An analysis of more than 500,000 malware samples collected by threat analysts over a three-month period has revealed an extensive campaign targeting Elastix VoIP telephony servers. The threat actors are planting a web shell on the compromised servers in order to run commands on them and steal sensitive data.
Elastix is unified communications server software that bundles FreePBX, and the Digium phones module of FreePBX is part of that integration. The attackers are believed to have exploited CVE-2021-45461, a remote code execution (RCE) vulnerability in that module, to run code on the servers.
The recent campaign appears to be linked to the same vulnerability, which threat actors have been exploiting since December 2021.
According to a Palo Alto Networks Unit 42 security researcher, one of the attackers' goals was to install a PHP web shell on the compromised communications server, which allows them to execute arbitrary commands on it.
Between December 2021 and March 2022, the threat actor deployed over 500,000 samples of malware belonging to this family. The campaign shares several similarities with an operation first seen in 2020, which is still active today.
The modus operandi observed in the campaign is as follows:-
Two attack groups were observed using different initial exploitation scripts, each with the same goal of dropping a small shell script.
That script installs the PHP backdoor on the target device, creates root user accounts and sets up a scheduled task so that the attackers retain access.
The dropper also spoofs the timestamp of the PHP backdoor file it installs, so that the file blends in with the existing files on the server.
The IP addresses used by the attackers in both groups are linked to several Russian adult sites, although DNS records suggest that many of those sites are actually hosted in the Netherlands.
The web shell takes its input through the cmd request parameter and supports two kinds of commands: arbitrary commands passed in that parameter, and a set of built-in commands.
The built-in commands can be used for reading files, listing directories and gathering information about the Asterisk open source PBX platform on which the server runs.
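The traces described above (extra root accounts, a scheduled task, a cmd-driven PHP web shell and a back-dated file) can all be hunted for on the server itself. The script below is an added example written for this article, not code from the Unit 42 report or from the Elastix project; it builds a constructed sample host layout with made-up paths and contents so that it runs offline, and it assumes GNU coreutils/findutils (stat -c, xargs -r) as found on a Linux PBX host. The timestomping check relies on the fact that touch or utime can back-date a file's mtime but cannot change its ctime, which only the kernel sets.

```shell
#!/bin/sh
# Added hunting script (not from the Unit 42 report or this article).
# Assumes GNU coreutils/findutils; the sample paths in build_sample are made up.

# The dropper is said to add root accounts: list every UID-0 account that is not "root".
find_extra_root_accounts() {            # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Scheduled-task persistence: uncommented cron entries that launch php, curl, wget or nc.
find_suspicious_cron() {                # $1 = crontab-format file
    grep -vE '^[[:space:]]*#' "$1" | grep -E '(^|[[:space:]/])(php|curl|wget|nc)[[:space:]]'
}

# Web shell hunt: PHP files that read a "cmd" request parameter and hand it to an
# execution primitive, the pattern described for this backdoor.
find_cmd_webshells() {                  # $1 = web root
    grep -rlE "\\\$_(REQUEST|GET|POST)\[['\"]cmd['\"]]" --include='*.php' "$1" 2>/dev/null |
        xargs -r grep -lE '(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('
}

# Timestomping: a ctime far newer than mtime means the timestamp was altered after writing.
find_timestomped_php() {                # $1 = web root, $2 = minimum gap in seconds
    dir=$1; gap=${2:-3600}
    find "$dir" -type f -name '*.php' | while IFS= read -r f; do
        set -- $(stat -c '%Y %Z' "$f")   # $1 = mtime, $2 = ctime (epoch seconds, GNU stat)
        [ $(( $2 - $1 )) -gt "$gap" ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample host (made-up accounts, cron lines and files) so the checks can run.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/www"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'asterisk:x:500:500::/var/lib/asterisk:/sbin/nologin' \
                  'sysuser:x:0:0::/:/bin/bash' > "$root/passwd"
    printf '%s\n' '# m h dom mon dow user command' \
                  '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' \
                  '*/5 * * * * root php /var/www/html/.cache.php' > "$root/cron"
    printf '%s\n' '<?php echo "PBX"; ?>' > "$root/www/index.php"
    printf '%s\n' '<?php system($_REQUEST["cmd"]); ?>' > "$root/www/.cache.php"
    touch -t 201501010000 "$root/www/.cache.php"   # back-date mtime; ctime stays "now"
    printf '%s\n' "$root"
}

SAMPLE=$(build_sample)
echo "== extra UID-0 accounts";    find_extra_root_accounts "$SAMPLE/passwd"
echo "== suspicious cron entries"; find_suspicious_cron "$SAMPLE/cron"
echo "== cmd web shells";          find_cmd_webshells "$SAMPLE/www"
echo "== timestomped PHP files";   find_timestomped_php "$SAMPLE/www" 3600
```

On a real host, point the functions at /etc/passwd, the files under /etc/cron.d and /var/spool/cron, and the web root (for example /var/www/html), and treat each hit as a lead to confirm by hand rather than as proof of compromise: legitimate packages also run php from cron, and a file restored from backup can show the same mtime/ctime gap.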
Abusing compromised PBX servers is an established business model. An attacker who controls a telephony server can route calls to International Premium Rate Numbers (IPRN) and earn money from every call that connects.
The compromised systems can also serve as a foothold from which the attacker launches further attacks.