Thanks for nothing

A botnet hit AT&T devices with malware and the company hasn't said a word

Researchers at Qihoo identified the botnet, which stems from a 2017 vulnerability. AT&T has barely even confirmed its existence.

Everything connects in a particular way
Charday Penn/E+/Getty Images

There’s nothing quite like a widespread malware infection to really harsh the vibe. Today’s is a doozy: an unknown number of AT&T networking devices have been infected with malware that can turn them into launch points for denial-of-service attacks. Researchers at China-based Qihoo 360 identified the botnet’s presence this week. They identified at least 100,000 exposed devices, most if not all of them located in the U.S.

The networking devices being used to build the botnet are EdgeMarc Enterprise Session Border Controllers, appliances that small- and medium-sized businesses deploy to prioritize real-time traffic such as voice and video calls. As Ars Technica points out, session border controllers sit between a business and its internet service provider, so plenty of sensitive information travels through them.

Qihoo 360 managed to get inside one of the botnet’s control servers and dug around for about three hours before being locked out. We’re lucky they managed even that much; otherwise the public would have no idea the botnet even existed.

Well, at least the password wasn’t ‘password’ — Let’s play a brief game: What’s the silliest weakness you can think of that would open up more than a hundred thousand devices to malware? If your answer was “nobody changed the default login,” you’re a winner, baby.

Qihoo researchers found that the spread of this new botnet malware, which they’re calling EWDoor, is made possible by an account on the session border controllers with the user name “root” and the password “default.” The weakness created by this account was first reported in 2017.

Oh, and it gets worse. There’s no mention of that vulnerability ever being patched. A four-year-old weakness has now been used to potentially infect more than 100,000 unsuspecting users’ devices.
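As an added check, not code from the article or from Qihoo 360’s report: the script below tests whether a device’s management interface still accepts a factory login such as root/default. The article does not say which service on the EdgeMarc exposes the account, so this assumes an HTTP interface protected by Basic auth; the stand-in “device” server, the localhost URL and the extra credential pairs are constructed for the demo. Run it only against devices you are authorized to test.

```python
"""Default-credential check for a device management interface.

Added example; not code from the article or from Qihoo 360. The article only
names the account "root"/"default" and does not say which service exposes it,
so this ASSUMES an HTTP management page behind Basic auth. The fake device
below is constructed so the script runs offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# "root"/"default" is the pair the article names; the other two are common
# vendor defaults added here for illustration only.
DEFAULT_CREDS = [("root", "default"), ("admin", "admin"), ("admin", "password")]

# Ignore any http_proxy in the environment so the check reaches the host directly.
_opener = build_opener(ProxyHandler({}))


def accepts_credentials(url, username, password, timeout=5):
    """Return True if URL answers 200 to a Basic-auth request with these creds."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except HTTPError:
        # 401/403 (or any other error status) means the login was not accepted.
        return False


def find_default_logins(url, creds=DEFAULT_CREDS):
    """Return the (user, password) pairs the interface at URL still accepts."""
    return [(u, p) for u, p in creds if accepts_credentials(url, u, p)]


class _FakeDeviceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a management UI that still has its factory login."""

    ACCEPTED = base64.b64encode(b"root:default").decode()

    def do_GET(self):
        if self.headers.get("Authorization", "") == f"Basic {self.ACCEPTED}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_device():
    """Start the stand-in on a random localhost port; returns (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDeviceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", server


if __name__ == "__main__":
    url, server = start_fake_device()
    print("accepted default logins:", find_default_logins(url))  # -> [('root', 'default')]
    server.shutdown()
```

Point `find_default_logins` at a real device’s management URL to audit it; any non-empty result means the factory account is still live and the device should be treated as exposed until the credential is changed or the account removed.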

AT&T’s no help — Did we mention the story gets worse? Yeah, there’s more frustrating news here, specifically that AT&T has seemingly decided this isn’t its problem to deal with.

Here’s the official statement from an AT&T spokesperson: “We previously identified this issue, have taken steps to mitigate it and continue to investigate. We have no evidence that customer data was accessed.” No acknowledgment of fault, no apology, just some sort of half-answer that does nothing at all to help those who may be affected.

Malware infections are somewhat unavoidable on the contemporary internet, but it’s a company’s ethical responsibility to at the very least acknowledge that an attack has happened. In almost every instance companies do, and most go further, helping users determine whether they’ve been compromised and offering support against future attacks.

Since AT&T isn’t even interested in letting customers know their networks may have been compromised, IT managers should read Qihoo’s blog post for information on identifying the malware’s presence. The group invites users to reach out on Twitter with any questions.