Elastix VoIP systems targeted by massive malware campaign


Multiple threat actors attacked VoIP telephony servers running Elastix with more than 500,000 distinct malware samples between December 2021 and March 2022, researchers said.

Elastix is unified communications server software combining IP PBX, email, instant messaging, fax and collaboration tools.

The researchers believe the attackers exploited CVE-2021-45461, a high-severity (CVSS score 9.8) remote code execution vulnerability. Their goal was to deploy a PHP web shell that would allow them to execute arbitrary code on compromised endpoints.

Blend into the environment

Palo Alto Networks Unit 42 experts, who first spotted the campaign, said two separate attack groups, using different methods to exploit the flaw, attempted to deploy a small shell script that installs a PHP backdoor and gives attackers root access.

“This dropper also tries to blend in with the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” the researchers noted.
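The timestamp spoofing the researchers describe, copying a known file's modification time onto the dropped backdoor (what `touch -r` does), rewrites mtime and atime only. On Linux the kernel sets the inode change time (ctime) on every such write, and ctime cannot be back-dated through the normal file API, so a freshly written file carrying an old mtime is a usable triage signal. The scanner below is an added defensive example, not code from the article or from Unit 42; the seven-day threshold, the `scan_webroot` and `build_demo_webroot` names, and the demo directory contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import time
from datetime import datetime, timezone

# Hypothetical threshold (an assumption for this example): flag a file whose
# inode change time (ctime) is more than this far ahead of its modification
# time (mtime). utimes()/`touch -r` can rewrite mtime and atime, but the kernel
# updates ctime on every such write, so a freshly dropped file that was given
# an old mtime stands out.
DEFAULT_SKEW_SECONDS = 7 * 24 * 3600


def skewed(mtime, ctime, skew_seconds=DEFAULT_SKEW_SECONDS):
    """Return True when ctime is implausibly newer than mtime."""
    return (ctime - mtime) > skew_seconds


def scan_webroot(root, suffixes=(".php",), skew_seconds=DEFAULT_SKEW_SECONDS):
    """Walk `root` and return details of regular files (PHP by default) whose
    mtime looks back-dated relative to their ctime, largest skew first.
    Linux/Unix semantics only: on Windows st_ctime is the creation time and
    this check does not apply."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not candidate web shells
            if skewed(st.st_mtime, st.st_ctime, skew_seconds):
                findings.append({
                    "path": path,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
                    "skew_seconds": int(st.st_ctime - st.st_mtime),
                })
    return sorted(findings, key=lambda f: f["skew_seconds"], reverse=True)


def build_demo_webroot():
    """Construct a throwaway directory (demo data, not from any real system):
    one file written normally, and one written just now whose mtime is then
    rewritten to an old value, mirroring how a copied timestamp from a
    long-installed file would land on a dropped backdoor."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    legit = os.path.join(root, "index.php")
    with open(legit, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    dropped = os.path.join(root, "cache.php")
    with open(dropped, "w") as fh:
        fh.write("<?php /* harmless placeholder body for the demo */ ?>\n")
    ninety_days_ago = time.time() - 90 * 24 * 3600
    # Back-dates atime and mtime only; ctime stays at "now".
    os.utime(dropped, (ninety_days_ago, ninety_days_ago))
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for finding in scan_webroot(demo_root):
        print(f"{finding['path']}: mtime {finding['mtime']} but ctime "
              f"{finding['ctime']} ({finding['skew_seconds']} s later)")
```

Treat hits as a prioritisation aid rather than a verdict: package managers, `cp -p`, `rsync -a` and restores from backup also preserve an old mtime on a new inode, so confirm a flagged PHP file against the package database or a known-good deployment before acting on it.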

The researchers further noted that the groups’ IP addresses are located in the Netherlands, while the associated DNS records point to Russian adult sites. The payload delivery infrastructure is only partially active at the moment.

The campaign is still ongoing, the researchers concluded.

Depending on the campaign objective, corporate servers are sometimes a higher-value target than desktops, laptops or other corporate endpoints. Servers are generally more powerful devices and can be used, for example, as part of a botnet delivering thousands of requests per second.

Servers can also be used to deploy cryptomining software, earning valuable cryptocurrencies for their attackers. And finally, if the servers are shared (for example, in a cloud environment), a single data breach could compromise several companies at once, along with all of their customers.

Via: BleepingComputer
