Servers running Asterisk’s open-source communications software for Digium VoIP services are under attack by hackers who manage to take over the machines to install web shell interfaces that give attackers hidden control, researchers said.
Researchers at security firm Palo Alto Networks said they suspect hackers are gaining access to local servers by exploiting CVE-2021-45461. The critical remote code execution flaw was discovered as a zero-day vulnerability late last year when it was exploited to run malicious code on servers running fully updated versions of Rest Phone Apps, or restapps, a VoIP package sold by a company called Sangoma.
The vulnerability resides in FreePBX, the world’s most widely used open-source software for Internet-based Private Branch Exchange systems that enable internal and external communications on organizations’ private internal telephone networks. CVE-2021-45461 has a severity rating of 9.8 out of 10 and allows hackers to run malicious code that takes complete control of servers.
Now Palo Alto Networks has said that hackers are targeting the Elastix system used in Digium phones, which is also based on FreePBX. By sending specially crafted packets to servers, threat actors can install web shells that give them an HTTP-based window to issue commands that should normally be reserved for authorized administrators.
“At the time of writing, we have witnessed more than 500,000 unique malware samples of this family between the end of December 2021 and the end of March 2022,” Palo Alto Networks researchers Lee Wei, Yang Ji, Muhammad Umer Khan and Wenjun Hu wrote. “The malware installs a multi-layered obfuscated PHP backdoor into the web server’s file system, downloads new chunks of data to execute, and schedules repetitive tasks to re-infect the host system. Additionally, the malware implants a random spam string to each malware download in an attempt to evade signature-based defenses.”
When the research post went live, parts of the attacker’s infrastructure remained operational. These parts contained at least two malicious payloads: hxxp[://]37[.]49[.]230[.]74/k[.]php and hxxp[://]37[.]49[.]230[.]74/z/wr[.]php.
The web shell uses random spam designed to evade signature-based defenses. For added stealth, the shell is wrapped in several layers of Base64 encoding. The shell is further protected by a hard-coded “MD5 authentication hash”, which the researchers believe is uniquely mapped to the victim’s public IPv4 address.
“The web shell is also able to accept a manager parameter, which can be either an Elastic or Freepbx value,” the researchers added. “The appropriate administrator session will then be created.”
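Because the backdoor hides its logic under several layers of Base64 and pads each download with random spam, a signature on the outer file text is easy to miss. The scanner below is an added example written for this article, not code from the report or from Palo Alto Networks: it unwraps nested Base64 in a PHP file body and reports the depth at which interpreter functions or request superglobals first appear. The marker list, the constructed sample (a non-functional stand-in for the loader described above, with a HASH_PLACEHOLDER value) and the benign control are all assumptions made for the example.

```python
import base64
import random
import re
import string

# Functions and request superglobals whose presence in any decoded layer is worth flagging (constructed list).
SUSPICIOUS = re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(|\$_(POST|GET|REQUEST|COOKIE)\b")
# A run of Base64 alphabet long enough to be a wrapped payload rather than an identifier.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAX_LAYERS = 8  # stop unwrapping after this many layers so a decode loop cannot run forever

def peel_base64_layers(text, max_layers=MAX_LAYERS):
    """Decode every Base64 blob in `text`, then repeat on the decoded output. Returns decoded layers, outermost first."""
    layers, current = [], text
    for _ in range(max_layers):
        decoded = []
        for blob in B64_BLOB.findall(current):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
            except ValueError:  # not real Base64 (binascii.Error is a ValueError subclass)
                continue
        if not decoded:
            break
        current = "\n".join(decoded)
        layers.append(current)
    return layers

def scan_php_source(text):
    """Scan a PHP file body and every Base64 layer beneath it; report the depth (0 = file as written) of each marker."""
    layers = [text] + peel_base64_layers(text)
    markers, superglobal_depth = {}, None
    for depth, layer in enumerate(layers):
        for m in SUSPICIOUS.finditer(layer):
            name = m.group(1) or "$_" + m.group(2)
            markers.setdefault(name, depth)  # remember the shallowest depth at which each marker shows up
            if m.group(2) and superglobal_depth is None:
                superglobal_depth = depth
    return {"flagged": bool(markers), "layers": len(layers), "markers": markers, "superglobal_depth": superglobal_depth}

def build_constructed_sample(wraps=3):
    """Constructed stand-in (not the report's sample, not working malware): a request stub wrapped in Base64 layers."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    body = '<?php if (md5($_SERVER["REMOTE_ADDR"]) === "HASH_PLACEHOLDER") { @eval($_POST["c"]); } ?>'
    for _ in range(wraps):
        spam = "".join(rng.choices(string.ascii_lowercase, k=24))  # the "random spam string" padding
        blob = base64.b64encode(body.encode()).decode()
        body = f'<?php /* {spam} */ eval(base64_decode("{blob}")); ?>'
    return body

# Benign control: a long Base64 blob (an embedded image) that decodes to nothing suspicious.
BENIGN_SAMPLE = '<?php $logo = "' + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(range(64))).decode() + '"; ?>'
```

Run `scan_php_source` over the PHP files under the web root (and over any scheduled-task payloads the report describes) and triage files where a superglobal only surfaces several layers down.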
Anyone running a FreePBX-based VoIP system should read the report carefully and pay particular attention to indicators of compromise that can help determine if the system is infected.