Elastix VoIP systems targeted by massive malware campaign

Scott Marlette

2 years ago

A number of different threat actors have attacked VoIP (opens in new tab) telephony servers belonging to Elastix with more than 500,000 different malware (opens in new tab) samples between December 2021 and March 2022, researchers have claimed.

Elastix is a unified communications server software, bringing together IP PBX, email, IM, faxing and collaboration tools.

The researchers are speculating the attackers exploited CVE-2021-45461, a high-severity (9.8) vulnerability that allows for remote code execution. Their goal was to set up a PHP web shell that would allow them to run arbitrary code on the compromised endpoints.

Blending into the environment

Experts from Palo Alto Networks’ Unit 42 who first spotted the campaign said two separate attack groups, using different methods to exploit the flaws, tried to deploy a miniature shell script, which installs a PHP backdoor and gives the attackers root access.

“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” the researchers noted.

The IP addresses of the groups are in the Netherlands, it was further explained, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment.

The campaign is still ongoing, the researchers concluded.

Depending on the campaign goal, enterprise servers are sometimes a higher-value target than computers, laptops, or other company endpoints. Servers are usually more powerful devices, and could be used, for example, as part of a potent botnet delivering thousands of requests per second.

Servers can also be used to deploy cryptomining software, earning valuable cryptocurrencies for their attackers. And finally, if the servers are shared (for example, in a cloud environment), a potential data breach could compromise multiple companies at once, and all of their customers, combined.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.