Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of three months.
威胁分析人员发现了一场针对 Elastix VoIP 电话服务器的大规模活动,在三个月内有超过 500,000 个恶意软件样本。
Elastix is a server software for unified communications (Internet Protocol Private Branch Exchange [IP PBX], email, instant messaging, faxing) that is used in the Digium phones module for FreePBX.
Elastix 是用于统一通信(Internet 协议专用分支交换 [IP PBX]、电子邮件、即时消息、传真)的服务器软件,用于 FreePBX 的Digium 电话模块。
The attackers may have exploited a remote code excution (RCE) vulnerability identified as CVE-2021-45461, with a critical severity rating of 9.8 out of 10.
攻击者可能利用了编号为 CVE-2021-45461的远程代码执行 (RCE) 漏洞,其严重性等级为 9.8(满分 10)。
Adversaries have been exploiting this vulnerability since December 2021 and the recent campaign appears to be connected to the security issue.
自 2021 年 12 月以来,攻击者一直在利用此漏洞,最近的活动似乎与该安全漏洞有关。
Security researchers at Palo Alto Networks’ Unit 42 say that the attackers’ goal was to plant a PHP web shell that could run arbitrary commands on the compromised communications server.
Palo Alto Networks 的 Unit 42 安全研究人员表示,攻击者的目标是在受感染的通信服务器上植入一个 PHP Web shell执行任意命令。
In a report on Friday, the researchers say that the threat actor deployed “more than 500,000 unique malware samples of this family” between December 2021 and March 2022.
研究人员在周五的一份报告中表示,攻击者在 2021 年 12 月至 2022 年 3 月期间部署了“该家族的超过 500,000 个独特的恶意软件样本”。
The campaign is still active and shares several similarities to another operation in 2020 that was reported by researchers at cybersecurity company Check Point.
该活动目前仍然活跃,另外它还与网络安全公司 Check Point 的研究人员报告的 2020 年另一项行动有一些相似之处。
Attack details
攻击细节
The researchers observed two attack groups using different initial exploitation scripts to drop a small-size shell script. The script installs the PHP backdoor on the target device and also creates root user accounts and ensures persistence through scheduled tasks.
研究人员观察到两个攻击组使用不同的初始脚本来删除小的 shell 脚本。该脚本在目标设备上安装 PHP 后门,创建 root 用户,并通过计划任务确保持久性。
“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system,” note the security researchers.
“这个 dropper 还试图将已安装的 PHP 后门文件的时间戳伪装成系统上已经存在的已知文件的时间戳来融入现有环境,”安全研究人员指出。
The IP addresses of the attackers from both groups are located in the Netherlands, while DNS records reveal links to several Russian adult sites. Currently, parts of the payload -delivery infrastructure remain online and operational.
这两个组织的攻击者的 IP 地址都位于 荷兰 ,而 DNS 记录显示了几个俄罗斯成人网站的链接。目前,部分有效载荷的服务器仍保持在线和运行状态。
The scheduled task created by the first script runs every minute to fetch a PHP web shell that is base64 encoded and can manage the following parameters in incoming web requests:
第一个 脚本 创建的计划任务每分钟运行一次,以获取经过 base64 编码的 PHP Webshell,并且可以管理传入Web 请求中的以下参数:
- md5 – MD5 authentication hash for remote login and web shell interaction.
md5 – 用于远程登录和 Web shell 交互的MD5身份验证哈希。
- admin – Select between Elastic and Freepbx administrator session.
admin – 在 Elastic 和 Free PBX 管理员会话之间进行选择。
- cmd – Run arbitrary commands remotely
- cmd – 远程运行任意命令。
- call – Start a call from the Asterisk command line interface (CLI)
- call – 从 Asterisk 命令行界面 (CLI) 启动呼叫。
The web shell also features an additional set of eight built-in commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform.
Webshell 还具有一组额外的八个内置命令,用于文件读取、目录列表和 Asterisk 开源 PBX 平台的侦察。
The report from Unit42 includes technical details on how the payloads are dropped and some tactics to avoid detection on the existing environment. Furthermore, a list of indicators of compromise reveals local file paths the malware uses, unique strings, hashes for shell scripts, and public URLs that host the payloads.
Unit42 的报告包括有关如何丢弃有效载荷的技术细节以及避免在现有环境中检测到的一些策略。此外,入侵指标列表显示了恶意软件使用的本地文件路径、唯一 字符串 、shell 脚本的哈希值以及承载有效负载的公共 URL。
大方无隅,大器晚成,大音希声,大象无形。
——《道德经.第四十一章》
本文翻译自:
如若转载,请注明原文地址
翻译水平有限 🙁
有歧义的地方,请以原文为准 :)
喜欢我们的,请记得关注哦~
