Servers running Digium Phones VoIP software are getting backdoored

Researchers have reported that the open source Asterisk communication software is under attack by hackers who are able to take control of the machines by installing a web shell interface.

According to researchers from Palo Alto Networks, the hackers may have gained access to the on-premises server by exploiting a vulnerability. The critical remote code-execution flaw was discovered as a zero-day vulnerability late last year, when it was being exploited to execute malicious code on servers running fully updated versions of Rest Phone Applications, also known as restapps, which is a VoIP package sold by a company called Sang

The vulnerability affects the most widely used open source software for Internet-based Private Branch Exchange (PBX) systems. It carries a severity rating of 9.8 out of 10 and allows hackers to take complete control of the server.

Palo Alto Networks said that hackers are targeting the system used in the Digium phones. By sending specially crafted packets to the server, the threat actors can install web shells that give them a window to issue commands.


"As of this writing, we have seen more than half a million unique samples of this family over the course of the last two years," the researchers said. The web server's file system is implanted with multiple obfuscated PHP backdoors, which are downloaded for execution and which schedule recurring tasks to re-infect the host system. The malware tries to evade signature defenses by inserting a random junk string into every download.

The attacker infrastructure was still operational when the research post went live. There were at least two malicious parts in those parts.

Random junk comments are used to evade signature-based defenses. The shell is wrapped in a number of layers of obfuscation. The researchers believe that the hardcoded "MD5 authentication hash" that protects the shell is derived from the victim's public IPv4 address.
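Because each download carries different junk comments, a plain file hash never matches twice. The following added example (not code from the Palo Alto Networks report) shows a defender-side approach: strip PHP comments and whitespace before hashing, so variants of one loader collapse to a single fingerprint, and flag the functions that obfuscated loaders typically lean on. The PHP snippets are constructed samples, not real web shell code.

```python
import hashlib
import re

# Constructed samples: the same loader saved twice with different junk comments,
# plus a benign file for comparison. The base64 payload decodes to: echo 1;
SAMPLE_A = '<?php /* q8Zk2 */ eval(base64_decode("ZWNobyAxOw==")); // Lp09x\n'
SAMPLE_B = '<?php /* m3Tr7y */ eval(base64_decode("ZWNobyAxOw==")); // 4hhQ\n'
CLEAN = '<?php echo "hello"; // greeting\n'

# Heuristic comment stripper: block, line and hash-style comments.
# It does not understand strings, so a "//" inside a URL literal is also removed;
# acceptable for fingerprinting, since the same rule applies to every sample.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

# Functions commonly seen in obfuscated PHP loaders (assumed watchlist, not from the page).
SUSPICIOUS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(", "assert(")


def normalize(src: str) -> str:
    """Remove comments and collapse whitespace so junk insertions do not alter the hash."""
    stripped = COMMENT_RE.sub("", src)
    return re.sub(r"\s+", " ", stripped).strip()


def fingerprint(src: str) -> str:
    """SHA-256 over the normalized source: stable across junk-comment variants."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()


def indicators(src: str) -> list:
    """Return the suspicious function names present in the normalized source."""
    body = normalize(src).lower()
    return [name for name in SUSPICIOUS if name in body]


def cluster(files: dict) -> dict:
    """Group file paths by normalized fingerprint; clusters of size > 1 are variant sets."""
    groups: dict = {}
    for path, src in files.items():
        groups.setdefault(fingerprint(src), []).append(path)
    return groups


if __name__ == "__main__":
    samples = {"/var/www/a.php": SAMPLE_A, "/var/www/b.php": SAMPLE_B, "/var/www/ok.php": CLEAN}
    for fp, paths in cluster(samples).items():
        print(fp[:16], paths, indicators(samples[paths[0]]))
```

Raw hashes of the two samples differ, but their normalized fingerprints match, which is the property a signature or hunt query needs when junk is re-inserted on every download.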

The web shell accepts either of the values Elastic or Freepbx and then creates an administrator session.

Readers should consult the report, paying particular attention to the indicators of compromise, which can help determine whether a system is compromised.