A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.
While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a stepping stone towards much more intrusive campaigns.
Detailed by cybersecurity researchers at Check Point, one hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign.
SEE: 10 tips for new cybersecurity pros (free PDF)
Other countries where organisations fell victim to these attacks include the Netherlands, Belgium, the United States, Columbia and Germany.
The attacks exploit CVE-2019-19006, a critical vulnerability in Sangoma and Asterisk VoIP phone systems that allows outsiders to remotely gain access without any form of authentication. A security patch to fix the vulnerability was released last year, but many organisations have yet to apply it – and cyber criminals are taking advantage of this by scanning for unpatched systems.
“The vulnerability is an authentication bypass flaw, and the exploit is publicly available. Once exploited, the hackers have admin access to the VoIP system, which enables them to control its functions. This will not be detected unless an IT team is specifically looking for it,” Derek Middlemiss, security evangelist at Check Point Research, told ZDNet.
One of the most common means the hacked systems are exploited for is making outgoing calls without the VoIP system being aware, which would allow attackers to secretly dial premium rate numbers they’ve set up in order to generate money at the expense of the compromised organisation. And because businesses make so many legitimate phone calls on these systems, it’d be difficult to detect if a server is being exploited.
The attackers also make money by selling access to the systems to the highest bidder, something that could potentially be used for other cyberattacks that could be more dangerous to victims.
“It’s likely that those attacks can be leveraged for other malicious activity such as cryptomining and for eavesdropping,” said Middlemiss.
And it’s potentially possible for attackers to use a compromised VoIP system as a gateway to the rest of the network, opening up the possibility of stealing credentials or deploying malware.
“That’s depending on how the server is configured and connected to the rest of the corporate network. If it is not segmented from the rest of the network, attackers could move laterally,” he added.
It’s recommended that organisations change default usernames and passwords on devices so they can’t easily be exploited and, if possible, analyse call billings on a regular basis for potentially suspicious destinations, volumes of traffic or call patterns.
And most importantly, organisations should apply the required security patches to prevent known vulnerabilities from being exploited.
“Always look for and apply new patches for everything on your network to ensure vulnerabilities like this are closed off,” said Middlemiss.