
EwDoor Botnet Targets AT&T Network Edge Devices at US Firms

A recently discovered botnet is attacking unpatched AT&T enterprise network edge devices using exploits for a four-year-old, critical-severity blind command injection vulnerability.

The botnet, dubbed EwDoor by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices.

EdgeMarc appliances support high-capacity VoIP and data environments, bridging the gap between enterprise networks and their service providers, in this case, the AT&T carrier.

However, this also requires the devices to be publicly exposed to the Internet, increasing their exposure to remote attacks.

360 Netlab spotted the botnet on October 27 when the first attacks targeting Internet-exposed Edgewater Networks’ devices unpatched against the critical CVE-2017-6079 vulnerability started.


Almost 6,000 compromised devices spotted in three hours

The researchers were able to take a quick look at the botnet’s size by registering one of its backup command-and-control (C2) domains and monitoring the requests made from infected devices.

During the three hours they had before the botnet’s operators switched to a different C2 network communication model, 360 Netlab could spot roughly 5,700 infected devices.
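As an added illustration of the measurement described above (this is not 360 Netlab's code or data), the script below derives a lower-bound victim count from the request log of a sinkholed backup C2 domain: distinct client IPs seen inside the observation window, with repeat polls from one device collapsed into a single victim. The log format, the domain name and the client addresses are constructed placeholders.

```python
"""Lower-bound botnet size from sinkhole logs: count distinct client IPs that
contacted the registered backup C2 domain inside an observation window.
Added example, not 360 Netlab's tooling; log format, domain name and client
addresses below are constructed placeholders."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sinkhole access log: "<UTC timestamp> <client ip> <Host> <request>"
SINKHOLE_LOG = """\
2021-10-27T08:00:05Z 203.0.113.10 backup-c2.example GET /check
2021-10-27T08:00:07Z 203.0.113.10 backup-c2.example GET /check
2021-10-27T08:15:40Z 198.51.100.22 backup-c2.example GET /check
2021-10-27T09:02:11Z 192.0.2.77 backup-c2.example GET /check
2021-10-27T09:30:00Z 192.0.2.78 other.example GET /
2021-10-27T12:30:00Z 198.51.100.99 backup-c2.example GET /check
this line is malformed and must be skipped
"""
SINKHOLED_DOMAIN = "backup-c2.example"  # placeholder, not the real C2 domain
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return (timestamp, client_ip, host) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.strptime(parts[0], TS_FMT), parts[1], parts[2]
    except ValueError:
        return None

def count_victims(log_text, domain, start_iso, window_hours):
    """Distinct IPs that hit `domain` in [start, start + window), plus the
    hour ('YYYY-MM-DDTHH') in which each IP was first seen (arrival rate)."""
    start = datetime.strptime(start_iso, TS_FMT)
    end = start + timedelta(hours=window_hours)
    seen, first_seen_per_hour = set(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, host = rec
        # Only requests for the sinkholed name inside the window count, and a
        # device polling repeatedly is still one victim.
        if host != domain or not (start <= ts < end) or ip in seen:
            continue
        seen.add(ip)
        first_seen_per_hour[ts.strftime("%Y-%m-%dT%H")] += 1
    return len(seen), dict(first_seen_per_hour)
```

The count is a lower bound only: devices behind NAT share an address, and devices that happen not to poll the backup domain during the window are never seen.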

“We confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” the researchers said in a report published today.

“By back-checking the SSL certificates used by these devices, we found that there were about 100k IPs using the same SSL certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.”

Our latest blog is about EwDoor Botnet, all its infected devices are located in US, we saw around 6k compromised ips in a short 3 hours time window https://t.co/1YHZZYqR3c
— 360 Netlab (@360Netlab) November 30, 2021

Backdoor with DDoS attack capabilities

After analyzing the versions captured since they discovered EwDoor, 360 Netlab says the botnet is likely used to launch distributed denial-of-service (DDoS) attacks and as a backdoor to gain access to the targets’ networks.


It currently has six major features: self-updating, port scanning, file management, DDoS attack, reverse shell, and execution of arbitrary commands on compromised servers.

“So far, the EwDoor in our view has undergone 3 versions of updates, and its main functions can be summarized into 2 main categories of DDoS attacks and Backdoor,” 360 Netlab added.

“Based on the fact that the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs.”

Figure: EwDoor botnet overview (360 Netlab)

EwDoor uses TLS to protect its command-and-control traffic from interception and encrypts its embedded resources to hinder malware analysis.

Additional technical details on the EwDoor botnet and indicators of compromise (IOCs), including C2 domains and malware sample hashes, can be found in 360 Netlab’s report.


Update: An AT&T spokesperson told BleepingComputer that the company found no evidence of customers’ data being accessed as a result of these attacks.

“We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed,” AT&T said.
