This mysterious hacking campaign snooped on a popular form of VoiP software

Researchers uncover a campaign that is snooping on call data and recordings of conversations - and could even spoof calls.
Written by Danny Palmer, Senior Writer

A hacking campaign is targeting one of the world's most popular services for making voice over IP phone calls, allowing the attacker to snoop on who people are calling and when they're calling them, listen to recordings of conversations and send out spoof calls that look like they come from the legitimate number of the compromised user.

The attack has been detailed during a presentation by Check Point researchers at the Virus Bulletin 2019 conference in London.

Security researchers have traced the initial attacks back to between February and July 2018, when an attacker was performing scans on over 600 companies across the world that use Asterisk FreePBX – a popular form of open source VoiP software.

SEE: 10 tips for new cybersecurity pros (free PDF)

The attacker then went quiet for months before re-emerging this year, targeting a US-based server owned by an engineering company that provides services to the oil, gas and chemical industries.

That Asterisk server was then targeted with a custom-built PHP web shell exploiting known vulnerabilities, allowing the attacker to remotely control the server as if they were using the keyboard and mouse connected to the system.

This kind of attack is often used to help deploy cryptomining malware, but this campaign was something more sophisticated – the attacker used commands to extract and read the contents of call files, allowing them to examine the histories of calls made by the user of the Asterisk system.

Stealing this metadata can provide the attacker with a lot of information and indicates the attacker knows what they're doing.

"Using this web shell they can navigate through directories and execute commands, they can download and upload directories, and read files, reading the call files stored in the local server," Oded Awaskar, security researcher at Check Point Software, told ZDNet.

"And there can be recordings of calls if the admin has set the recording feature on, which most do for auditing. That means the attacker can pull the recordings to his server and listen to what was said. They gain complete control of the server," he added.

SEE: Facebook is the latest tech giant to admit contractors are snooping on your conversations

The results of snooping on that metadata could potentially be used for the purposes of espionage, but the attacker can also use Asterisk to spoof calls to look as if they come from the compromised Asterisk user.

The attacker covered their tracks, so it wasn't possible to identity who they called from the compromised system or why.

Check Point told ZDNet the research has been disclosed to Asterisk and that the vulnerability that enables the attack to take place was patched before the attack was first spotted. Researchers recommend that users apply patches to software, operating systems and servers to keep systems as secure as possible.

ZDNet contacted Asterisk for comment, but hadn't received a response at the time of publication.




Editorial standards