This mysterious hacking campaign snooped on a popular form of VoiP software

October 04, 2019

How voice is becoming more controversial
Tonya Hall speaks with Preston So, director of research and innovation at Acquia, to discuss how voice is now moving from just recognizing words to understanding intent.

A hacking campaign is targeting one of the world’s most popular services for making voice over IP phone calls, allowing the attacker to snoop on who people are calling and when they’re calling them, listen to recordings of conversations and send out spoof calls which look like they come from legitimate number of the compromised user.

The attack has been detailed during a presentation by Check Point researchers at the Virus Bulletin 2019 conference in London.

Security researchers have traced the initial attacks back to between February and July 2018 when an attacker was performing scans on over 600 companies across the world which use Asterisk FreePBX – a popular form of open source VoiP software.

The attacker then went quiet for months before re-emerging this year, targeting a US based server owned by an engineering company which provides services to the oil, gas and chemical industries.

That Asterisk server was then targeted with a custom-built PHP web shell exploiting a known vulnerabilities, allowing the attacker to remotely control the server as if they were using the keyboard and mouse connected to the system.

This kind of attack is often used to help deploy cryptomining malware, but this campaign was something more sophisticated – the attacker used commands to extract and read the contents of call files, allowing them to examine the histories of calls made by the user of the Asterisk system.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Stealing this metadata can provide the attacker with a lot of information and indicates the attacker knows what they’re doing.

“Using this web shell they can navigate through directories and execute commands they can download and upload directories and read files, reading the call files stored in the local server,” Oded Awaskar, security researcher at Check Point Software told ZDNet.

“And there can be recordings of calls if the admin has set the recording feature on, which most do for auditing. That means the attacker can pull the recordings to his server and listen to what was said. They gain complete control of the server,” he added.

Snooping on that metadata could potentially be used for the purposes of espionage, but the attacker can also use Asterisk to spoof calls to look as if they come from the compromised Asterisk user.

The attacker covered their tracks, so it wasn’t possible to identity who they called from the compromised system or why.

Check Point told ZDNet the research has been disclosed to Asterisk and that the vulnerability which enables the attack to take place was patched before the attack was first spotted. Researchers recommend that users apply patches to software, operating systems and servers to keep systems as secure as possible.

ZDNet contacted Asterisk for comment, but hadn’t received a response at the time of publication.

READ MORE ON CYBER CRIME