VoIP Systems Being Exploited by Threat Actors

Researchers at Check Point discovered a hacking campaign that is compromising VoIP (Voice over Internet Protocol) systems made by Sangoma and Asterisk. Over the past year, nearly 1,200 companies around the world have been targeted. By exploiting CVE-2019-19006, attackers gain remote access to these systems without any form of authentication. Once the vulnerability is exploited, the attackers have access to the VoIP system and can control its functions. Often they use the compromised system to call premium-rate phone numbers they have set up themselves, earning money for every minute a call lasts. Because these systems legitimately place large volumes of calls, the fraudulent calls frequently go unnoticed, which makes it harder for organizations to identify a compromise. In other cases the access is sold to the highest bidder, who can use it for further attacks such as eavesdropping for extortion, crypto-mining, and in some cases as a gateway into the rest of the network.
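The toll-fraud pattern described above is usually easier to spot in call detail records than on the PBX itself. The following added example (not from the original post, nor from Check Point or the PBX vendors) scores constructed Asterisk-style CSV CDR lines for the signs such a campaign leaves: bursts of calls from one extension to high-cost international destinations, placed off-hours. The column order assumes Asterisk's default Master.csv layout, and the destination prefixes are a constructed watch list.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Assumed default Asterisk Master.csv column order (no header row).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid"]

# Constructed sample: one normal daytime call, then a 2 a.m. burst from
# extension 1001 to international numbers dialed with the 011 exit code.
SAMPLE_CDR = """\
"","1001","2125551212","from-internal","","SIP/1001-0001","","Dial","","2020-11-06 10:15:02","2020-11-06 10:15:05","2020-11-06 10:21:40","398","395","ANSWERED","3","1604657702.1"
"","1001","011252612345678","from-internal","","SIP/1001-0002","","Dial","","2020-11-07 02:10:01","2020-11-07 02:10:04","2020-11-07 02:40:04","1803","1800","ANSWERED","3","1604715001.2"
"","1001","011252612345679","from-internal","","SIP/1001-0003","","Dial","","2020-11-07 02:10:30","2020-11-07 02:10:33","2020-11-07 02:40:33","1803","1800","ANSWERED","3","1604715030.3"
"","1001","011252612345680","from-internal","","SIP/1001-0004","","Dial","","2020-11-07 02:11:00","2020-11-07 02:11:03","2020-11-07 02:41:03","1803","1800","ANSWERED","3","1604715060.4"
"""

# Constructed watch list: dialed prefixes the organisation never calls (tune per site).
HIGH_COST_PREFIXES = ("011252", "011232", "011881")
OFF_HOURS = range(0, 6)  # 00:00-05:59 local time

def parse_cdrs(text):
    """Turn raw Master.csv text into a list of dicts keyed by CDR_FIELDS."""
    return [dict(zip(CDR_FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def flag_toll_fraud(text, burst_calls=3, window_sec=300):
    """Return {src_extension: [reasons]} for extensions whose calls look like toll fraud."""
    by_src = defaultdict(list)
    for rec in parse_cdrs(text):
        by_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        reasons = set()
        suspicious = [r for r in recs if r["dst"].startswith(HIGH_COST_PREFIXES)]
        for r in suspicious:
            reasons.add("high_cost_destination")
            if datetime.fromisoformat(r["start"]).hour in OFF_HOURS:
                reasons.add("off_hours")
        # Burst: burst_calls suspicious calls starting within window_sec of each other.
        starts = sorted(datetime.fromisoformat(r["start"]) for r in suspicious)
        for i in range(len(starts) - burst_calls + 1):
            if (starts[i + burst_calls - 1] - starts[i]).total_seconds() <= window_sec:
                reasons.add("burst")
                break
        if reasons:
            findings[src] = sorted(reasons)
    return findings
```

Run against real Master.csv exports, the same function highlights which extension to investigate first; a single flagged call is a prompt to check, a burst is a prompt to block the trunk.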

Analyst Notes

A patch for this vulnerability was made available in 2019, and exploit code has been publicly available to criminals for quite some time. Anyone running these VoIP systems should confirm that they have been updated and are no longer vulnerable. This attack shows that even months after a vulnerability and its patch are released, attackers still look for organizations that did not apply the patch, and they often find them. It is critical to update systems as soon as possible, because updates usually include fixes for security issues. Priority should go to patches for any vulnerability that allows unauthenticated remote code execution, especially when exploit code or a “proof of concept” has been posted on criminal forums or freely distributed online. Such vulnerabilities should be mitigated by blocking access immediately and then patched without delay, even on holidays and weekends.