Cybersecurity researchers today disclosed an ongoing cyber fraud operation run by hackers in Gaza, the West Bank and Egypt that has compromised the VoIP servers of more than 1,200 organizations in 60 countries over the past 12 months.
According to findings published by Check Point Research, the threat actors, based in the Gaza Strip, have targeted Sangoma PBX, an open-source web GUI used to manage and control Asterisk VoIP phone systems, and in particular its Session Initiation Protocol (SIP) servers.
Hacking into SIP servers and gaining control of them lets attackers abuse them in several ways, the cybersecurity firm noted in its analysis. One of the more complex and interesting ways is abusing the servers to make outgoing phone calls, which are also used to generate profit. Making calls is a legitimate feature, so it is hard to detect when a server has been exploited.
By selling phone numbers, call plans and live access to the compromised VoIP services of targeted companies to the highest bidders, the campaign's operators generated hundreds of thousands of dollars in revenue, while also gaining the ability to eavesdrop on legitimate calls.
Remote administrator authentication bypass
A PBX, short for Private Branch Exchange, is a switching system that establishes and controls telephone calls between telecommunication endpoints such as conventional phones, Public Switched Telephone Network (PSTN) destinations, and Voice over IP (VoIP) devices or services.
Check Point's research found that the attacks exploit CVE-2019-19006 (CVSS score 9.8), a critical vulnerability in the web administration interface of FreePBX and PBXact that could allow unauthorized users to gain administrative access to the system by sending specially crafted packets to the affected server.
The remote administrator authentication bypass flaw affects FreePBX versions 220.127.116.11 and lower, 18.104.22.168 and lower, and 22.214.171.124 and lower, and was patched by Sangoma in November 2019.
The attack begins with SIPVicious, a popular tool suite for auditing SIP-based VoIP systems, the researchers said. The attacker uses its svmap module to scan the internet for SIP systems running vulnerable versions of FreePBX; once such a system is found, they exploit CVE-2019-19006 to gain administrative access to it.
In one attack flow, the initial PHP web shell was used to dump the FreePBX system database and the passwords of the various SIP extensions, giving the attackers unrestricted access to the entire system and the ability to make calls from any extension.
In a second version of the attack, the initial web shell was used to download a base64-encoded PHP file, which is then decoded to launch a web panel that lets the adversary place calls through the compromised FreePBX and Elastix systems and run arbitrary as well as hard-coded commands.
The campaign's reliance on Pastebin to download password-protected web shells has been linked to an uploader named INJ3CTOR3, a name associated with an older SIP remote code execution vulnerability (CVE-2014-7235), as well as to a number of private Facebook groups used to share SIP server exploits.
International revenue share fraud
Check Point's researchers say that attackers can use the compromised VoIP servers to call International Premium Rate Numbers (IPRNs) under their control. IPRNs are specialised numbers used by businesses to offer purchases over the phone and other services, such as placing callers on hold, for a higher fee.
These fees are typically passed on to the customers who call the premium numbers, which leaves the system open to abuse. The more calls an IPRN owner receives and the longer customers wait in the queue to complete a transaction, the more money the owner can charge telecom providers and customers.
Thus, according to the researchers, using IPRN programs not only lets the hackers make calls but also lets them abuse the SIP servers for profit: the more servers exploited, the more calls can be made to the IPRN.
This is not the first time that switching systems have been exploited for International Revenue Share Fraud (IRSF), the practice of illegally gaining access to an operator's network to inflate traffic to phone numbers obtained from an IPRN provider.
In September, ESET researchers discovered a Linux malware called CDRThief that targeted VoIP softswitches in an attempt to steal phone call metadata and carry out IRSF schemes.
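Because the calls themselves are legitimate traffic, the fraud described above shows up only in the pattern of the call detail records (CDRs). The following Python is an added example, not code from Check Point or from this article: it flags extensions whose answered calls to high-risk destination prefixes form a burst, with after-hours timing noted as an aggravating factor. The CDR columns, extension numbers, dialled numbers and the prefix list are all constructed placeholders.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDRs (simplified columns, not a real Asterisk Master.csv).
SAMPLE_CDR = """src,dst,start,billsec,disposition
201,+14155550123,2020-11-05 09:12:00,140,ANSWERED
305,+2520000000001,2020-11-06 02:03:10,1800,ANSWERED
305,+2520000000002,2020-11-06 02:04:15,1800,ANSWERED
305,+2520000000003,2020-11-06 02:05:20,1700,ANSWERED
305,+8820000000004,2020-11-06 02:06:30,1750,ANSWERED
402,+447700900111,2020-11-06 14:00:00,120,ANSWERED
"""
# Placeholder prefixes treated as high risk; a real list comes from your own fraud intelligence.
HIGH_RISK_PREFIXES = ("+252", "+881", "+882")

def parse_cdrs(text):
    """Parse CSV text into dicts with a datetime start and integer billsec."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["billsec"] = int(row["billsec"])
        rows.append(row)
    return rows

def flag_irsf(rows, window_min=60, max_calls=3, max_secs=3600, business_hours=(8, 20)):
    """Return {extension: [reasons]} for extensions whose answered calls to high-risk
    prefixes exceed the call-count or billed-seconds threshold in a sliding window."""
    risky = defaultdict(list)
    for r in rows:
        if r["disposition"] == "ANSWERED" and r["dst"].startswith(HIGH_RISK_PREFIXES):
            risky[r["src"]].append(r)
    alerts = {}
    for src, calls in risky.items():
        calls.sort(key=lambda r: r["start"])
        for i, first in enumerate(calls):
            window = [c for c in calls[i:] if (c["start"] - first["start"]).total_seconds() <= window_min * 60]
            secs = sum(c["billsec"] for c in window)
            reasons = []
            if len(window) >= max_calls:
                reasons.append(f"{len(window)} calls to high-risk prefixes within {window_min} min")
            if secs >= max_secs:
                reasons.append(f"{secs}s billed to high-risk prefixes within {window_min} min")
            if reasons:  # after-hours timing is an aggravating factor, not a trigger
                if not business_hours[0] <= first["start"].hour < business_hours[1]:
                    reasons.append(f"burst began at {first['start']:%H:%M}, outside business hours")
                alerts[src] = reasons
                break  # one alert per extension is enough for triage
    return alerts
```

Run `flag_irsf(parse_cdrs(SAMPLE_CDR))` to see that only extension 305 is flagged; in production the thresholds and prefix list should be tuned to the organization's normal international traffic.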
"Our study shows how hackers in Gaza and the West Bank make money from the difficult socio-economic conditions in the Palestinian territories," says Adi Ikan, research director for network cybersecurity at Check Point.
"Their cyber scam is a quick way to make a lot of money. In a broader sense, this year we are witnessing a widespread phenomenon where hackers are using social networks to extend the hacking and monetization of VoIP systems."
"Attacking Asterisk servers is also unusual because the purpose of the attackers is not only to sell access to the infected systems but also to use the infrastructure of the systems in a profitable way. The IPRN concept allows you to make a direct link between telephone calls and money."