Technology Tips

August 22, 2022

Hackers Use VoIP Systems To Install PHP Web Shells

Written By Securafy Team

Security researchers at Unit 42, a division of Palo Alto Networks, have been tracking the efforts of a massive campaign aimed at Elastix VoIP telephony servers.

They are used by companies of all shapes and sizes to unify their communications, and it is especially attractive because it can be used with the Digium phones module for FreePBX.

So far, the team has collected more than half a million malicious code samples over a three-month period.  An analysis of those code samples reveals that the attackers are exploiting a remote code execution vulnerability. It is being tracked as CVE-2021-4561 and carries a severity rating of 9.8 out of ten.

Security researchers report that hackers have been actively exploiting this flaw since at least December 2021.

Based on the code samples collected, the Unit 42 team believes that the attackers' goal was to plant PHP web shells on successfully penetrated systems. That would allow them to execute arbitrary commands on the compromised servers.

Another security firm, Check Point, confirms Unit 42's findings and both teams stress that the campaign is still ongoing.  Worse, it appears that there are two different groups involved in the attack. Although it is not currently known whether they are coordinating their efforts or if that fact is coincidental. Perhaps it is a case of one following the other so as not to miss out on an opportunity.

The attackers behind the campaign are both clever and technically savvy.  They've built in some good anti-detection strategies into the attack, such as masking the name of the back door so that the file name resembles that of a known file already on the system.  It would take a sharp pair of eyes indeed to spot it.

In any event, if you use Elastix VoIP, be sure your IT people are aware of this threat.

Picture of Securafy Team
About The Author
Our team at Securafy brings you the best tech tips, from how-to guides and troubleshooting advice to software reviews and productivity hacks. We're all about empowering businesses with the tools and knowledge they need to thrive in the digital world. Follow our posts to stay equipped with practical insights that make tech work for you.

Join the Conversation

Subscribe to our newsletter

Sign up for our FREE "Cyber Security Tip of the Week!" and always stay one step ahead of hackers and cyber-attacks.