Digium Phones Under Attack and how web shells can be really dangerous
Voice over Internet Protocol (VoIP) systems are part of business worldwide, and a vulnerable service can put a corporation, its profitability, reputation on the market and even private data at risk. In 2021, BBC announced something unprecedented: “a coordinated cyberattack has struck multiple UK-based providers of voice over internet protocol (VoIP) services, according to an industry body via DDoS attacks.”
More recently, cybersecurity experts from Palo Alto published a study focused on Digium Phone Software. In detail, these VoIP devices are vulnerable to CVE-2021-45461, and criminals are taking advantage of them to drop a web shell on the servers in a large and massive global campaign with the goal of exfiltrating internal data and taking control of internal networks.
Learn Vulnerability Management
Modus operandi
The scripts and how the attack was conducted share similarities with the INJ3CTOR3 campaign reported by Check Point in November 2020, potentially a new wave from the previous attacks.
From a total of 500,000 analyzed samples by Palo Alto, two clusters were created, representing different payloads dropping a final web shell. As observed in Figure 1, payload 2 (highlighted as Group 2) is more significant than payload 1, presenting 70% of the collected samples.
Figure 1: Cluster of different payloads observed in this campaign. Group 2 contains 70% of the collected samples (source).
The different payloads and source codes are presented below.
Figure 2: Source code of variants 1 (above) and 2 (below).
The power of a web shell script
The initial script observed in Figure 2 installs an obfuscated PHP web sell on the server side, downloads additional scripts, and schedules daily tasks to re-infect the target machine. Palo Alto provides the high-level diagram of this campaign with the following schema.
Figure 3: High-level diagram of Digium Phones cyberattack via web shell (source).
Implanting a web shell in a server is very powerful, as criminals typically can create persistence and stay invisible for an extended period. This is, in fact, an advantage of using web shells, and merging it with the legitimate source code is hard to detect. With this tactic in place, escalating privileges and maintaining a solid foothold on the internal network is the most dangerous point from the security point of view.
A web shell allows internal enumeration via the legitimate web server. Criminals can create internal tunnels, open reverse connections, perform enumeration and deploy additional payloads (e.g., CobaltStrike beacons) as well.
Learn Vulnerability Management
Digium phones are under attack
The usage of web shells is not new, and criminals typically use this tactic as its detection is hard when the implant is well-merged on the source code level. Within this context, monitoring should be a rule of thumb as web shells can be detected early, for instance, by analyzing or creating specific rules for unusual or abnormal traffic.
On the other hand, continuous integration and code analysis approaches are also vital in this field, as detecting discrepancies at the source-code level and catching malicious implants could be performed effectively.
Sources:
- VoIP attacks the UK, BBC
- Digium Phones Attacks, Palo Alto
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Digium Phones Under Attack and how web shells can be really dangerous
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
Vulnerabilities