Several different threat actors attacked VoIP telephony servers (opens in a new tab) owned by Elastix with more than 500,000 different malware samples (opens in a new tab) between December 2021 and March 2022, researchers say .

Elastix is ​​unified communications server software that brings together tools for IP PBX, email, instant messaging, fax, and collaboration.

The researchers assume that the attackers exploited CVE-2021-45461, a high severity (9.8) vulnerability that allows remote code execution. Their goal was to implement a PHP web shell that would allow them to execute arbitrary code on compromised endpoints.

Blend in with the environment

Palo Alto Networks Unit 42 experts who first saw the campaign said that two separate attack groups, using different methods to exploit the flaws, tried to implement a miniature shell script, which installs a PHP backdoor and gives attackers root access.

"This dropper also attempts to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file with that of a known file already on the system," the researchers noted.

The IP addresses of the groups are in the Netherlands, it was explained in more detail, but the DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at this time.

The campaign is still ongoing, the researchers concluded.

Depending on the target of the campaign, corporate servers are sometimes a higher value target than corporate computers, laptops, or other endpoints. Servers are often more powerful devices and can be used, for example, as part of a powerful botnet that sends thousands of requests per second.

The servers can also be used to implement crypto mining software, earning valuable cryptocurrencies for their attackers. And finally, if the servers are shared (for example, in a cloud environment), a possible data breach could compromise several companies at the same time and all their customers together.

Via: BleepingComputer (Opens in a new tab)

Share This