A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year, with the aim of profiting from the sale of compromised accounts.
While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining[1], or even using compromised systems as a stepping stone towards much more intrusive campaigns.
Detailed by cybersecurity researchers at Check Point[2], one hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting a known vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign.
Other countries where organisations fell victim to these attacks include the Netherlands, Belgium, the United States, Colombia and Germany.
The attacks exploit CVE-2019-19006[4], a critical vulnerability in Sangoma and Asterisk VoIP phone systems that allows outsiders to remotely gain access without any form of authentication. A security patch to fix the vulnerability was released last year, but many organisations have yet to apply it – and cyber criminals are taking advantage of this by scanning for unpatched systems[5].
"The vulnerability is an authentication bypass flaw, and the exploit is publicly available. Once exploited, the hackers have admin access to the VoIP system, which enables them to control its functions. This will not be detected unless an IT team is specifically looking for it," Derek Middlemiss, security evangelist at Check