Hackers Target VoIP Servers of 1200 Companies


Saturday, November 7th, 2020

Check Point Research has published a report detailing an ongoing cyber fraud operation led by threat actors in Gaza, the West Bank, and Egypt that compromises the VoIP servers of more than 1,200 organizations across 60 countries. The operation has apparently been running for the past 12 months. Check Point believes that the threat actors have targeted Sangoma PBX, an open-source user interface used to manage and control Asterisk VoIP phone systems, and specifically its SIP (Session Initiation Protocol) servers.

Hacking and gaining control of SIP servers allows threat actors to abuse them in several ways, such as placing outgoing calls to pre-established toll phone numbers to generate revenue. Since making calls is a legitimate feature, it is difficult to tell when a server has been compromised. By selling phone numbers, call plans, and live access to the compromised VoIP services of targeted businesses to the highest bidders, the operators of the campaign have generated hundreds of thousands of dollars in profit, and the same access gives them the ability to eavesdrop on legitimate calls.

According to Check Point Research, the attackers exploited CVE-2019-19006, a critical vulnerability (CVSS score 9.8) that impacts the administrator web interface of FreePBX and PBXact, potentially allowing unauthorized users to gain administrative access to the system by sending specially crafted packets to the affected server. The remote admin authentication bypass flaw affects FreePBX versions 15.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below and was patched by Sangoma in November 2019.

Check Point Research writes in their report:

The attack begins with SIPVicious, a popular tool suite for auditing SIP-based VoIP systems. The attacker uses the ‘svmapmodule’ to scan the internet for SIP systems running vulnerable FreePBX versions. Once found, the attacker exploits CVE-2019-19006, gaining admin access to the system.

Check Point researchers

Check Point researchers believe that the hacked VoIP servers could be employed by the attackers to make calls to International Premium Rate Numbers (IPRN) under their control. IPRNs are specialized numbers used by businesses to offer phone-based purchases and other services — like putting callers on hold — for a higher fee.

This fee is typically passed on to the customers who call these premium numbers, making the system ripe for abuse. The more calls the owner of an IPRN receives, and the longer callers wait on the line to complete the transaction, the more money the owner can charge telecom providers and customers.
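Because outbound calling is a legitimate PBX feature, the abuse described above (long, off-hours calls from one extension to international premium-rate destinations, as in the IPRN scheme just explained) is easiest to catch in the call detail records rather than on the wire. The following Python is an added example, not code from the Check Point report or from the Sangoma/FreePBX project. It parses a constructed Master.csv-style Asterisk CDR sample and flags extensions whose outbound pattern looks like toll fraud; the prefix list, thresholds, and all phone numbers are invented placeholders that a site would replace with its carrier's fraud-prefix list and its own baseline.

```python
"""Heuristic toll-fraud detection over Asterisk-style CDR rows (defender-side example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Placeholder prefix list: a real deployment loads this from its carrier's fraud feed.
HIGH_RISK_PREFIXES = ("00999",)   # hypothetical prefix, not a real destination
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 local; anything else counts as off-hours
LONG_CALL_SECONDS = 900           # premium-rate fraud favours long held calls
MAX_INTL_CALLS_PER_SRC = 2        # more international calls than this from one extension

# Constructed sample rows in Master.csv column order (abbreviated). 01632 is a UK
# reserved-for-fiction range; 00999... is the hypothetical high-risk prefix above.
SAMPLE_CDR = """\
src,dst,dcontext,start,duration,billsec,disposition
1001,1002,internal,2020-11-06 10:15:02,65,60,ANSWERED
1001,00441632960123,outbound,2020-11-06 11:02:44,300,295,ANSWERED
1003,00999123456,outbound,2020-11-07 02:11:09,1800,1795,ANSWERED
1003,00999123456,outbound,2020-11-07 02:45:10,1750,1742,ANSWERED
1003,00999654321,outbound,2020-11-07 03:20:33,1600,1590,ANSWERED
1003,00999654321,outbound,2020-11-07 03:55:01,120,0,NO ANSWER
1002,1001,internal,2020-11-07 09:00:00,30,28,ANSWERED
"""


def parse_cdr(text):
    """Parse CSV CDR rows into dicts with typed start time and billable seconds."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": row["src"],
            "dst": row["dst"],
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "billsec": int(row["billsec"]),
            "disposition": row["disposition"],
        })
    return rows


def is_international(dst):
    """Treat 00-prefixed or +-prefixed dial strings as international."""
    return dst.startswith("00") or dst.startswith("+")


def call_flags(call):
    """Per-call indicators; each is weak alone but they combine into a strong signal."""
    flags = set()
    if is_international(call["dst"]):
        flags.add("international")
    if call["dst"].startswith(HIGH_RISK_PREFIXES):
        flags.add("high_risk_prefix")
    if call["start"].hour not in BUSINESS_HOURS:
        flags.add("off_hours")
    if call["billsec"] >= LONG_CALL_SECONDS:
        flags.add("long_call")
    return flags


def analyze_cdr(text):
    """Return {src_extension: summary} for extensions whose outbound pattern looks fraudulent."""
    per_src = defaultdict(lambda: {"intl_calls": 0, "intl_billsec": 0, "flags": set()})
    for call in parse_cdr(text):
        flags = call_flags(call)
        if "international" not in flags:
            continue  # internal and domestic traffic is out of scope for this heuristic
        entry = per_src[call["src"]]
        entry["intl_calls"] += 1
        entry["intl_billsec"] += call["billsec"]
        entry["flags"] |= flags
    report = {}
    for src, entry in per_src.items():
        suspicious = (
            entry["intl_calls"] > MAX_INTL_CALLS_PER_SRC
            or "high_risk_prefix" in entry["flags"]
            or {"off_hours", "long_call"} <= entry["flags"]
        )
        if suspicious:
            report[src] = {**entry, "flags": sorted(entry["flags"])}
    return report


if __name__ == "__main__":
    for src, summary in analyze_cdr(SAMPLE_CDR).items():
        print(f"extension {src}: {summary['intl_calls']} intl calls, "
              f"{summary['intl_billsec']}s billed, flags={summary['flags']}")
```

Run against the sample, extension 1001's single daytime international call passes, while extension 1003 is reported for four off-hours calls to the high-risk prefix totalling 5127 billable seconds. In practice the same logic runs nightly against the PBX's CDR table, with the prefix list and thresholds tuned to the organisation's normal calling profile.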

