Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of three months.
Elastix is a server software for unified communications (Internet Protocol Private Branch Exchange [IP PBX], email, instant messaging, faxing) that is used in the Digium phones module for FreePBX.
The attackers may have exploited a remote code excution (RCE) vulnerability identified as CVE-2021-45461, with a critical severity rating of 9.8 out of 10.
Adversaries have been exploiting this vulnerability since December 2021 and the recent campaign appears to be connected to the security issue.
Security researchers at Palo Alto Networks’ Unit 42 say that the attackers’ goal was to plant a PHP web shell that could run arbitrary commands on the compromised communications server.
In a report on Friday, the researchers say that the threat actor deployed “more than 500,000 unique malware samples of this family” between December 2021 and March 2022.
The campaign is still active and shares several similarities to another operation in 2020 that was reported by researchers at cybersecurity company Check Point.
Attack details
The researchers observed two attack groups using different initial exploitation scripts to drop a small-size shell script. The script installs the PHP backdoor on the target device and also creates root user accounts and ensures persistence through scheduled tasks.
“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” note the security researchers.
The IP addresses of the attackers from both groups are located in the Netherlands, while DNS records reveal links to several Russian adult sites. Currently, parts of the payload-delivery infrastructure remain online and operational.
The scheduled task created by the first script runs every minute to fetch a PHP web shell that is base64 encoded and can manage the following parameters in incoming web requests:
md5 – MD5 authentication hash for remote login and web shell interaction.
admin – Select between Elastic and Freepbx administrator session.
cmd – Run arbitrary commands remotely
call – Start a call from the Asterisk command line interface (CLI)
The web shell also features an additional set of eight built-in commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform.
The report from Unit42 includes technical details on how the payloads are dropped and some tactics to avoid detection on the existing environment. Furthermore, a list of indicators of compromise reveals local file paths the malware uses, unique strings, hashes for shell scripts, and public URLs that host the payloads.
