LONDON — A recent attack aimed at a U.S.-based oil, gas and chemical supplier leverages the company’s use of the enterprise-class Asterisk open-source PBX software, used for VoIP services.
According to research from Check Point, presented here at Virus Bulletin 2019 on Friday, the attack was first identified early last year when researchers spotted scanning activity targeting 1,500 unique gateways tied to 600 companies. This reconnaissance activity stopped abruptly five months later, only to resume in February of this year, with one difference. This time the scans were targeted at a single U.S.-based engineering company that provides niche services to critical infrastructure utilities in the U.S.
The adversary was able to use a command-injection technique over HTTP to inject a PHP web shell into the Asterisk server’s outgoing directory, according to Check Point researcher Lotem Finkelstein. He added that the researchers weren’t sure if the attacker leveraged a vulnerability to compromise the platform.
“We see PHP web shells a lot,” Finkelstein said from the stage at Virus Bulletin. “It’s typically a somewhat amateurish approach – but here we saw it to be well-designed, and crafted and tailored for the Asterix server.”
As a result, the adversary was able to gain complete control over the server, including being able to access databases (with private extensions and billing records), call recordings, metadata and detailed information on who called whom and when within the organization. Also, the attacker injected a call file that caused the Asterisk server to make external calls and play canned messages with the identity of the victimized company.
The Attack’s Topography
The file that the adversary injected was a text file called “cmd.txt” – which contained an obfuscated PHP code. Once executed, the code looks for the existence of Asterisk configuration files and write a new administrative user into them, which gave the attacker full control over the server.
After that, the PHP code hooked up with a command-and-control (C2) server, and downloaded a password-protected PHP web shell that carried out the data extraction, including the CALL file, which contains metadata on the calls made by the server.
After that, the attacker inserted a new CALL file into the outgoing directory, offering the ability to make outgoing calls under the guise of the victimized company.
The Attacker
Check Point was able to piece together some information about the attacker’s identity. The PHP web shell was protected by a hardcoded password, also used in a similar PHP file.
“But instead of the hard-coded string, the PHP had an embedded URL inside it, from which the password had to be extracted,” according to the paper. From there, they were able to track the identity of the attacker to a person who, according to his LinkedIn profile, is a “security enthusiast” who lives in the Gaza Strip and works for the Palestinian Ministry of Telecommunications.
However, it’s unclear why the attack was undertaken. Despite the attack going on for months, no evidence of data stolen from the server has turned up anywhere on the underground, according to Check Point. Premium number fraud – in which highjacked phone numbers are used to make pay calls to premium services – could be one motivation, according to Finkelstein. Another could be hoaxing, prank calls or “swatting” (e.g, making false emergency calls to police). And yet another possibility is that the attacker was after the ability to make calls without being detected by intelligence organizations (although, as Finkelstein pointed out, using a VPN would be easier).
“We don’t have an answer as to motive,” Finkelstein said. “We know he invested a lot of time in probing the servers and the nature of the specific server that he was able to exploit. He knows how many calls come in and out and to who. PBX information is one of an organization’s crown jewels.”
The attack should serve as a warning to others that use Asterisk (which has 2 million downloads per year), the researchers noted.
“The infection vector is a customized PHP web shell, which is weaponized with new techniques targeting the Asterisk internal configuration files and databases – the same databases that hold all of the calls’ metadata as well as the recordings of the calls,” according to the paper. “If you own an Asterisk system in your network, you might ask yourself: ‘Are my employees and I the only ones using it?’”
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.