Business VOIP Phone Systems Are Being Hacked for Profit Worldwide. Is Yours Secure?

  • More than 1000 organisations worldwide have had their corporate phone systems hacked by cybercriminals
  • Attackers can eavesdrop on calls, as well as make money-making calls to premium-rate numbers

Security researchers have uncovered an organised gang of cybercriminals who are compromising the VOIP phone systems of over 1000 organisations worldwide.

Research published by Check Point has identified a malicious campaign that has targeted a critical vulnerability in the Sangoma PBX open-source GUI, used to manage installations of Asterisk – the world’s most popular VOIP phone system for businesses.

The vulnerability (known as CVE-2019-19006) can be exploited by an attacker to gain administrator rights over a compromised business phone system, which can be exploited in a variety of ways including making outgoing phone calls without the knowledge of the affected company.

According to researchers, one attack sees hackers earning substantial revenues by making unauthorised calls to premium-rate phone numbers that they may have themselves set up.

Hackers further monetise their compromise of business phone systems by selling phone numbers and access to other criminals. Indeed, private Facebook groups exists where the cybercriminals share information and tools that can assist in a hack.

According to the researchers, examination of the members of the Facebook groups reveal that most of the attackers appear to be based in Gaza, the West Bank and Egypt.

Worryingly, with unrestricted access to a company’s telephone system it is even possible for criminal hackers to eavesdrop on legitimate business calls, launch attacks on third-parties by posing as an employee of the compromised business, or spread their attack laterally further across the corporate network.

The researchers have identified 20 countries who have had corporations targeted by the VOIP phone hackers, with most located in the UK, the Netherlands, and Belgium and working in industries sectors such as government, finance, manufacturing, and the military.

Clearly businesses at risk of having their VOIP phone system exploited in this way need to take steps to better protect themselves.

Preventative measures can include such basic steps as ensuring that a strong password policy is in place, and that unique, strong passwords are used rather than weak or default alternatives.

It is also recommended that administrators analyse their bills carefully, looking for suspiciously high volumes of calls, or unusual call destinations, or at unusual times of the day, especially to premium-rate numbers.

And, it should go without saying, if there is a vulnerability in the software being used by your corporation roll out a patch as a matter of priority. This particular critical vulnerability was first detailed in November 2019, and a patch released for Sangoma PBX.