A number of different threat actors have attacked VoIP (opens in new tab) telephony servers belonging to Elastix with more than 500,000 different malware (opens in new tab) samples between December 2021 and March 2022, researchers have claimed.
Elastix is a unified communications server software, bringing together IP PBX, email, IM, faxing and collaboration tools.
The researchers are speculating the attackers exploited CVE-2021-45461, a high-severity (9.8) vulnerability that allows for remote code execution. Their goal was to set up a PHP web shell that would allow them to run arbitrary code on the compromised endpoints.
Blending into the environment
Experts from Palo Alto Networks’ Unit 42 who first spotted the campaign said two separate attack groups, using different methods to exploit the flaws, tried to deploy a miniature shell script, which installs a PHP backdoor and gives the attackers root access.
“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” the researchers noted.
The IP addresses of the groups are in the Netherlands, it was further explained, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment.
The campaign is still ongoing, the researchers concluded.
Depending on the campaign goal, enterprise servers are sometimes a higher-value target than computers, laptops, or other company endpoints. Servers are usually more powerful devices, and could be used, for example, as part of a potent botnet delivering thousands of requests per second.
Servers can also be used to deploy cryptomining software, earning valuable cryptocurrencies for their attackers. And finally, if the servers are shared (for example, in a cloud environment), a potential data breach could compromise multiple companies at once, and all of their customers, combined.