Elastix VoIP systems targeted by massive malware campaign

Multiple threat actors have tried to deploy thousands of malware variants

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A number of different threat actors have attackedVoIPtelephony servers belonging to Elastix with more than 500,000 differentmalwaresamples between December 2021 and March 2022, researchers have claimed.

Elastix is a unified communications server software, bringing together IP PBX, email, IM, faxing and collaboration tools.

The researchers are speculating the attackers exploited CVE-2021-45461, a high-severity (9.8) vulnerability that allows for remote code execution. Their goal was to set up a PHP web shell that would allow them to run arbitrary code on the compromised endpoints.

Blending into the environment

Experts from Palo Alto Networks’ Unit 42 who first spotted the campaign said two separate attack groups, using different methods to exploit the flaws, tried to deploy a miniature shell script, which installs a PHP backdoor and gives the attackers root access.

“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” the researchers noted.

The IP addresses of the groups are in the Netherlands, it was further explained, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment.

Microsoft Exchange servers are being hacked to deploy ransomware>Nasty new malware targets Microsoft Exchange servers>Check out our list of the best firewalls right now

The campaign is still ongoing, the researchers concluded.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Depending on the campaign goal, enterprise servers are sometimes a higher-value target than computers, laptops, or other company endpoints. Servers are usually more powerful devices, and could be used, for example, as part of a potent botnet delivering thousands of requests per second.

Servers can also be used to deploy cryptomining software, earning valuable cryptocurrencies for their attackers. And finally, if the servers are shared (for example, in a cloud environment), a potential data breach could compromise multiple companies at once, and all of their customers, combined.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

How to turn off Meta AI