Elastix, a VoIP server software used with Digium phones, has fallen victim to a malware campaign orchestrated by multiple different threat actors.
According to security researchers at Palo Alto Networks’ Unit 42, the VoIP service was attacked by over 500,000 unique malware samples between December 2021 and March of this year, and the malware infrastructure is still live.
Due to their reliance on the internet, VoIP systems are becoming a common focus for cyber criminals. Read on to learn more about the attack, and about how your business can avoid threats like this in the future.
Elastix VoIP System Becomes Latest Malware Target
Security researchers at Palo Alto Networks have recently uncovered a new malware campaign that has been disrupting Elastix VoIP servers since December of last year.
The telephony server is used with Digium phones, a solution relied on by thousands of businesses up and down the country.
The researchers suspect the hackers gained access to the on-premises servers by exploiting CVE-2021-45461 — a remote execution vulnerability that’s received an alarming Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
This vulnerability is understood to reside in FreePBX, one of the most widely used open-source software packages in the world. FreePBX has been targeted by repeated malware attacks in the past, and this latest breach raises additional concerns about the security of the software.
Hiding in Plain Sight?
According to Palo Alto Networks, Elastix VoIP systems were targeted by two sets of attack scripts, which its research names Group 1 and Group 2.
These shell scripts worked together to compromise the Elastix system by installing an obfuscated PHP backdoor among its files, then maintained access by setting up user accounts or reinfecting the host system.
The dropper also tries to blend into the system’s environment by spoofing the timestamp of the installed PHP backdoor file and implanting a random junk string into each malware download.
These obfuscation tactics are likely why the malware went unnoticed by cybersecurity researchers until now.
“The malware implants a random junk string to each malware download in an attempt to evade signature defenses based on indicators of compromise (IoCs).” – Palo Alto Networks researchers
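The two evasion tricks just described, a spoofed modification time and a per-download junk string, can both be checked for on a host. The script below is an added example for this article, not code from Unit 42 or from the Elastix project, and it makes two assumptions that the report does not state: that the host is Linux/Unix, where `utime()`/`touch` can rewrite a file's mtime but never its inode change time (ctime), and that the junk string sits in a PHP comment, so that hashing the file with comments and whitespace removed collapses the per-download variants back to one value. The sample PHP files are constructed, harmless stand-ins.

```python
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict
from typing import Dict, List, NamedTuple

# A modification time set by hand always lands earlier than the inode change
# time (ctime), because utime()/touch cannot rewrite ctime. A gap larger than
# this is worth a look; installers that preserve mtime also produce such a gap,
# so it is a triage signal, not proof. (Linux/Unix semantics assumed.)
TIMESTOMP_SLACK_SECONDS = 24 * 3600


class Finding(NamedTuple):
    path: str
    timestomped: bool
    raw_sha256: str
    normalized_sha256: str


def looks_timestomped(path: str, slack: float = TIMESTOMP_SLACK_SECONDS) -> bool:
    """Flag files whose mtime is much older than their ctime."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def normalized_hash(source: str) -> str:
    """SHA-256 over PHP source with comments and whitespace removed, so a junk
    string planted in a comment no longer changes the hash. This is a rough
    regex pass, not a PHP parser: a '#' or '//' inside a string literal would
    also be stripped, which is acceptable for clustering samples."""
    stripped = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    stripped = re.sub(r"(?m)(//|#).*$", "", stripped)
    stripped = re.sub(r"\s+", "", stripped)
    return hashlib.sha256(stripped.encode()).hexdigest()


def scan_php_files(directory: str) -> List[Finding]:
    """Walk a web root and record both hashes plus the timestomp check."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            findings.append(Finding(
                path=path,
                timestomped=looks_timestomped(path),
                raw_sha256=hashlib.sha256(raw).hexdigest(),
                normalized_sha256=normalized_hash(raw.decode("utf-8", "replace")),
            ))
    return findings


def cluster(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group files by normalized hash: variants of one dropped file land together."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.normalized_sha256].append(f.path)
    return dict(groups)


# Constructed stand-ins for two downloads of the same dropped file: a harmless
# echo, with the per-download junk carried in a comment (placement assumed).
VARIANT_A = "<?php /* junk:8f1c2a9e7b */ echo 'hello'; ?>"
VARIANT_B = "<?php echo 'hello'; // junk:zq93kd02ll\n?>"


def demo() -> List[Finding]:
    """Write both variants into a temp web root, back-date one of them the way
    a timestomping dropper would, and scan the directory."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    a = os.path.join(webroot, "a.php")
    b = os.path.join(webroot, "b.php")
    with open(a, "w") as fh:
        fh.write(VARIANT_A)
    with open(b, "w") as fh:
        fh.write(VARIANT_B)
    three_years_ago = time.time() - 3 * 365 * 24 * 3600
    os.utime(a, (three_years_ago, three_years_ago))  # mtime moves, ctime does not
    return scan_php_files(webroot)


if __name__ == "__main__":
    results = demo()
    for f in results:
        print(f"{os.path.basename(f.path)} timestomped={f.timestomped} "
              f"raw={f.raw_sha256[:12]} normalized={f.normalized_sha256[:12]}")
    for digest, paths in cluster(results).items():
        print(f"cluster {digest[:12]}: {len(paths)} file(s)")
```

Run as a script it reports `a.php` as timestomped, shows that the two raw hashes differ, and puts both files in a single cluster. In practice the normalized hash is what you would share or match against, since a raw-file IoC is defeated by the junk string on the very next download.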
At the time the report went public, parts of the attacker infrastructure still remained operational. The IP addresses of both groups point back to the Netherlands, while DNS records also tie them to several Russian adult sites.
The Rapid Rise of VoIP Malware
Thanks to the affordability and versatility of VoIP systems, the business communication tool is now more popular than ever. In fact, over 41 million businesses in the US alone currently depend on the technology.
However, because of that reliance on the web and growing use among businesses, telephony systems have also caught the attention of cyber criminals.
Just like traditional internet systems, VoIP systems can be vulnerable to a whole host of viruses that can compromise the security of your enterprise. From infecting your devices with malware to stealing important credentials, attackers can sabotage your business in more ways than one. This is why practicing cybersecurity due diligence is so important.
If you want to keep threats at bay, antivirus software forms a critical layer of protection against attacks like this one. Choosing a VoIP solution with strong security features is a good idea too.
Our research suggests 8×8 and Google Voice offer the most secure solutions around, but GoTo Connect is another solid all-around system. Learn more about best practices for VoIP security here.