Posted on November 6, 2020 at 3:23 PM
Unpatched VoIP Flaws Lead to a Massive Wave of Hacking Attacks
Security researchers have found that over 1,200 firms around the world ended up compromised due to an unpatched VoIP flaw, as hackers started accessing their systems without any authentication.
Over the last year, more than 1,200 companies have had their business accounts compromised due to Voice over Internet Protocol (VoIP) flaws that were left unpatched. The targeted firms are located all over the world, and hackers have made it their goal to earn money by hijacking and selling these accounts.
Hacking attacks in the business world are nothing new. In fact, they happen pretty much every day. However, the efficiency of this campaign is rather interesting.
The main goal of the attackers seems to be calling premium-rate numbers that the hackers themselves own, or selling phone numbers and various call plans for others to use free of charge. While this appears to be the primary goal, it is worth noting that the VoIP flaw that made this possible could also open the door to a number of other forms of attack.
With access to VoIP systems, it would be relatively easy for them to listen to private calls, use the systems for further, more intrusive campaigns, or even mine cryptocurrencies.
What is known about the campaign?
Cybersecurity researchers from Check Point noted that one hacking group has managed to successfully compromise VoIP networks of as many as 1,200 companies and organizations.
The affected firms are located in more than 20 countries across the globe, although more than half of the victims appear to be in the UK. All of the firms seem to have fallen to exploitation of the same vulnerability.
The hackers did not focus on any single industry, either: targets included insurance, finance, military, government, manufacturing, and more.
While the UK suffered the greatest number of attacks, organizations in numerous other nations were hit, including the US, Colombia, Belgium, the Netherlands, and Germany, among others.
The vulnerability in question is CVE-2019-19006, a critical flaw in Sangoma and Asterisk VoIP phone systems. By exploiting it, anyone could gain remote access to the systems without any form of authentication.
Fortunately, a security patch for the flaw exists; it was released back in 2019. But, as is often the case, many organizations and companies around the world failed to apply it, which left them vulnerable.
In short, a hacker using the flaw could not only bypass authentication but also gain admin access to the system and all of its functions.
What could the hackers do with this kind of access?
Researchers also looked into how hackers tend to use the compromised systems. Many make outgoing calls through the VoIP system without its owner's knowledge. This lets the hackers dial premium-rate numbers that they have set up themselves, generating money for them while the compromised organization ends up paying the bill.
Many might assume that it would not take businesses long to realize that something is wrong and that their servers are being exploited. However, large companies already make so many legitimate phone calls that the fraudulent ones simply end up hidden among them.
Another way for hackers to make money from the compromised systems is to sell access to others who might want to use them for their own purposes. This could lead to a number of other hacking attacks that could be much more dangerous. Eavesdropping and crypto mining are only some of the activities that hackers could turn to with this kind of access, if they wanted to.
Not to mention that hackers could use compromised systems to delve deeper into the firms’ networks, and end up stealing credentials, using malware, and more. However, researchers noted that this may depend on different factors, such as the configuration of the system, and how the system is connected to the rest of the network.
What can the companies do about it?
For now, researchers recommend that companies change all default usernames and passwords on their devices, which would make them harder to exploit. In addition, companies should analyze their call bills regularly and look for any suspicious activity.
High traffic volumes, unusual calling patterns, or calls to suspicious destinations are signs that their systems may have been compromised.
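The call-bill review the researchers recommend can be partly automated. The script below is an added example written for this page, not code from Check Point or from the Asterisk project: it scans a small set of constructed call detail records (CDRs) for the three red flags named above, namely calls to premium-rate destinations, off-hours calling, and a spike in call volume from a single extension. The CDR format, the "09" premium-rate prefix, the off-hours window and the volume threshold are all assumptions chosen for the example and should be replaced with the PBX's real CDR export and the organization's own dialling plan.

```python
"""Scan VoIP call detail records (CDRs) for toll-fraud indicators: calls to
premium-rate destinations, calls outside business hours, and bursts of calls
from one extension. Every CDR line, prefix and threshold here is constructed
for the example; adapt them to the real PBX export and local dial plan.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed CDR export: start time, calling extension, dialled number,
# duration in seconds. The 020 7946 0xxx numbers are a UK range reserved for
# fiction; the 0900 numbers are made-up premium-rate destinations.
SAMPLE_CDR = """\
2020-11-05 09:12:01,201,02079460001,45
2020-11-05 09:40:17,201,02079460002,120
2020-11-05 10:05:44,305,02079460003,300
2020-11-06 02:14:09,305,0900123456,600
2020-11-06 02:15:33,305,0900123456,610
2020-11-06 02:17:02,305,0900123457,598
2020-11-06 02:18:41,305,0900123458,605
2020-11-06 02:20:15,305,0900123459,590
2020-11-06 02:21:50,305,0900123460,612
"""

# Tunables (example values, not from the article): adjust to the local dial plan.
PREMIUM_PREFIXES = ("09",)        # UK premium-rate range, used as the example
OFF_HOURS = range(0, 6)           # 00:00-05:59 counts as outside business hours
MAX_CALLS_PER_EXT_PER_HOUR = 4    # more than this from one extension is a spike


@dataclass(frozen=True)
class CallRecord:
    start: datetime
    extension: str
    dialled: str
    duration_s: int


def parse_cdr(text: str) -> list:
    """Parse the constructed CSV-like CDR format into CallRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start, ext, dialled, dur = line.split(",")
        records.append(CallRecord(datetime.fromisoformat(start), ext, dialled, int(dur)))
    return records


def find_premium_calls(records: list) -> list:
    """Calls whose dialled number starts with a premium-rate prefix."""
    return [r for r in records if r.dialled.startswith(PREMIUM_PREFIXES)]


def find_off_hours_calls(records: list) -> list:
    """Calls placed inside the off-hours window."""
    return [r for r in records if r.start.hour in OFF_HOURS]


def find_volume_spikes(records: list) -> list:
    """(extension, hour bucket, count) for extensions exceeding the hourly threshold."""
    buckets = Counter((r.extension, r.start.replace(minute=0, second=0)) for r in records)
    return [(ext, hour, n) for (ext, hour), n in sorted(buckets.items())
            if n > MAX_CALLS_PER_EXT_PER_HOUR]


def scan(text: str) -> dict:
    """Run all three checks over a CDR export and return the findings."""
    records = parse_cdr(text)
    premium = find_premium_calls(records)
    return {
        "premium": premium,
        "off_hours": find_off_hours_calls(records),
        "spikes": find_volume_spikes(records),
        # Minutes billed to premium destinations: the number the finance team sees.
        "premium_minutes": sum(r.duration_s for r in premium) / 60,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_CDR)
    print(f"{len(result['premium'])} premium-rate calls, "
          f"{result['premium_minutes']:.2f} minutes billed")
    for ext, hour, n in result["spikes"]:
        print(f"extension {ext}: {n} calls in the hour starting {hour:%Y-%m-%d %H:00}")
    for r in result["off_hours"]:
        print(f"off-hours call at {r.start} from {r.extension} to {r.dialled}")
```

On the constructed data the three checks converge on the same event: extension 305 placed six calls to 0900 numbers between 02:14 and 02:22, totalling just over an hour of premium-rate airtime. In a real deployment the same logic would run nightly against the PBX's CDR table, with the thresholds set from a baseline of normal traffic so that a genuine burst stands out rather than hiding among legitimate calls.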
And, it goes without saying that firms need to start applying patches for newly discovered vulnerabilities as soon as such patches become available.