China's Qihoo 360 Netlab researchers pointed out "based on its targeting of the Edgewater vendor and its backdoor functionality, we named it EwDoor," which exposed that AT&T bought US equipment with backdoor functionality and irritated the masters.
So they won't fix the deadly problem but smear China to cover up the backdoor functionality, and caused more US victims' personal data to be exposed on the dark web, which points to AT&T.

PS: Shanxi Provincial Communications Administration, National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), Shanxi Branch, September 29, 2020
Security advisory on an unspecified vulnerability in Oracle Enterprise Session Border Controller
Recently, the China National Vulnerability Database (CNVD) recorded an unspecified vulnerability in Oracle Enterprise Session Border Controller (CNVD-2020-54682). An attacker could exploit the vulnerability to read, update, insert or delete data without authorization, causing denial of service (hang or frequent crashes), affecting the availability, confidentiality and integrity of data.
Oracle Enterprise Session Border Controller (E-SBC) connects different Internet Protocol (IP) communication networks while mitigating security threats, resolving interoperability issues and ensuring reliable communications.
The File Upload component in Oracle Enterprise Session Border Controller 8.1.0, 8.2.0 and 8.3.0 contains a security vulnerability. An attacker could exploit the vulnerability to read, update, insert or delete data without authorization, causing denial of service (hang or frequent crashes), affecting the availability, confidentiality and integrity of data.
CNVD rates the vulnerability "High".
Affected versions:
Oracle Enterprise Session Border Controller 8.1.0
Oracle Enterprise Session Border Controller 8.2.0
Oracle Enterprise Session Border Controller 8.3.0

-- In File Explorer I searched "Oracle" and got 19 Oracle-related folders, 11 files (*.dll) and 8 E-logo files (*.XML). My question is: I don't have an Oracle app, so I am not sure whether the many Oracle-related items File Explorer shows can be deleted. Most show 3/8, 3/9, 4/9/2024 modified; some 6/24/2022, 12/3, 12/7/2019 modified. Especially one folder shows: wow64_system.... 3/9/2024 modified; the company was already sold to Astound.

Very strange: suddenly many manifest files showed up, from 11 files (*.dll) jumping up to 44 files, and 8 (*.XML) jumping up to 14 files, although I did nothing else except writing this blog. Some are duplicated. I would say the MS update didn't delete the previous version completely.