Massive campaign target Elastix VoIP systems with 500,000 unique malware samples

On Saturday, threat analysts have discovered a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of three months.

Elastix is a server software for unified communications (Internet Protocol Private Branch Exchange [IP PBX], email, instant messaging, faxing), used in the Digium phones module for FreePBX.

The attackers might have exploited a Remote Code Execution (RCE) vulnerability known as  CVE-2021-45461, with a critical severity rating of 9.8 out of 10.

Adversaries have been exploiting this vulnerability since December 2021 and a recent campaign appears to connect to the security issue.

At Palo Alto Networks’ Unit 42,  security researchers have said that the attacker’s ambition was to plant a PHP web shell that could run arbitrary commands on the compromised communications server.

According to Bleeping Computer, in a report on Friday, the researchers say that the threat actor deployed “more than 500,000 unique malware samples of this family” between December 2021 and March 2022.

“The campaign is still active and shares several similarities to another operation in 2020 that was reported by researchers at cybersecurity company Check Point,” a source as per Bleeping Computer.