500,000 malicious implants discovered in IP phones

Palo Alto Networks’ Unit 42 security research team has warned of a malicious operation targeting the Elastix PBX solution. 500,000 malware samples capable of exfiltrating data and executing code through the FreePBX module on Digium IP phones have been identified.

Among the many compromise vectors used by attackers, installing a web shell on a server to launch exploits or execute commands remotely is a technique that has (unfortunately) proven effective. Barely two years after the discovery of such an attack targeting the Sangoma PBX VoIP system, the Unit 42 security research team at Palo Alto Networks has revealed a similar compromise.

In this campaign, web shells were used to compromise the Elastix unified communications system, which integrates functions including private branch exchange (PBX), internet protocol (IP), e-mail, instant messaging, fax and collaboration tools. The solution bundles well-known open source packages such as FreePBX, Asterisk and Postfix and is used with Digium VoIP phones. According to the researchers, more than 500,000 malware samples were detected between the end of December 2021 and the end of March 2022. “This unusual activity is aimed at the open source communication software Asterisk, which is widely used by Digium for VoIP telephone terminals,” the research specifies.

Evading signature-based analysis

“The malware installs obfuscated multilayer PHP backdoors on the web server’s file system, downloads new commands to run, and schedules recurring tasks to re-infect the host system,” Unit 42 further reports. “The malware implants a random junk string with each download in an attempt to evade signature-based defenses that rely on indicators of compromise.”

In detail, a shell-script dropper installs a hidden PHP backdoor in several locations on the file system. It then maintains access by creating multiple root user accounts before setting up a scheduled task to re-infect the host. Meanwhile, the Base64-encoded PHP web shell contains random junk comments designed to defeat signature-based analysis.

Indicators of compromise to look for

The web shells identified by Palo Alto Networks’ Unit 42 researchers appear to be correlated with CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps module of FreePBX, the PHP-based component of the software package used by Digium. To protect against this exploitation, it is important to upgrade to at least version 16.0.19 or 15.0.20, published on 22 December 2021. In addition to the corrective updates, it is also recommended to anticipate risks by adapting defense systems appropriately, for example by setting up sandboxes to analyze executables, filtering URLs, detecting intrusions and classifying traffic.

The FreePBX indicators of compromise are also listed by Unit 42:

– Public external URLs

– hxxp[://]37[.]49[.]230[.]74/k[.]php;
– hxxp[://]37[.]49[.]230[.]74/z/wr[.]php;
– hxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php;
– hxxp[://]37[.]49[.]230[.]74/z/post/root[.]php.

– Original shell scripts – SHA256 hashes

– 000a3688455edacc1dac17539797dc98f055091898a65cd520fb8459c1bc2a2a;
– 0012342749e3bae85a9269a93661e2eb00437c71b2bca2eaca458147f9fe8471;
– 001305bd3be538e50014d42f02dee55056b73a1df770e2605aded8a970091f2f;
– 0050232e04880fbe1d0c670b711b66bb46c32febdc9513074612c90f1f24631b;
– 0059d7b736dc1e61bd5b22fff601579fbc8a12b00981fdd34fd13f0fb44688b0;
– 0088cba19eec78daee0310854c4bf8f7efc64b89bdc7517f0a1c7ebbba673f72.

– Local file paths

– /var/www/html/admin/assets/ajax.php;
– /var/www/html/admin/assets/config.php;
– /var/www/html/admin/assets/js/config.php;
– /var/www/html/admin/modules/core/ajax.php;
– /var/www/html/digium_phones/ajax.php;
– /var/www/html/rest_phones/ajax.php.

– Character strings

– ZenharPanel;
– ZenharR;
– Ask master.
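The article makes two points a defender can act on: the web shell pads itself with random junk comments so that per-sample hashes stop matching, and Unit 42 publishes file paths, hashes and strings to sweep for. The following script is an added example written for this page, not Unit 42's or Elastix's code. It sweeps a copy of a FreePBX web root for the listed indicators and, to counter the junk-comment trick, also fingerprints each PHP file after stripping comments and collapsing whitespace, so two variants that differ only in their padding produce the same normalized hash. The two PHP snippets it scans are constructed for the demonstration and are not malware; the `scan_tree` helper and the `/var/www/html` prefix mapping are assumptions of this example.

```python
import hashlib
import os
import re
import tempfile

# Indicators reproduced from the article's IoC list.
SUSPECT_PATHS = {
    "/var/www/html/admin/assets/ajax.php",
    "/var/www/html/admin/assets/config.php",
    "/var/www/html/admin/assets/js/config.php",
    "/var/www/html/admin/modules/core/ajax.php",
    "/var/www/html/digium_phones/ajax.php",
    "/var/www/html/rest_phones/ajax.php",
}
SUSPECT_STRINGS = ["ZenharPanel", "ZenharR", "Ask master"]
SUSPECT_HASHES = {
    "000a3688455edacc1dac17539797dc98f055091898a65cd520fb8459c1bc2a2a",
    "0012342749e3bae85a9269a93661e2eb00437c71b2bca2eaca458147f9fe8471",
    "001305bd3be538e50014d42f02dee55056b73a1df770e2605aded8a970091f2f",
    "0050232e04880fbe1d0c670b711b66bb46c32febdc9513074612c90f1f24631b",
    "0059d7b736dc1e61bd5b22fff601579fbc8a12b00981fdd34fd13f0fb44688b0",
    "0088cba19eec78daee0310854c4bf8f7efc64b89bdc7517f0a1c7ebbba673f72",
}

# Matches /* ... */ block comments, // line comments and # line comments.
# Deliberately simple: it does not parse string literals, so a "//" inside a
# quoted URL would also be removed. That is acceptable for fingerprinting.
PHP_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def normalize_php(source: str) -> str:
    """Strip comments and collapse whitespace so randomly inserted junk
    comments no longer change the fingerprint of the remaining code."""
    stripped = PHP_COMMENT_RE.sub("", source)
    return re.sub(r"\s+", " ", stripped).strip()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_file(logical_path: str, content: bytes) -> dict:
    """Check one file against the path, hash and string indicators and
    compute both the raw and the comment-normalized SHA256."""
    text = content.decode("utf-8", errors="replace")
    raw = sha256_hex(content)
    normalized = sha256_hex(normalize_php(text).encode("utf-8"))
    findings = []
    if logical_path in SUSPECT_PATHS:
        findings.append("known-path")
    if raw in SUSPECT_HASHES:
        findings.append("known-hash")
    for needle in SUSPECT_STRINGS:
        if needle in text:
            findings.append("string:" + needle)
    return {"path": logical_path, "raw_sha256": raw,
            "normalized_sha256": normalized, "findings": findings}


def scan_tree(root: str, webroot_prefix: str = "/var/www/html") -> list:
    """Walk a copied web root and map each file back to the absolute path it
    would have on the phone system (assumed prefix, not from the article)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                results.append(scan_file(webroot_prefix + "/" + rel, fh.read()))
    return results


# Constructed, harmless PHP: the same statements wrapped in different junk
# comments, mimicking the padding the article describes.
VARIANT_A = b"<?php /*q9xk*/ $panel = 'ZenharPanel'; /*m2*/ echo $panel; ?>"
VARIANT_B = b"<?php /*ab771*/ $panel = 'ZenharPanel'; /*z*/ echo $panel; ?>"


def demo() -> list:
    """Write the two variants into a temporary web root copy and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "rest_phones"))
        with open(os.path.join(root, "rest_phones", "ajax.php"), "wb") as fh:
            fh.write(VARIANT_A)
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(VARIANT_B)
        return sorted(scan_tree(root), key=lambda r: r["path"])


if __name__ == "__main__":
    for r in demo():
        print(r["path"], r["findings"], r["normalized_sha256"][:16])
```

The raw hashes of the two variants differ, which is exactly why a list of six SHA256 values cannot keep up with a sample that re-pads itself on every download, while the normalized hashes match, so one fingerprint covers every padded copy. On a real system the sweep would also review the scheduled tasks and additional root accounts the article says the dropper leaves behind, which file hashing alone does not reveal.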
