Hackers Stealing and Selling VoIP AccessAttackers Exploit a Vulnerability in Asterisk VoIP PBX Servers
Check Point Research has uncovered a large and likely profitable business model that involves hackers attacking and gaining control of certain VoIP services, which enables them to make phone calls through a company’s compromised system.
During the first half of this year, Check Point researchers found the campaign operated by a hacking group that they believe is working from the Palestinian Gaza Strip. The ongoing campaign targets the open-source user interface of Sangoma PBX, which manages the Asterisk VoIP PBX system - one of the world's largest such systems.
The threat actors exploit a critically rated vulnerability tracked as CVE-2019-19006 to gain control of companies' VoIP phone systems to make calls.
"Gaining access to the systems allows the hackers to abuse the servers for their own purposes. CVE-2019-19006 is an authentication bypass vulnerability published in November 2019,” the researchers state in their report. “Check Point Research was able to deduce the vulnerability by examining both the captured attack traffic and Sangoma's GitHub repository for FreePBX Framework.”
By gaining this level of access to a company's telephone system, the group can sell phone numbers, calls plans and live access to compromised VoIP services, the report says.
"They can also use the compromised systems for further attacks, such as using the system resources for cryptomining, spreading laterally across the company network or launching attacks on outside targets while masquerading as the compromised company," the researchers say.
VoIP attacks have recently been in the news. For example, the security firm ESET uncovered a Linux malware variant dubbed "CDRThief" targeting VoIP networks to steal phone metadata, such as IP addresses (see: Linux Malware Targets VoIP Networks to Steal Metadata).
Dialing Up the Attack
In the campaign Check Point Research discovered, the attacks start by scanning for "session in progress" systems using the vulnerable FreePBX software to bypass the authentication step. At this point, a web shell is uploaded and the attack breaks into two parts, according to the report.
First, the initial web shell is used to retrieve the contents of Asterisk management files that contain the credentials to the FreePBX system's database and passwords for the various SIP extensions, effectively giving full control of the entire system to the attacker. The threat actor then makes a test phone call to see if the system is, in fact, under their control, the researchers note.
Next, the web shell is used to download a base64-encoded PHP file from Pastebin that is padded with garbage comments as an obfuscation method. When the file is decoded, it creates a password-protected web shell that is capable of retrieving the credentials to the Asterisk Internal Database and REST Interface, according to Check Point.
Social Media Element
In the code, the researchers found several references to Inj3ctor3 and inje3t0r3-seraj, the first of which is the name associated with a Pastebin account that contained the initial web shell upload, the report states.
These names eventually led the Check Point team to several private Facebook groups that deal with VoIP exploitation and "session in progress" server exploitation.
"The group shares a number of tools related to SIP server exploitation: scanners, authentication bypass and remote code execution scripts. Among these scripts, we found a variant of the brute-force script seen in the Pastebin of INJ3CTOR3," Check Point says.
The Facebook posts contained information that opened several additional avenues for the researchers to explore, leading them to the conclusion that this style of attack is common, particularly in the Middle East.
"Closely examining the profiles of the admins, active users, and carriers seen in the different groups, we found that most of them were from Gaza, the West Bank and Egypt," the researchers say.
Senior Correspondent Chinmay Rautmare contributed to this report.