
INJ3CTOR3 Operation – Leveraging Asterisk Servers For Monetization

BSides Dublin · 2021 · 22:17 · 37 views · Published 2021-05
About this talk
Security researchers from Check Point detail a campaign targeting FreePBX and Asterisk servers to exploit CVE-2019-19006 for financial gain. The talk traces the attackers' infrastructure, attribution to threat groups in Gaza and the West Bank, and their use of compromised SIP systems to generate revenue through International Premium Rate Number (IPRN) fraud schemes.
View slide decks and full list of talks available at: https://www.bsidesdub.ie/past/2021.php
Transcript

Hello everyone and welcome to our talk, INJ3CTOR3 Operation, Leveraging Asterisk Servers for Monetization. I'm Ido Solomon, a security researcher at Check Point. And I'm Omer Ventura, working at Check Point, also in the network research team. So, what is on our agenda? To introduce the campaign, we'll talk about the vulnerable product and go over the relevant CVE and infection vector. We'll dive into the different attack flows and analyze them step by step. We'll then talk about the attackers standing behind this campaign and examine specific concepts they use in order to achieve their goals, such as IPRN. And lastly, we'll show the impact of this campaign.

So as we've said, during 2020, we have uncovered a campaign targeting Asterisk servers. We have witnessed exploitation of a critical vulnerability in the FreePBX product. And this turned out to be a part of a wider phenomenon of SIP server exploitation, which we'll talk about. So in order to understand the campaign and its purpose, we'll have to talk about the relevant products first. So Ido, take it from here. Thank you, Omer.

Like Omer said, we first need to talk about the target of the attacks. In this case, the PBX phone system. PBX stands for private branch exchange, which is a private telephone network used within companies and organizations. Digium Asterisk is an open source VoIP and telephony server used by many Fortune 500 companies. And it is also the world's most popular VoIP PBX system.

Sangoma FreePBX is an open source web GUI that manages Asterisk.

FreePBX suffered from a critical vulnerability that did not have a public proof of concept published, but that didn't deter our attacker from abusing it for their gain. A vulnerability that we had to investigate ourselves as part of the research in this campaign. Our story begins with several thousand requests logged in our sensors with the following format, supplying a PHP file with a command inside the request parameter. And this parameter contained two concatenated cat commands, trying to retrieve the content of Asterisk files, amportal.conf and sip_additional.conf. And from these requests, we can infer that this is post-exploitation activity, as evident by the classic PHP web shell usage, and the attempt to retrieve Asterisk files, so we know Asterisk was targeted. However, there are many services that can run on top of Asterisk, so this was not enough to determine the affected product. On further investigation, we came across a Python script hosted on Pastebin. And this script generated very similar traffic to the logs we had. And after investigating the requests made by the script, specifically the one over here, the usage of the Asterisk CLI and cli-cmd, it revealed the target product to be Sangoma FreePBX. And we should also note that the script was uploaded to Pastebin by a username Inj3ctor3.

At this point, we knew the target product, FreePBX, but not the actual vulnerability used. Fortunately for us, FreePBX is an open source project. And so after finding an authentication bypass vulnerability without a public PoC, we were able to find the Jira task for that vulnerability, and from there go into the FreePBX GitHub repository and find the exact commits patching the vulnerability out.

Examining the commits, we found exactly what we were after. During the login process, a new line of code was added that casts the password parameter supplied by the user to string. And with this knowledge and the Python script hosted on Pastebin, we were able to successfully deduce the nature of CVE-2019-19006, and in addition, create a working proof of concept.

And this is the PoC. As you can see, we send the password parameter as an array element and supply the username we wish to authenticate as. Issuing this request to a vulnerable FreePBX server will allow us to login as the admin account. But you're probably wondering about the value of the password parameter. In this example, we've opted to use checkpoint research. And this is because, as you may have guessed, this value is irrelevant, as the check password function throws the exception before the value of password is validated. Now, when an attacker is presented with a blank slate like this, they usually take one of two approaches. The first is to try and disguise the request as legitimate traffic. In this case, they could have used a common password and disguised this as a failed login attempt. Or they could leave a calling card of sorts. Now looking at the attacker traffic, we can see that they've deployed the latter approach, basically saying we, Inj3ctor3, compromised your system.

And with the vulnerability now known to us, we can take a look at the attack used in this campaign. We've actually observed two variants of this attack, both starting with the same sequence of actions up until the upload of a PHP web shell, where they then diverge. The attack begins with SIPvicious, a popular SIP scanning framework, to find servers running a vulnerable version of FreePBX, where the aforementioned vulnerability is not patched. The attacker then exploits the vulnerability in order to gain access to the system and authenticate as the admin account.

They then use the Asterisk CLI to upload a very basic PHP web shell encoded in Base64 and use it to remove previous files, previous versions of the attack files and possibly competitor web shells. At this point, the attack diverges into two separate flows, and we will go one by one, starting with the first flow. Following the removal of files, the threat actor attempts to retrieve the content of Asterisk management files, as we've seen before in the logs, amportal and sip_additional. And they then issue a one-liner, which we've broken up over here. This code tries to place outgoing calls using the compromised system on various SIP extensions to what we believe is a number under the threat actor's control. And we assume that it does that in order to verify that the system has been successfully compromised and that they have access to the SIP system. They then download a second PHP web shell, encoded in Base64 and padded with garbage commands in order to evade static detection methods. And this web shell is password protected, as you can see here in the snippet. And this web shell, in addition, can echo credentials to various parts of the Asterisk system. Now, unfortunately, the first flow was halted at this point. We saw no evidence of further requests during this flow, and we assume that this is due to the attacker failing to place the outgoing calls as we've seen in the previous slide. This is the entire first flow starting from the initial webshell up to the second password protected one. Now, the second flow is a bit more complex.

After removing the previous version of the attack files, the threat actor downloads a new PHP webshell which, unlike the one in the first flow, is not only password protected, but also has a specific hardcoded list of IP addresses. As you can see here, they're all hashed in MD5 and hardcoded in the webshell. Attempting to access the webshell from an unapproved IP or without the password results in a fake 403 Forbidden message being served. Using the web shell, the threat actor then performs the following actions. First, they try to update the FreePBX framework, possibly to patch out the same vulnerability they've used in the first place to compromise the system. They then try to download and execute a shell script, which was unfortunately already dead by the time of our investigation. But we should note that the IP it was hosted on is part of a subnet that is notorious for mass scanning of SIP services. They also create a new directory, free PPX (with a P), and move all the files used in the attack to the directory. Finally, they download a PHP file to tmp slash k, which is actually a dropper that drops two additional files to admin/views. The first, .htaccess, simply enables symbolic links and enables access to the second file, config.php, from other URLs. And as for config.php itself, it's another basic Base64-encoded file. But when we decode it, it's not a simple PHP web shell as we've been used to by this point, but it is a password-protected web panel.

Now this panel is capable of not only running arbitrary encoded commands, as you can see in the values at the bottom, but also capable of placing outgoing calls using the compromised system. And finally, this is the entire second flow starting from the initial web shell to the dropper and the final web panel. And finally the complete flow of the campaign following the initial exploitation of CVE-2019-19006. And now that we've been over the attack methods used, my colleague Omer will discuss the threat actor's identity.

Thank you, Ido, if you can stop sharing the screen. Yes. Okay. Thanks, Ido. So we talked about the attack vectors, the CVEs, and some of the action steps performed by the attacker later, like installing the webshell. Let's talk about the mind behind the attack and the threat actor. When we started searching for the attacker, we began with some of the hints that he left behind. We started searching for unique keywords that we found in the webshell, such as r.php or yokeyoke. And this led to a script on Pastebin. By the way, it was taken off a few days after the publication. So this code exploits the same vulnerability and uploads the same temporary webshell with the same communication way, exactly like we've seen in our attack. And the one thing that you can notice here is that the uploader of the script is called Inj3ctor3. And this fits what we have captured in our sensors perfectly, because as you can see here, the attacker mentioned his name, Inj3ctor, in the password value when exploiting the CVE. Now, as Ido mentioned before, exploiting the vulnerability doesn't require it. The attacker could have written anything that he wanted. So we interpreted it as some kind of a calling card meant to brag or to show off. And this raised the question, who is Inj3ctor3?

Now, in order to answer this question, we started searching the web and the social networks, and we encountered some interesting groups. And as you can see here, these three groups have these similar names, and they share admins. And even one of the admins is called injector-serage, as we have seen in the logs. So we knew that we had to dig deeper and infiltrate into these groups. And once we managed to get in, we had some interesting findings. Looking at the active users in the groups, we found that they are from the West Bank and Egypt, but mostly they're from Gaza. And there were tens of posts there in the group showing high activity. Many of these posts were hacking tutorials and tools. Here you can see a Zero to Hero tutorial teaching the steps in order to execute code on a victim's machine. This can be found on YouTube, but it was also shared in the different groups. And this helps expanding the SIP hacking community even further. This is a post one of the admins uploaded sharing a hacking tool. This specific one is a username and password cracker, but there are many posts like this every day in the group. And we even found a target list published in the groups, and we discovered other groups and site links. In this one, you can see a Telegram group talking about different SIP products like FreePBX, Elastix, and Issabel.

But the one thing that really popped out in the groups was the number of posts advertising IPRN. We saw it all over the place, posts selling numbers from various countries, and we decided to look into the subject. So let's talk about IPRN. IPRN stands for International Premium Rate Numbers. You can see here the whole process of a call procedure to an IPRN. But what's interesting is after the call is established, the IPRN owner gets paid by the end user, the one who's calling, for the service. The more calls to this number means the more money the IPRN owner makes. You can understand why service providers such as technical support or adult-only calls would be interested in IPRN. Each call is priced differently. It is determined by different parameters, such as the length of the call or the origin country, for example. This is a pricing table of a specific company that we saw. You can see here the differences in terms of price for different plans. Here you can see a demo dashboard that provides the IPRN owner facilities and functions for his account: showing his balance, looking at reports or billings, etc. Now, for hackers, that means a lot, because they see the IPRN as the last link in their modus operandi. And for this reason, companies find hackers an extremely relevant audience for their services. In Inj3ctor3 groups, we have seen many posts advertising IPRN programs that are sold by different companies. You can see some of them. This is a very common practice among SIP server attacks and specifically among our campaign perpetrators in Gaza and the West Bank. Knowing IPRN and its use, we can understand the modus operandi of the attacker. Now, this is a wide phenomenon, not relevant only to this specific campaign, but to any campaign of SIP hacking.

Initially, the attacker gets the IPs for scans. And you can scan the internet yourself, but there are sites that can provide you lists, even divided by countries, which is connected to the parameters we talked about before in terms of the IPRN. So using this list, the attacker can start scanning for vulnerable systems. And there are many relevant scanners, with the most popular one, as I mentioned, SIPvicious. All the details that can be obtained are extracted to a target list. And here you can see a target list with the SIP version, for example. Then begins the attempt to compromise the SIP servers. In our case, it was the script that we have seen on Pastebin exploiting the CVE that we talked about, but we realize there are plenty of other CVEs to attack SIP servers. And after exploiting a vulnerability, if it exists, the attacker can gain control of the system by uploading a webshell, for example. In our case, they could use it to make calls or run commands on the system. And finally, the link that connects all together and ties it all up: the IPRN. This is the way that attackers can convert these SIP calls to actual real money. And this is why it is extremely relevant for hacking groups and why we saw so many posts about it.

So before we sum it up, let's talk about the impact of this attack. So in a wider view, at least 1,200 organisations were targeted. There was not a particular industry that was targeted, although in terms of countries, we did see higher interest in the UK, the Netherlands and Belgium. On a more tactical level, compromising the SIP servers allows the attacker to make calls from the system, sell this as an infrastructure or use it as a part of the model that we talked about in the last slide. It allows the attackers to impersonate the company and sometimes even eavesdrop on calls and even use this whole infrastructure as resources for further attacks, kind of like a botnet.

So to sum it up, this is an ongoing campaign targeting SIP Asterisk servers. We talked about the relevant CVE, the infection vectors and the different flows of attack. We later examined the threat actors and understood that the campaign was orchestrated by actors in Gaza and the West Bank as we explored the different Inj3ctor groups. And lastly, we talked about the impact of this campaign and how the exploitation could lead to severe financial losses for the victims. So thanks for listening. We hope you enjoyed. Thank you.

Thanks guys. Thanks, Omer and Ido. Very, very interesting talk. Just a couple of questions that have come through. So one is: how prevalent are these attacks given the rise in IP based telephony providers and services? What do you guys see? What's going on in the industry?

So we see many scans on the internet. It is a very widely popular scan, the SIPvicious scan. And these attacks, I can say, they are on the rise. Many understand how they can use it for their own benefit. It's exciting to see because that's an interesting way of how you can exploit the system and use it in order to make money. It's a creative way.

Yeah, and the other question that came through was: what kind of defenses can companies deploy to protect against such compromises and attacks?

Well, the first of these obviously would be to keep your Asterisk servers, SIP servers, all of them updated. And for example, in the specific case of FreePBX, if you log into the admin panel of a vulnerable system, you will have a big red warning yelling at you to update the software to the latest version. So that's one. Second, obviously, there are various security products, I'm not gonna list any names, you can install on an enterprise level. Yeah. For IPS, so that's also an option. And finally, if you have a SIP system, monitor, or at least try to monitor, all of the calls. If you see a large volume of calls going to unknown numbers in countries you don't normally deal with, maybe you've been compromised, you need to look into it.

Very good. Thanks for your time today, guys. Very informative and hope to see you again next year. Enjoy the rest of the conference. Thank you. Thank you. Cheers, guys.
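The last defensive recommendation in the Q&A, monitoring outbound calls for bursts to countries the organisation does not normally deal with, can be turned into a small check over Asterisk call detail records. The following is an added example written for this page; it is not code from the talk, from Check Point or from the Asterisk project. It assumes the column order of Asterisk's cdr_csv Master.csv (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, ...), that international numbers are dialed with a leading "+" or "00", and uses a deliberately tiny, constructed country-code table and constructed sample CDR lines. The names HOME_COUNTRY, COUNTRY_CODES, dest_country, parse_cdr and flag_unusual_calls are this example's own.

```python
"""Flag bursts of answered outbound calls to unexpected countries in Asterisk CDR data."""
import csv
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: the PBX is in Ireland, and numbers dialed
# without "+" or "00" are domestic. COUNTRY_CODES is a constructed, partial
# E.164 table; a real deployment would load a complete one.
HOME_COUNTRY = "IE"
COUNTRY_CODES = {"1": "US", "31": "NL", "32": "BE", "44": "GB", "353": "IE", "64": "NZ"}


def dest_country(dst):
    """Map a dialed number to an ISO country code, or '??' if the prefix is unknown."""
    digits = "".join(ch for ch in dst if ch.isdigit())
    if dst.startswith("+"):
        intl = digits
    elif digits.startswith("00"):
        intl = digits[2:]
    else:
        return HOME_COUNTRY
    for width in (3, 2, 1):  # longest-prefix match
        code = COUNTRY_CODES.get(intl[:width])
        if code:
            return code
    return "??"


def parse_cdr(text):
    """Parse Master.csv-style lines into dicts with the fields the check needs."""
    records = []
    for row in csv.reader(text.strip().splitlines()):
        if len(row) < 15:
            continue  # skip malformed or truncated lines
        records.append({
            "src": row[1],
            "dst": row[2],
            "start": datetime.strptime(row[9], "%Y-%m-%d %H:%M:%S"),
            "billsec": int(row[13]),
            "disposition": row[14],
        })
    return records


def flag_unusual_calls(records, baseline, threshold=3):
    """Return one alert per (hour, country) with >= threshold answered calls
    to a country outside the baseline set. Unanswered calls are ignored because
    only connected calls cost money."""
    buckets = defaultdict(list)
    for r in records:
        if r["disposition"] != "ANSWERED":
            continue
        country = dest_country(r["dst"])
        if country in baseline:
            continue
        hour = r["start"].replace(minute=0, second=0, microsecond=0)
        buckets[(hour, country)].append(r)
    alerts = []
    for (hour, country), calls in sorted(buckets.items()):
        if len(calls) >= threshold:
            alerts.append({
                "hour": hour.strftime("%Y-%m-%d %H:00"),
                "country": country,
                "calls": len(calls),
                "extensions": sorted({c["src"] for c in calls}),
                "billsec": sum(c["billsec"] for c in calls),
            })
    return alerts


# Constructed sample: two normal daytime calls, then several extensions dialing
# the same foreign number late at night, which is the pattern the talk describes.
SAMPLE_CDR = """\
"","101","0035312345678","from-internal","Alice <101>","SIP/101-0001","SIP/trunk-0002","Dial","SIP/trunk/0035312345678","2021-03-02 10:05:11","2021-03-02 10:05:15","2021-03-02 10:09:40","269","265","ANSWERED","3","1614679511.1"
"","102","+442079460000","from-internal","Bob <102>","SIP/102-0003","SIP/trunk-0004","Dial","SIP/trunk/+442079460000","2021-03-02 10:12:02","2021-03-02 10:12:08","2021-03-02 10:14:00","118","112","ANSWERED","3","1614679922.2"
"","201","+6491234567","from-internal","<201>","SIP/201-0005","SIP/trunk-0006","Dial","SIP/trunk/+6491234567","2021-03-02 23:01:00","2021-03-02 23:01:04","2021-03-02 23:31:04","1804","1800","ANSWERED","3","1614726060.3"
"","202","+6491234567","from-internal","<202>","SIP/202-0007","SIP/trunk-0008","Dial","SIP/trunk/+6491234567","2021-03-02 23:02:00","2021-03-02 23:02:05","2021-03-02 23:32:05","1805","1800","ANSWERED","3","1614726120.4"
"","203","+6491234567","from-internal","<203>","SIP/203-0009","SIP/trunk-0010","Dial","SIP/trunk/+6491234567","2021-03-02 23:03:00","2021-03-02 23:03:04","2021-03-02 23:33:04","1804","1800","ANSWERED","3","1614726180.5"
"","204","+6491234567","from-internal","<204>","SIP/204-0011","SIP/trunk-0012","Dial","SIP/trunk/+6491234567","2021-03-02 23:04:00","","2021-03-02 23:04:30","30","0","NO ANSWER","3","1614726240.6"
"""

if __name__ == "__main__":
    for alert in flag_unusual_calls(parse_cdr(SAMPLE_CDR), baseline={"IE", "GB", "NL", "BE"}):
        print(alert)
```

The baseline set is the list of countries the business actually calls; anything outside it is counted per hour, and an alert names the extensions involved and the billable seconds, which is what an operator needs to see whether several extensions were driven to the same number in a short window. On a production box, point parse_cdr at /var/log/asterisk/cdr-csv/Master.csv (the default location for the cdr_csv module) and run it from cron.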