Recently discovered malware targets two specific Voice over IP (VoIP) software switches (softswitch) that if compromised could give cyber attackers access to a user’s private phone data, an ESET security report said.
The bug, dubbed CDRThief, invades China-made software switches Linknat VOS2009 and VOS3000, the Slovakia-based anti-virus and firewall provider said. Softswitches are software-based solutions that run on Linux servers and are central to a VoIP network for control, billing and management functions.
A compromised softswitch can enable the attacker to exfiltrate private data, including call detail records containing metadata such as caller and callee IP addresses, starting time and duration of the call, fees and other data, Anton Cherepanov, ESET senior malware researcher, said in a blog post. The malware queries internal MySQL databases used by the softswitch to steal the metadata, he said.
The malware can be deployed to any location on the disk under any file name, according to ESET. At this point, the security company's researchers do not know exactly how the malware is deployed onto compromised devices but figures that the hackers may gain access through a brute-force attack or by exploiting a vulnerability. While CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk, those functions could be introduced in a future version, Cherepanov said.
The identity of the malware authors is not yet known.
“We rarely see VoIP softswitches targeted by threat actors,” Cherepanov said. “It’s hard to know the ultimate goal of attackers who use this malware. However, since this malware exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud,” he said.