Linux Malware Targets VoIP Networks to Steal Metadata

A recently uncovered Linux malware variant dubbed “CDRThief” is targeting VoIP networks to steal phone metadata, such as IP addresses, according to an analysis from the security firm ESET.

The origins of CDRThief are unknown, but ESET suspects the malware may be designed for cyberespionage because it can sweep up phone call metadata.

The malicious code might also be used for a type of phone scam called International Revenue Share Fraud, which allows fraudsters to run up a huge phone bill for victims by making calls to premium numbers, according to the report. By taking over an organization’s phone network, hackers can place hundreds of calls to these premium numbers and take a cut of the profits, with one study noting these schemes can cost businesses up to $4 billion in yearly losses.

“It’s hard to know the ultimate goal of attackers who use this malware,” Anton Cherepanov, an ESET researcher, notes in the report. “However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud.”

Cherepanov says it’s difficult for researchers to determine if the ongoing CDRThief malware campaign is widespread. But most of the activity seems to be in Asia.

“Usually targeted [VoIP] devices don’t have any security software installed, so it’s hard to say how many compromised devices are out there,” Cherepanov tells Information Security Media Group.

How CDRThief Works

The malware targets VoIP softswitches that run on Linux-based servers, ESET reports. A softswitch is software central to telecom networks that connects calls from one phone line to another – either across the network or through the internet.

In this campaign, the malware is only targeting two types of VoIP softswitch platforms made by Chinese firm Linknat – VOS2009 and VOS3000.

It’s unclear how the malware initially infects these VoIP systems, but the attackers might use a brute-force attack or exploit vulnerabilities in the platforms developed by Linknat, according to the ESET report. “Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past,” Cherepanov notes.

Once inside the targeted network, CDRThief exfiltrates VoIP data by accessing the internal data stored in the network’s MySQL database, according to ESET.

The malware then reads credentials from the Linknat VOS2009 and VOS3000 configuration files and queries the MySQL databases used by the Linknat software to access the metadata, such as IP addresses of callers and recipients, starting time of the call, call duration and calling fees, the report notes.

Unlike other Linux malware, CDRThief is designed only to exfiltrate data; it does not support features such as shell command execution or exfiltration of specific files. This leads Cherepanov to believe the malware is still under development.

VoIP-Enabled Campaigns

Although malware campaigns attempting to steal VoIP data are relatively rare, attackers have been known to use advanced social engineering to enable espionage using VoIP data.

In 2016, an independent security researcher warned many VoIP devices built by Cisco and Snom could be easily exploited (see: VoIP Phones: Eavesdropping Alert).

In May 2019, Facebook warned users of its WhatsApp messaging app to immediately fix a buffer overflow vulnerability in its VoIP stack that was being used to remotely install surveillance software (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).

Source: BankInfoSecurity
