Security researchers at Check Point have discovered an ongoing cyber fraud operation led by hackers in Gaza, West Bank and Egypt, affecting over 1,200 organizations worldwide in the last 12 months. Using social media groups to share resources with each other, the hackers systematically attack the voice-over-IP (VoIP) phone system servers of target organizations for intrusive access. Once inside, the hackers then monetize that access by selling auto-generated calls and forcing systems to call premium numbers to collect fees.
VoIP is a technology that allows voice calls over a broadband Internet connection instead of a regular phone line. For example, calls made over WhatsApp use VoIP technology. In this research, the hackers “dial-up” profits after gaining access to a target organization's VoIP server. Check Point researcher Adi Ikan summarized the attack method in three steps:
- Hackers systematically scan for VoIP systems that can be vulnerable
- Hackers attack selected VoIP systems by exploiting various vulnerabilities
- Hackers monetize their access to the compromised systems by selling calls, which they can auto-generate, or by forcing the system to call premium numbers that the hackers own, to collect fees
Furthermore, the hackers sell phone numbers, call plans, and live access to compromised VoIP services from targeted organizations to the highest bidder, who can then exploit those services for their own purposes. In some cases, hackers eavesdropped on target organizations’ calls.
The hackers use social media to advertise their exploits, share hacking resources and educate others. On Facebook, the hackers created multiple private groups, in which they share technical information on how to conduct specific attacks, including step-by-step guides and tutorials.
Derek Middlemiss, Security Evangelist, EMEA at Check Point said: “This cyber fraud operation is a quick way to make large sums of money. More broadly, we’re seeing a widespread phenomenon of hackers using social media to scale the hacking and monetization of VoIP systems this year. Hackers are creating dedicated social media groups to share insights, technical know-how and advertise their conquests. This is how these hackers from Gaza, West Bank and Egypt were able to organize themselves to scale a global cyber fraud operation. I expect this phenomenon to continue into 2021. We strongly urge organizations everywhere that use VoIP systems to ensure they’ve implemented the latest patches. You’ll avoid some costly and unexpected payments.”
Check Point researchers began to notice suspicious activity relating to VoIP exploits via sensors in ThreatCloud, Check Point’s threat intelligence engine. Deeper investigation led to the discovery of a new campaign, which researchers named the ‘INJ3CTOR3 operation,’ targeting Sangoma PBX, an open-source web GUI that manages Asterisk. Asterisk is the world’s most popular VoIP phone system for businesses, used by many Fortune 500 companies for their national and international telecommunications. The attack exploits CVE-2019-19006, a critical vulnerability in Sangoma PBX, which grants the attacker admin access to the system, giving them control over its functions.
Check Point researchers documented numerous attack attempts worldwide in the first half of 2020 related to this flaw. Afterwards, researchers were able to expose the attack group’s entire attack flow, from the initial exploitation of the CVE-2019-19006 flaw, which grants administrator rights to the Sangoma VoIP phone system, to encoded uploads of PHP files that leverage the compromised system.
Organizations attacked per country
The top 5 countries with the most targeted organizations, in order, were the UK, Netherlands, Belgium, USA and Colombia. Industries targeted spanned government, military, insurance, finance and manufacturing, among others. Other countries with affected organizations were Germany, France, India, Italy, Brazil, Canada, Turkey, Australia, Russia, Switzerland, Czech Republic, Portugal, Denmark, Sweden and Mexico.
How organizations can stay protected
- Analyze call billings on a regular basis. Be aware of call destinations, volumes of traffic and suspicious call patterns – especially to premium-rate numbers
- Analyze international calling patterns and make sure destinations are recognized
- Maintain password policy and change all default passwords
- Look for call traffic made outside of regular business hours
- Cancel unnecessary or unused voicemail boxes
- Apply patches to close the CVE-2019-19006 vulnerability that hackers are exploiting
- Implement an Intrusion Prevention System that can detect or prevent attempts to exploit weaknesses in vulnerable systems or applications, protecting you in the race against the latest breaking threats
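As an added illustration of the billing checks listed above (example code, not part of Check Point's report), the following Python scans a constructed call detail record (CDR) export and flags calls to premium-rate destinations, calls to unrecognized countries, calls outside business hours, and bursts of calls from one extension to one prefix. The sample records, the premium and known-destination prefixes, the business hours and the burst threshold are all assumptions to tune to your own traffic.

```python
"""Flag suspicious PBX calls using the billing checks a VoIP fraud review relies on."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample CDR export (fictional extensions and numbers, not real data).
SAMPLE_CDR = """start,src,dst,duration_s
2020-06-03 10:12:44,2001,+442071234567,95
2020-06-03 02:41:09,2001,+8821612345678,610
2020-06-03 02:43:15,2001,+8821612345679,598
2020-06-03 02:45:31,2001,+8821612345680,601
2020-06-03 14:05:02,2014,+4930123456,240
2020-06-03 23:30:00,2007,+15551234567,30
"""

# Assumption: country-code prefixes this business normally calls.
KNOWN_DESTINATIONS = ("+44", "+1", "+31")
# Assumption: international premium-rate / satellite prefixes worth reviewing.
PREMIUM_PREFIXES = ("+882", "+883", "+979")
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00 to 18:59 local time
BURST_THRESHOLD = 3             # assumption: calls from one extension to one prefix


def flag_calls(cdr_text):
    """Return (reason, record) tuples for every CDR row that needs analyst review."""
    findings = []
    burst_counts = {}
    for row in csv.DictReader(StringIO(cdr_text)):
        started = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        dst = row["dst"]
        # Premium-rate numbers are the direct monetization channel for toll fraud.
        if dst.startswith(PREMIUM_PREFIXES):
            findings.append(("premium-rate destination", row))
        # Anything outside the destinations the business recognizes gets reviewed.
        elif not dst.startswith(KNOWN_DESTINATIONS):
            findings.append(("unrecognized international destination", row))
        # Auto-generated call traffic often runs when nobody is in the office.
        if started.hour not in BUSINESS_HOURS:
            findings.append(("outside business hours", row))
        # Repeated calls from one extension to one prefix suggest automation.
        key = (row["src"], dst[:4])
        burst_counts[key] = burst_counts.get(key, 0) + 1
        if burst_counts[key] == BURST_THRESHOLD:
            findings.append(("repeated calls to one prefix", row))
    return findings


if __name__ == "__main__":
    for reason, rec in flag_calls(SAMPLE_CDR):
        print(f"{rec['start']}  ext {rec['src']} -> {rec['dst']}: {reason}")
```

On the sample data the three night-time calls to the +882 prefix are flagged as premium-rate, after-hours and, on the third call, as a burst, which is the pattern the billing review is meant to surface.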