Check Point: Hackers Exploiting Asterisk VoIP, Sangoma PBX Globally

Hackers have targeted Asterisk VoIP and Sangoma, which manages it, in a global campaign targeting a system vulnerability.

That’s according to new research by Check Point Software Technologies. Most of the hackers are in Gaza and the West Bank.

Asterisk VoIP is the world’s most popular VoIP phone system for businesses. Many Fortune 500 companies use it for their national and international telecommunications.

The attack exploits a critical vulnerability in Sangoma PBX. It grants the attacker administrator access to the system and gives them control over its functions.

The group’s main purpose is to sell targeted organizations’ phone numbers, call plans and live access to compromised VoIP services to the highest bidders. They can then exploit those services for their own purposes.

Impact on Organizations

Adi Ikan is Check Point‘s head of network cybersecurity research.

Check Point’s Adi Ikan

“By manipulating the VoIP system to conduct outgoing calls, organizations were exposed to pay extraordinary charges on their telephone expenses,” he said. “In addition, attackers can leverage this attack, creating further damage like shutting down VoIP services, and for utilizing system resources for purposes like cryptomining.”

A common practice associated with these attacks is known as international revenue share fraud (IRSF). Attackers can inflate traffic by calling the premium-rate numbers they own from the hacked VoIP phone system. The more traffic hits these premium-rate numbers, the more revenue their owners receive. This motivates attackers to look for ways to boost and inflate traffic volume in any way possible.

Although the attackers don’t target specific industries, they continuously scan and attack vulnerable SIP servers with the vulnerability.

The malicious hackers have targeted nearly 1,200 organizations globally over the past year. That includes 93 enterprises in the United States, 631 in Great Britain, 255 in the Netherlands, 171 in Belgium and 57 in Colombia. The hackers also have targeted enterprises in Germany, France, India, Italy, Canada, Australia and others.

“There are still attacks related to this campaign in the wild,” Ikan said. “And there is a significant increase in the past few months.”

Bad Actors Increasingly Focus on VoIP

This campaign is part of a global series of related attacks, and is a “very good example” of the wide phenomenon in which many hackers focus on exploiting VoIP servers for monetization, Ikan said.

“There are many groups on social media in which hackers share technical information on how to conduct such attacks, and advertise their services related to that,” he said.

Losses from global telecoms fraud exceeded $28 billion last year, according to the Communications Fraud Control Association (CFCA). VoIP PBX hacking is one of the top five fraud methods.

Organizations should ensure their VoIP systems are fully patched with the latest updates, Ikan said. Furthermore, they need to monitor their VoIP activity within their network.

“In addition, security products such as intrusion protection system (IPS) provide protections against such threats,” he said.