Elastix VoIP Systems Hit in Large-scale Campaign

Many businesses today leverage at least one, if not several open source technologies, largely because of their flexibility and lower cost. However, risks do come with open-source software. As with any software, though, there are risks. In this case, hackers exploited a flaw in an open source VoIP solution to potentially impact thousands of users.

Researchers at Palo Alto Networks’ Unit 42 uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022.

Elastix is a unified communications server used with the Digium phones module for FreePBX, an open-source IP PBX software offering organizations an all-in-one communications platform.

Researchers speculate the attackers exploited a remote code execution vulnerability identified as CVE-2021-45461 with a critical severity rating of 9.8 out of 10.

Unit 42 researchers observed two attack groups using different initial exploitation scripts to drop a small-size shell script. The scripts installed the PHP backdoor on the target device to give the attackers root access.

The attackers’ IP addresses are located in the Netherlands, while DNS records reveal links to several Russian adult sites. Parts of the payload-delivery infrastructure remain online and operational.

The malware supported arbitrary commands and built-in default commands by using the command request parameter. However, the web shell also featured an additional set of eight built-in commands for file reading, directory listing and reconnaissance of the Asterisk open-source PBX platform.

Additionally, the Unit 42 report included technical details on how the payloads are dropped and some tactics to avoid detection on the existing environment.

Implanting web shells in vulnerable servers is not a new tactic for bad actors in these attacks, according to the researchers. Defenders need to adapt security appliances and applications in a single pane to detect these attacks to avoid any future pitfalls.


Edited by Erik Linask