Asterisk: a targeted VOIPspionage campaign

Friday 4 October 12:00 - 12:30, Green room

Lotem Finkelstein (Check Point)
Oded Awaskar (Check Point)

Espionage attacks using cyber weapons are usually associated with the stealing of data and intellectual property. The attack that is the subject of this paper reminds us of a forgone espionage technique – wiretapping.

While most research labs nowadays are tuned to uncover info-stealing attacks, identified by a malware capable of exfiltrating sensitive data such as quarterly reports and credentials, we were able to uncover a threat actor who is after our business calls.

The attack targets Asterisk, one of the biggest pieces of open-source software that operates on PBX (Private Branch Exchange) servers. With 2M downloads per year, Asterisk is one of the most popular free VoIP PBX programs, used by industries and companies worldwide to manage and distribute internal phone extensions and calls between telecommunication endpoints.

The infection vector is a customized PHP WebShell, which is weaponized with new techniques targeting the Asterisk internal configuration files and databases - the same databases that hold all of the calls' metadata as well as the recordings of the calls.

And here is the dissonance: while a PHP WebShell is not the most sophisticated technique, and the victims' characteristics are largely civilian, wiretapping is something that is usually coupled with nation-state attacks.

In our presentation we will try to shed more light on the business model and the threat actor behind this attack. We will address the motive of the attacks, and the techniques used to make this attack a success. Of course, we will also share with the audience relevant TTPs and IoCs.




Lotem Finkelstein

Equipped with years of experience in the field of threat intelligence from his former role as a Major Officer in the Intelligence Forces of Israel, Lotem joined Check Point's Threat Intelligence and Research organization four years ago. While he was completing his B.Sc. degree in communication system engineering at Ben-Gurion University, Lotem took on several roles as a malware analyst and a team leader at Check Point. During 2018 Lotem took over the threat intelligence department at Check Point, focusing his efforts on pinpointing attacks and uncovering large-scale operations.




Oded Awaskar

Oded has been working in the network and information security industry for more than a decade. Over the years he has specialized in cybersecurity operations, managing SOC and security teams at both start-ups and large corporations. Apart from doing security, Oded also teaches security. He holds cybersecurity courses, for professionals as well as for children. To tell the truth, this is his real passion. Oded joined Check Point in 2018 and currently leads a team in the Intelligence Group.
