Servers Running Digium Phones VoiP Software are Getting Backdoored

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://arstechnica.com/information-technology/2022/07/servers-running-digium-phones-voip-software-are-getting-backdoored/
Servers running the open source Asterisk communication software for Digium VoiP services are under attack by hackers who are managing to commandeer the machines to install web shell interfaces that give the attackers covert control, researchers have reported.

Researchers from security firm Palo Alto Networks said they suspect the hackers are gaining access to the on-premises servers by exploiting CVE-2021-45461. The critical remote code-execution flaw was discovered as a zero-day vulnerability late last year, when it was being exploited to execute malicious code on servers running fully updated versions of Rest Phone Apps, aka restapps, which is a VoiP package sold by a company called Sangoma. The vulnerability resides in FreePBX, the world's most widely used open source software for Internet-based Private Branch Exchange systems, which enable internal and external communications in organizations' private internal telephone networks. CVE-2021-45461 carries a severity rating of 9.8 out of 10 and allows hackers to execute malicious code that takes complete control of servers. Now, Palo Alto Networks said hackers are targeting the Elastix system used in Digium phones, which is also based on FreePBX. By sending servers specially crafted packets, the threat actors can install web shells, which give them an HTTP-based window for issuing commands that normally should be reserved for authorized admins.
Click to expand...
"As of this writing, we have witnessed more than 500,000 unique malware samples of this family over the period spanning from late December 2021 till the end of March 2022," Palo Alto Networks researchers Lee Wei, Yang Ji, Muhammad Umer Khan, and Wenjun Hu wrote. "The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution and schedules recurring tasks to re-infect the host system. Moreover, the malware implants a random junk string to each malware download in an attempt to evade signature defenses based on indicators of compromise (IoCs)."

When the research post went live, parts of the attacker infrastructure remained operational.
Click to expand...
arstechnica.com

Servers running Digium Phones VoiP software are getting backdoored

More than 500,000 malicious samples seen in campaign that installs web shells.
arstechnica.com arstechnica.com
 
  • Like
Reactions: silversurfer and harlan4096
You must log in or register to reply here.

Similar threads

[correlate]
    • +Reputation
    • Wow
    • Like
Over 640 Citrix servers backdoored with web shells in ongoing attacks (Updated)
Replies
3
Views
1,919
News Archive
Ink
Ink
silversurfer
    • Like
    • +Reputation
New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems
Replies
0
Views
1,146
News Archive
silversurfer
silversurfer
[correlate]
    • Like
    • +Reputation
    • Applause
Fake WinRAR proof-of-concept exploit drops VenomRAT malware
Replies
1
Views
1,168
News Archive
SumTingWong
SumTingWong

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top