A large-scale campaign has been targeting Elastix VoIP telephony servers to install PHP web shells. More than 500,000 malware samples have already been spotted in just three months.

Abuse of Elastix VoIP systems

The attackers are believed to be abusing the RCE vulnerability (CVE-2021-45461) in Elastix VoIP systems used in the Digium phones module for FreePBX. The flaw has been abused since December 2021.
  • The campaign’s goal was to plant a PHP web shell to run arbitrary commands on infected communications servers.
  • The attackers deployed 500,000 unique malware samples between December 2021 and March 2022.

The recent campaign is still active and shares similarities with another operation in 2020. The operation systematically exploited SIP servers from various manufacturers.

The PHP web shell 

Researchers spotted two attack groups using different initial exploitation scripts to drop a small-size shell script. The script installs the PHP backdoor on the target device and creates root user accounts.
  • A shell script attempts to blend into the existing environment by faking the timestamp of the installed PHP backdoor file to a file already known on the targeted system.
  • The IP addresses of the attackers are located in the Netherlands, while DNS records show links to various Russian adult sites. At present, the parts of the payload-delivery infrastructure are online.
  • The scheduled task executes every minute to get a PHP web shell. The web shell is base64 encoded and manages different parameters (MD5, admin, cmd, and call ) in incoming web requests.

Additionally, the dropped web shell comes with an additional set of built-in commands (around eight) for directory listing, file reading, and reconnaissance of the Asterisk open-source PBX platform.

What to do?

Researchers have provided technical details regarding used tactics in recent campaigns to avoid infection. Further, organizations are suggested to make use of provided IOCs revealing local file paths of malware, hashes for shell scripts, public URLs to host the payloads, and unique strings.
Cyware Publisher