Posted on July 16, 2022 at 7:15 PM
Cybersecurity researchers have discovered a large-scale malware campaign that targets Elastix VoIP telephony servers with over 500,000 malware samples in three months.
The Elastix server software is used for unified communications, including instant messaging, email, and faxing. The software is used primarily in the Digium phones module for FreePBX.
According to the report, the threat actors exploited a remote code execution (RCE) flaw tracked as CVE-2021-45461, which carries a critical severity score of 9.8 out of 10. The researchers noted that threat actors have been exploiting this flaw since last December, and the latest campaign appears to be linked to a security flaw.
The Hackers Are Planting PHP Web Shell
The Palo Alto Networks Unit 42 security researchers stated that the goal of the threat actors was to plant a PHP web shell that runs arbitrary commands on the infiltrated communications server.
The researchers confirmed that the threat group planted more than 500,000 unique malware samples of the family from December 2021 to March 2022. The attacker is still active, and several related samples of the malware have also been discovered by cybersecurity firm Check Point.
The researchers added that the two attack groups use different initial exploitation methods to drop a small shell script. That script then plants the PHP backdoor on the targeted device and sets up root user accounts, ensuring persistence through scheduled tasks. This means a device could be infected without security software noticing the intrusion. The malware uses state-of-the-art evasion techniques to keep its operations hidden and active.
Additionally, the dropper also tried to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file, making it look exactly like a file that already existed on the system.
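The two persistence and evasion tricks described above (a scheduled task firing every minute and a backdoor file whose modification time is faked to match its neighbours) both leave traces a defender can check for. The following is an added example, not code from the article or from Unit 42: it assumes a per-user crontab layout (five time fields followed by the command) and flags PHP files whose modification time (mtime) is much older than their inode change time (ctime), since mtime can be set freely from user space but ctime cannot. The function names, tolerance value and the sample crontab text are constructed for illustration.

```python
import os
import re
from typing import Iterable, List, Tuple

# Hypothetical helper (added example): returns paths whose mtime lags ctime
# by more than `tolerance` seconds. A dropper that "touches" a new file to
# copy an old timestamp moves mtime back but leaves ctime at the real drop
# time, so a large ctime - mtime gap is a classic timestomping indicator.
def find_timestomped(entries: Iterable[Tuple[str, float, float]],
                     tolerance: float = 3600.0) -> List[str]:
    flagged = []
    for path, mtime, ctime in entries:
        if ctime - mtime > tolerance:
            flagged.append(path)
    return flagged


# Walks a web root (e.g. the PHP tree of a PBX web UI) and feeds real stat()
# values to find_timestomped(). Only the suffixes given are inspected.
def scan_directory(root: str, suffixes=(".php",),
                   tolerance: float = 3600.0) -> List[str]:
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                entries.append((full, st.st_mtime, st.st_ctime))
    return find_timestomped(entries, tolerance)


# Per-user crontab line: five time fields, then the command.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


# Returns the commands of entries scheduled to run every minute, i.e. the
# persistence cadence the article describes. Comments and blank lines are
# skipped; lines that do not parse as five fields plus a command are ignored.
def every_minute_jobs(crontab_text: str) -> List[str]:
    jobs = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m is None:
            continue
        time_fields = m.groups()[:5]
        if all(f in ("*", "*/1") for f in time_fields):
            jobs.append(m.group(6).strip())
    return jobs


# Constructed sample crontab: one ordinary nightly job and one job that runs
# every minute (the path is a placeholder, not an indicator from the report).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup --quiet
* * * * * /usr/local/bin/.update.sh
"""

if __name__ == "__main__":
    print("every-minute jobs:", every_minute_jobs(SAMPLE_CRONTAB))
    # Real use: scan_directory("/var/www/html") on the host being examined.
```

Running `scan_directory()` on a live web root is meaningful only on filesystems that maintain ctime; on a freshly restored backup every file may show a similar gap, so treat the output as a triage list rather than a verdict, and pair it with the crontab check and the indicators of compromise published with the report.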
The Hackers Have Their IP Addresses In The Netherlands
The threat actors' IP addresses are allegedly located in the Netherlands, but DNS records show the addresses are linked to several Russian adult sites. The researchers revealed that part of the attackers' payload-delivery infrastructure remains operational and visible online.
The first script creates scheduled tasks that run every minute to plant the PHP web shell. According to the researchers, the web shell is controlled through different parameters in web requests: cmd (which runs arbitrary commands remotely), admin, call, and md5. The admin parameter chooses between the FreePBX administrator and Elastix session, the md5 parameter carries the authentication hash for web shell interaction and remote login, and the call parameter starts a call from the Asterisk command line interface (CLI).
The web shell also comes with additional features, including reconnaissance of the Asterisk open-source PBX platform, directory listing, and eight built-in commands for file reading.
Unit 42 also included technical details in the report on how the hackers drop and use the payloads, as well as the techniques the malware uses to blend into the existing environment and avoid detection. It also provides a list of indicators of compromise, including the local file paths the malware uses, the public URLs that host the payloads, hashes of the shell scripts, and unique strings.
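Because the web shell is driven entirely by query parameters named cmd, admin, call and md5, requests to it stand out in ordinary web server access logs. The following is an added example, not code from the article or from Unit 42: it parses lines in the common "combined" access-log format, extracts the query string, and flags requests to PHP files that carry two or more of those parameter names at once. The helper names, the scoring threshold and the sample log lines (with documentation-range IP addresses) are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameter names the article says the web shell reacts to.
SHELL_PARAMS = {"cmd", "admin", "call", "md5"}

# Minimal matcher for the Apache/nginx "combined" format (hypothetical helper).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


# Parses one access-log line into its useful fields, or None if it does not
# match. parse_qs keeps blank values so "?admin&md5=" still counts both names.
def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


# Scores a request by how many web-shell parameter names it carries. Only
# PHP targets are considered, since the backdoor is a PHP file.
def score_request(path: str, params: Dict[str, List[str]]) -> int:
    if not path.endswith(".php"):
        return 0
    return len(SHELL_PARAMS & set(params))


# Returns (ip, path, matched parameter names, score) for every line whose
# score reaches min_score. A single "admin" parameter is normal on a PBX
# web UI, which is why the default threshold is two.
def find_suspicious(lines: List[str], min_score: int = 2) -> List[Tuple[str, str, List[str], int]]:
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        score = score_request(rec["path"], rec["params"])
        if score >= min_score:
            matched = sorted(SHELL_PARAMS & set(rec["params"]))
            hits.append((rec["ip"], rec["path"], matched, score))
    return hits


# Constructed sample log: two web-shell-style requests, one legitimate admin
# page load, and one request with a single ambiguous parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2022:03:14:07 +0000] "GET /admin/assets/js/x.php?md5=deadbeef&cmd=uptime HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2022:03:14:09 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jan/2022:03:14:11 +0000] "GET /index.php?admin=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jan/2022:03:15:02 +0000] "POST /index.php?admin=1&call=1&md5=abc HTTP/1.1" 200 88 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Access logs record only the URL, so parameters sent in a POST body are invisible to this check; where the web server logs request bodies, or where a reverse proxy can inspect them, the same parameter-name test applies there. The report's indicators (file paths, hashes and unique strings) remain the authoritative confirmation once a request has been flagged.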
Luna Moth Threat Group Is Exploiting Users With Ransomware
In another development, researchers have discovered a new data extortion group named "Luna Moth" that breaches companies to steal confidential information. The group then threatens to make the stolen files public if a ransom is not paid.
According to the incident response team at cybersecurity company Sygnia, the Luna Moth group has been targeting users since March this year, though its operation could have started long before then. The group uses phishing to deliver remote access tools (RATs) and then steals corporate data.
The researchers noted that the group is looking to build a reputation using the name Silent Ransom Group (SRG).
Earlier this month, Sygnia stated that the Luna Moth group operates much like a scammer, but focuses more on gaining access to sensitive information. To reach its goals, it relies on phishing attacks. The group has run a large-scale campaign luring victims with bogus subscription emails for Duolingo, MasterClass, or Zoho services.
The targeted users usually receive a message purportedly from one of these services, informing them that their subscription will soon expire and be renewed automatically. The sender addresses are crafted to resemble those of the impersonated services so the messages look genuine, but the ultimate goal is to deceive the targets and steal sensitive information from their devices.