Cyber Incident Victim: US-based server owned by an engineering company in the oil, gas, and chemical industries
Date: Feb 2018
Location: United States of America
Summary
A hacking campaign targeted a US-based engineering firm serving the oil, gas, and chemical sectors by exploiting vulnerabilities in Asterisk FreePBX VoIP software. Attackers deployed a custom PHP web shell to gain remote control of the server, enabling unauthorized access to call metadata, recorded conversations, and the ability to spoof calls appearing legitimate. The compromise allowed extensive surveillance capabilities, including monitoring communication patterns and extracting sensitive audio data, while obscuring traces of specific malicious activities conducted through the compromised system.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The hacking campaign against Asterisk FreePBX VoIP systems began with reconnaissance between February and July 2018, when the attackers scanned more than 600 companies worldwide running this open-source telephony software. After a dormant period of several months, the operation resumed in 2019 with a focused attack on a U.S. engineering firm that provides services to the oil, gas, and chemical industries. The attackers compromised the company's Asterisk server by deploying a custom-built PHP web shell that exploited known vulnerabilities in the system. This intrusion granted remote control equivalent to physical access to the server's keyboard and mouse, enabling execution of arbitrary commands across the server's directories.

The attackers extracted call metadata detailing communication histories, timestamps, and participant information from the compromised systems. Where administrators had enabled call recording (a common practice for auditing), the attackers accessed and exfiltrated audio recordings of conversations. The web shell supported file uploads, downloads, and command execution, allowing comprehensive data collection. The attackers also used the compromised server to spoof calls that appeared legitimate by mimicking the numbers of authenticated users. Their operational security measures obscured which specific calls were spoofed or intercepted after the compromise. Check Point researchers disclosed their findings to Asterisk, noting that the vulnerabilities enabling the attack had been patched before the campaign was detected. The incident exposed sensitive communications data with potential espionage value given the victim's industrial sector affiliations.
