Threat analysts at Palo Alto Networks' Unit 42 have unearthed a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022.
Elastix is a unified communications server software, based on projects such as Digium’s Asterisk, FreePBX, and more.
The hackers' goal was to inject a PHP web shell that could run arbitrary commands on the compromised communications server and exploit a remote code execution (RCE) vulnerability tracked as CVE-2021-45461, with a critical severity rating of 9.8 out of 10.
The campaign is still active and shares multiple similarities to another operation in 2020 that was reported by researchers at cybersecurity firm Check Point.
According to the researchers, enterprise servers are sometimes a higher-value target than computers, laptops, or other firm endpoints. Servers are usually more powerful devices and could be exploited, for example, as part of a potent botnet generating thousands of requests per second.
In this campaign, the researchers spotted two separate attack groups employing initial exploitation scripts to drop a small-size shell script. The script installs an obfuscated PHP backdoor on the web server, manufactures multiple root user accounts, and sets a scheduled task to ensure recurring re-infection of the system.
"This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system," security researchers explained.
The IP addresses of the hackers are in the Netherlands, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment.
The PHP web shell – which is injected with a random junk string to bypass signature-based defenses –consists of several layers of Base64 encoding and is guarded by a hardcoded “MD5 authentication hash” mapped to the victim’s IP address.
The web shell also accepts an admin parameter and supports arbitrary commands, along with a series of built-in default commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform.
“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is through a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks,” Palo Alto Networks concludes.
