Elastix, a unified communications server, bundles the FreePBX Digium phones module. CVE-2021-45461 is a remote code execution (RCE) vulnerability in that module which the attackers may have exploited to run code on the server.
The recent campaign appears to be linked to this vulnerability, which threat actors have been exploiting since December 2021.
According to a security researcher at Palo Alto Networks Unit 42, one of the attackers' goals was to install a PHP web shell on the victim's machine; once a communications server is compromised, it can be made to execute arbitrary commands.
The dropper script installs the PHP backdoor on the target device, creates root user accounts and adds a scheduled task to ensure persistence.
The dropper also spoofs the timestamp of the PHP backdoor file it installs, in an attempt to blend into the existing environment.
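The three persistence traits described above (a timestamp-spoofed PHP file, extra UID 0 accounts and a cron task) can each be checked for on a PBX host. The following triage script is an added example, not code from the article or from Unit 42; the file records, passwd and crontab contents are constructed samples, and the one-hour skew threshold is an assumption.

```python
from dataclasses import dataclass


@dataclass
class FileRecord:
    path: str
    mtime: int  # modification time, epoch seconds; can be forged with touch -r
    ctime: int  # inode change time, epoch seconds; not settable from userland


def suspicious_php_files(records, min_skew=3600):
    """Return PHP files whose inode change time is much newer than their mtime.
    Copying an old timestamp onto a freshly dropped file moves mtime back, but
    ctime still records when the file was really written to disk."""
    return [r.path for r in records
            if r.path.endswith(".php") and r.ctime - r.mtime > min_skew]


def extra_root_accounts(passwd_text):
    """Return account names with UID 0 other than 'root' from /etc/passwd text."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def suspicious_cron_entries(crontab_text, webroot="/var/www/html"):
    """Return cron lines that invoke php or reference the web root, where a
    scheduled task that re-plants a web shell would point."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and ("php" in entry or webroot in entry):
            hits.append(entry)
    return hits


# Constructed sample data (assumed paths and names, not indicators from the article).
SAMPLE_FILES = [
    FileRecord("/var/www/html/index.php", mtime=1_600_000_000, ctime=1_600_000_010),
    FileRecord("/var/www/html/admin/modules/x.php", mtime=1_600_000_000, ctime=1_660_000_000),
]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
support:x:0:0::/root:/bin/bash
"""
SAMPLE_CRON = """# m h dom mon dow command
0 3 * * * /usr/bin/php /tmp/.c/update.php
*/5 * * * * /bin/sh /var/www/html/.x.sh
"""

if __name__ == "__main__":
    print("timestamp-skewed PHP:", suspicious_php_files(SAMPLE_FILES))
    print("extra UID 0 accounts:", extra_root_accounts(SAMPLE_PASSWD))
    print("suspicious cron lines:", suspicious_cron_entries(SAMPLE_CRON))
```

On a live host the same functions can be fed `os.stat` results, `/etc/passwd` and the output of `crontab -l` for each account.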
Several Russian adult sites resolve to the attackers' IP addresses from both groups, while DNS records suggest that many of those sites are actually hosted in the Netherlands.
Through the cmd request parameter, the malware accepts two kinds of commands:
- Arbitrary commands
- Built-in default commands
The web shell's built-in commands cover reading files, listing directories and gathering information about the Asterisk open source PBX platform.
Such operations are well established and recur from time to time: a compromised PBX can be made to place calls to International Premium Rate Numbers (IPRN), and the attacker collects the per-call revenue those numbers generate.
In other words, the compromised systems can also serve as a base for further attacks that benefit the attacker.