
Profitable Hacking Campaign Targets VoIP SIP Servers, Sells System Access

Check Point researchers discovered a new hacking campaign targeting the SIP servers used by multiple VoIP platforms to gain access to, and even profit from, victims' networks.

A massive hacking campaign has recently been observed targeting the Session Initiation Protocol (SIP) servers of Voice over Internet Protocol (VoIP) systems across the globe, in what appears to be a systematic exploitation pattern spanning multiple VoIP manufacturers, according to new research from Check Point.

Check Point discovered the newest surge of attacks targeting Sangoma PBX, an open-source web GUI that manages Asterisk, the world's most popular VoIP PBX system, used by many large organizations. The campaign is part of a larger, profitable hacking model.

The attack exploits a critical authentication bypass vulnerability known as CVE-2019-19006 in the platform, which gives the attacker administrator access. Check Point detected multiple attack attempts on sensors across the globe during the first half of 2020, which prompted an examination of the attack flow used in the campaign. 

Notably, VoIP was recently listed as one of the riskiest device groups by Forescout. And in August, the FBI and the Department of Homeland Security warned that attackers were targeting remote workers with voicemail phishing, or vishing, attacks, leveraging VoIP to call targeted employees and to later spoof phone numbers of other employees. 

In the latest VoIP campaign, hackers begin by scanning for vulnerable endpoints using SIPVicious, a popular tool suite used for auditing SIP-based VoIP systems. The attacker then exploits the flaw to gain administrator access, installs a web shell and uses the asterisk-cli module to execute commands on the compromised system.

“In vulnerable versions of Sangoma FreePBX, the authentication function works by first setting a session for the supplied username, and removes the session setting if the supplied password does not match the one stored in the database,” researchers explained. “FreePBX does not perform input sanity on the password parameter during the login process.”

“By sending the password query parameter as an array element, attackers can cause the authentication function to fail before the session is unset, thereby retaining a legitimate session for the chosen username, admin included,” they added. 
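The ordering flaw the researchers describe, modelled here in Python as an added example (this is not FreePBX's code, which is PHP; the user store, hashing scheme and session dict are assumptions). The vulnerable flow binds the session before verifying the password, so a non-string password makes the check fail before the unbind runs; the hardened flow checks input types, verifies first and binds the session only on success.

```python
import hashlib
import hmac

# Constructed user store: username -> salted SHA-256 hex digest (assumed format)
SALT = b"example-salt"
USERS = {"admin": hashlib.sha256(SALT + b"correct horse").hexdigest()}


def _digest(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def vulnerable_login(session: dict, username: str, password) -> bool:
    """Flawed order: the session is bound before the password is verified."""
    session["user"] = username                        # 1. session bound first
    try:
        if not hmac.compare_digest(_digest(password), USERS.get(username, "")):
            session.pop("user", None)                 # 2. unbound only on mismatch
            return False
        return True
    except AttributeError:
        # password was not a str (e.g. an array-typed parameter): .encode()
        # raised before step 2 ran, so session["user"] survives the failed login,
        # which models the unhandled error in the vulnerable PHP flow
        return False


def hardened_login(session: dict, username: str, password) -> bool:
    """Correct order: validate types, verify first, bind the session last."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False                                  # reject non-string input
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(_digest(password), expected):
        return False                                  # nothing stored on failure
    session["user"] = username                        # bound only after success
    return True
```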

A successful SIP server exploit gives hackers control of the device, allowing them to abuse the server for their own purposes. Once in control, attackers establish persistence by uploading web shells that keep a channel open to the system.

In one method, an attacker abuses the server to place outgoing phone calls for profit, for example by using the exploited server to call International Premium Rate Numbers (IPRN).

“When an IPRN is called, the caller is paying the owner of the IPRN per minute, the amount of which depends on the caller’s origin country. There are companies that provide a range of IPRN numbers in different plans,” researchers explained. 

“With enough traffic, this model can provide sufficient profit to cover the IPRN costs. For that reason, IPRN services are often used in businesses that put callers on hold, or have many clients (i.e. premium content calls),” they added. “The longer the clients stay on the line, the more money the company owning the IPRN receives.” 

The compromised systems can also be used to launch further attacks, including using system resources for cryptomining, spreading across the enterprise network, or launching attacks on outside targets while masquerading as the compromised company.

Further, detecting an exploited SIP server is a challenge, as making calls is a legitimate feature of the platform. 
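Because outbound calls are legitimate traffic, detection has to look at call patterns rather than at the presence of calls. As an added example (not from the Check Point report), this Python snippet reads simplified Asterisk-style CDR rows, constructed here, and flags what IPRN toll fraud typically leaves behind: bursts of answered international calls from one source, especially after hours. The prefix list, thresholds and business hours are assumptions to tune per site.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed CDR sample: a subset of Asterisk Master.csv columns
SAMPLE_CDR = """src,dst,start,billsec,disposition
1001,2125550100,2020-10-01 10:15:00,120,ANSWERED
1001,01144205550111,2020-10-01 10:40:00,300,ANSWERED
2003,0115550100001,2020-10-02 02:05:00,900,ANSWERED
2003,0115550100002,2020-10-02 02:07:00,905,ANSWERED
2003,0115550100003,2020-10-02 02:09:00,910,ANSWERED
2003,0115550100004,2020-10-02 02:12:00,870,ANSWERED
2003,0115550100005,2020-10-02 02:13:00,0,NO ANSWER
"""

INTL_PREFIXES = ("011", "00", "+")   # assumed international dialing prefixes
BURST_THRESHOLD = 3                  # assumed: >=3 answered intl calls per src per hour
AFTER_HOURS = (22, 6)                # assumed: calls between 22:00 and 06:00 are off-hours


def is_international(dst: str) -> bool:
    return dst.startswith(INTL_PREFIXES)


def after_hours(ts: datetime) -> bool:
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def find_toll_fraud(cdr_text: str) -> list:
    """Return one alert per (src, hour) bucket that reaches BURST_THRESHOLD."""
    buckets = defaultdict(list)
    for row in csv.DictReader(StringIO(cdr_text)):
        # only answered international calls cost money and matter for IPRN fraud
        if row["disposition"] != "ANSWERED" or not is_international(row["dst"]):
            continue
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        buckets[(row["src"], ts.strftime("%Y-%m-%d %H"))].append((ts, int(row["billsec"])))
    alerts = []
    for (src, hour), calls in buckets.items():
        if len(calls) >= BURST_THRESHOLD:
            alerts.append({
                "src": src, "hour": hour, "calls": len(calls),
                "minutes": sum(b for _, b in calls) // 60,
                "after_hours": all(after_hours(t) for t, _ in calls),
            })
    return alerts
```

Feeding real CDRs through `find_toll_fraud` and alerting on `after_hours` bursts gives a SOC a signal that does not depend on knowing which specific numbers are premium-rate.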

Interestingly, Check Point followed the calling card left by the attackers and found multiple social media groups that discuss SIP server exploitation, with admins shared across different groups and multiple tools that can be used for the exploit, such as scanners, authentication bypass scripts and remote code execution scripts.

A review of these social media postings found SIP server exploits to be increasingly common, particularly among actors from the Middle East. Researchers even found users who publish sales posts, tools and websites, and some who post tutorials on how to perform the exploit.

“The instructions simplify the process to a level where anyone can do it. Perhaps as a result, there seems to be a large and growing community involved in hacking VoIP services,” researchers explained. 

“Although this can explain the infection chain, there is still a question about motivation,” they added. “A further analysis led not only to the surprise that the attacks on SIP servers occur on a larger scale than initially thought, but also that there is a profound underlying economic model.” 

The research shows the exploit is easy to perform, which is concerning as details about the vulnerability were never publicly released and “yet the threat actors behind the attack managed to weaponize and abuse it for their own gain.” 

Lastly, the campaign highlights hackers’ efforts to not only sell access to compromised systems but to exploit the victim’s infrastructure to generate profits and to launch additional cyberattacks.
