3CX Cyberattack: Cryptocurrency Firms at Risk

Cryptocurrency companies were among the targets of the recent 3CX supply chain attack, according to security researchers. The attack began with the compromise of 3CX, a VoIP provider used by businesses for communication services. Cyber attackers then installed a backdoor to gain access to victims’ networks.

According to reports, the Lazarus Group, a North Korean threat actor, is suspected to be behind the attack. Researchers discovered a second-stage backdoor installed in the compromised systems, which allowed attackers to gain persistent access to victims’ networks. The attack has impacted various industries, including finance, healthcare, and government.

Security experts have warned that supply chain attacks, like the one seen in the 3CX incident, are becoming increasingly common. Cryptocurrency companies, in particular, have become attractive targets due to the digital nature of their assets. Michael Hamilton, former CISO of the City of Seattle, stated, “Cryptocurrency is the perfect target for ransomware and supply chain attacks.”

Businesses can take steps to protect themselves against supply chain attacks by vetting their vendors and implementing strict security protocols. They should also have a plan in place in case of a breach, including regular backups of critical data.

As cyber attackers continue to evolve their tactics, it is essential for businesses to stay vigilant and proactive in their cyber defense measures. As noted by cybersecurity expert Bruce Schneier, “Security is a process, not a product.” By continuously assessing their security posture and implementing best practices, businesses can mitigate the risk of a supply chain attack and other cyber threats.

The 3CX breach highlights the growing threat of supply chain attacks and the need for organizations to implement stronger cybersecurity measures to protect themselves and their customers. The incident also serves as a reminder for cryptocurrency companies to be particularly vigilant, as they are often prime targets for cybercriminals. By staying up to date with the latest security trends and investing in robust security solutions, organizations can better defend against these types of attacks and ensure the safety of their sensitive data.

Large-Scale Malware Campaign Targets Elastix VoIP Systems

Threat analysts at Palo Alto Networks' Unit 42 have unearthed a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022. 

Elastix is unified communications server software built on projects such as Digium’s Asterisk and FreePBX.

The attackers exploited a remote code execution (RCE) vulnerability tracked as CVE-2021-45461, which carries a critical severity rating of 9.8 out of 10, to inject a PHP web shell capable of running arbitrary commands on the compromised communications server.

The campaign is still active and shares multiple similarities to another operation in 2020 that was reported by researchers at cybersecurity firm Check Point. 

According to the researchers, enterprise servers are often a higher-value target than desktops, laptops, or other endpoints. Servers are usually more powerful machines and can be abused, for example, as part of a potent botnet generating thousands of requests per second.

In this campaign, the researchers spotted two separate attack groups using initial exploitation scripts to drop a small shell script. That script installs an obfuscated PHP backdoor on the web server, creates multiple root user accounts, and sets up a scheduled task to ensure the system is re-infected on a recurring basis.

"This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system," security researchers explained. 

The attackers' IP addresses are located in the Netherlands, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active at the moment.

The PHP web shell – which is padded with a random junk string to evade signature-based defenses – consists of several layers of Base64 encoding and is guarded by a hardcoded “MD5 authentication hash” tied to the victim’s IP address.

The web shell also accepts an admin parameter and supports arbitrary commands, along with a series of built-in default commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform. 
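The dropper behaviour described above (extra root accounts, a layered-Base64 backdoor, a PHP file whose timestamp was copied from a legitimate file) can be triaged with a few host checks. This is an added example, not Unit 42's tooling; the function names are ours, the passwd excerpt and files are constructed, and the timestamp check assumes a POSIX filesystem where utime() updates ctime.

```python
import base64, binascii, os, re, tempfile, time

# Constructed /etc/passwd excerpt: 'sysadm' is a second UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:100:101::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
"""

def extra_uid0_accounts(passwd_text):
    """Return account names other than 'root' whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            names.append(f[0])
    return names

def wrap_base64(payload, layers):
    """Constructed-sample helper: nest a payload in N layers of base64."""
    for _ in range(layers):
        payload = base64.b64encode(payload)
    return payload

def base64_layers(blob, limit=10):
    """Count how many times a blob peels as base64 (layered obfuscation)."""
    depth, data = 0, blob.strip()
    while depth < limit and re.fullmatch(rb"[A-Za-z0-9+/=\s]+", data):
        try:
            data = base64.b64decode(data).strip()
        except binascii.Error:  # not valid base64 after all
            break
        depth += 1
    return depth

def timestomp_suspects(paths, slack=60):
    """Flag files whose mtime sits well before ctime: utime()/touch -r can
    forge mtime, but the kernel bumps ctime on that very change."""
    return [p for p in paths
            if (st := os.stat(p)).st_ctime - st.st_mtime > slack]

def demo_timestomp():
    """Constructed: a file with a forged (year-old) mtime beside a normal one."""
    d = tempfile.mkdtemp()
    normal, forged = os.path.join(d, "index.php"), os.path.join(d, "cache.php")
    for p in (normal, forged):
        with open(p, "w") as fh:
            fh.write("<?php // constructed sample ?>")
    old = time.time() - 365 * 86400
    os.utime(forged, (old, old))  # forge atime/mtime; ctime becomes 'now'
    return [os.path.basename(p) for p in timestomp_suspects([normal, forged])]
```

Package managers also install files with old mtimes, so treat a ctime/mtime gap as a lead to compare against package manifests rather than as proof on its own.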

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is through a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks,” Palo Alto Networks concludes.

Ransomware Group Leveraged Mitel Zero-Day Bug To Target VOIP Appliances

CrowdStrike researchers have identified ransomware groups targeting a zero-day flaw impacting the Linux-based Mitel VoIP appliance. 

The vulnerability tracked as CVE-2022-29499 was patched earlier this year in April by Mitel after CrowdStrike researcher Patrick Bennett unearthed the bug during a ransomware investigation. 

In a blog post published last week, Bennett explained that after taking the Mitel VoIP appliance offline, he unearthed a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.” 

“After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VoIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity,” Bennett said. 

Although the hacker erased all files from the VoIP device’s filesystem, Bennett was able to retrieve forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the attacker. 

The zero-day bug affects the Mitel Service Appliance component of MiVoice Connect. Mitel rated the bug critical and said in its security advisory that it could be abused on MiVoice Connect Service Appliances SA 100, SA 400, and Virtual SA.

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company stated.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure. 

The attacker used the exploit to obtain a reverse shell, then used that shell to deploy a web shell ("pdf_import.php") on the VoIP appliance and download the open-source Chisel proxy tool.

The binary was then executed, but only after being renamed to "memdump" in an attempt to fly under the radar, and was used as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device."

Detection of the activity halted the operation and prevented the attacker from moving laterally across the network.

The disclosure of the zero-day arrives less than two weeks after German penetration testing firm SySS disclosed two vulnerabilities in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have allowed threat actors to obtain root privileges on the devices.

Multiple Secret Backdoors Identified in Auerswald VoIP System

RedTeam Pentesting researchers have discovered multiple vulnerabilities in a widely used VoIP (voice over Internet protocol) appliance made by the German telecommunications hardware manufacturer Auerswald. 

The vulnerabilities were identified during penetration testing, and according to RedTeam Pentesting’s researchers, attackers can exploit the flaws to gain full administrative access to the devices.

"Two backdoor passwords were found in the firmware of the COMpact 5500R PBX," researchers from RedTeam Pentesting explained. "One backdoor password is for the secret user 'Schandelah', the other can be used for the highest-privileged user 'admin.' No way was discovered to disable these backdoors." 

The security flaw, tracked as CVE-2021-40859, carries a critical severity rating of 9.8. Auerswald patched the vulnerability with a firmware upgrade (version 8.2B) published in November 2021, following responsible disclosure on September 10. "Firmware Update 8.2B contains important security updates that you should definitely apply, even if you don't need the advanced features," the company said in a post, without explicitly citing the issue.

A private branch exchange, or PBX, is a switching system that serves a private firm and is used to create and manage phone calls between telecommunication endpoints, including traditional telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on VoIP networks. 

The vulnerability was uncovered after RedTeam Pentesting took a closer look at a service Auerswald offers when a customer loses access to their administrator account: in that case, the password of the privileged account can be reset by contacting the manufacturer.

Specifically, the researchers found that the devices are configured to check for a hard-coded username "Schandelah" in addition to "sub-admin," the account that, according to the official documentation, is intended for managing the system. "It turns out that Schandelah is the name of a tiny village in northern Germany where Auerswald produces their devices," the researchers said.

The German pen-testing firm’s follow-up research disclosed that "the corresponding password for this username is derived by concatenating the PBX's serial number, the string 'r2d2,' and the current date [in the format 'DD.MM.YYYY'], hashing it with the MD5 hash algorithm and taking the first seven lower-case hex chars of the result."