Asterisk: a targeted VOIPspionage campaign

Presented at VB2019, Oct. 4, 2019, noon (30 minutes).

Espionage attacks using cyber weapons are usually associated with the stealing of data and intellectual property. The attack that is the subject of this paper reminds us of a bygone espionage technique - wiretapping. While most research labs nowadays are tuned to uncover info-stealing attacks, identified by malware capable of exfiltrating sensitive data such as quarterly reports and credentials, we were able to uncover a threat actor who is after our business calls. The attack targets one of the biggest pieces of open-source software that operates on PBX (Private Branch Exchange) servers, called *Asterisk*. With 2M downloads per year, *Asterisk* is one of the most popular free VoIP PBX programs used by industries and companies worldwide to manage and distribute internal phone extensions and calls between telecommunication endpoints. The infection vector is a customized PHP WebShell, which is weaponized with new techniques targeting the *Asterisk* internal configuration files and databases - the same databases that hold all of the calls' metadata as well as the recordings of the calls.

And here is the dissonance: while a PHP WebShell is not the most sophisticated technique, and the victims' characteristics are largely civilian, wiretapping is something that is usually coupled with nation-state attacks. In our presentation we will try to shed more light on the business model and the threat actor behind this attack. We will address the motive of the attacks, and the techniques used to make this attack a success. Of course, we will also share with the audience relevant TTPs and IoCs.

### Related links

* [Virus Bulletin 2019: VoIP Espionage Campaign Hits U.S. Utilities Supplier](https://threatpost.com/voip-espionage-campaign-utilities-supplier/148916/) (*Threatpost*)
* [This mysterious hacking campaign snooped on a popular form of VoiP software](https://www.zdnet.com/article/this-mysterious-hacking-campaign-is-snooping-on-a-popular-form-of-voip-software/) (*ZDNet*)

Presenters:

  • Lotem Finkelstein - Check Point
    Equipped with years of experience in the field of threat intelligence from his former role as a Major Officer in the Intelligence Forces of Israel, Lotem joined Check Point's Threat Intelligence and Research organization four years ago. While he was completing his B.Sc. degree in communication system engineering at Ben-Gurion University, Lotem took on several roles as a malware analyst and a team leader at Check Point. During 2018 Lotem took over the threat intelligence department at Check Point, focusing his efforts on pinpointing attacks and uncovering large-scale operations. @Lotemfi
  • Oded Awaskar - Check Point
    Oded has been working in the network and information security industry for more than a decade. Over the years he has specialized in cybersecurity operations, managing SOC and security teams at both start-ups and large corporations. Apart from doing security, Oded also teaches security. He holds cybersecurity courses for professionals as well as for children. To tell the truth, this is his real passion. Oded joined Check Point in 2018 and currently leads a team in the Intelligence Group.
