Compromised VoIP Phones: New Path to Intrusion

Security researchers at the Microsoft Threat Intelligence Center disclosed that they discovered infrastructure belonging to a known cyber adversary that used popular office IoT devices, such as Voice over Internet Protocol (VoIP) phones, as a new path to gain initial access to corporate networks.

Researchers at the Microsoft Threat Intelligence Center (MSTIC) reported that in April this year, the threat group known as “STRONTIUM” compromised three popular office IoT devices, a VoIP phone, an office printer and a video decoder, across multiple customer locations to gain initial access to corporate networks. The researchers found that these IoT devices were compromised either because the latest security update hadn’t been applied or because the manufacturer’s default login details hadn’t been changed.

Once the threat group gained initial access to the corporate network via these compromised devices, the researchers reported that a network scan was conducted to look for other insecure devices. The report added that as the threat group moved from one insecure device to another, a simple shell script was dropped to establish persistence on the network, enabling the attacker to continue hunting across the network in search of higher-privileged accounts that would grant access to critical data.

Analysis of network traffic from these compromised devices showed that they were also communicating with external command and control (C2) infrastructure, meaning a server, website or public cloud account that attackers use to maintain communications with the compromised devices.

The latest discovery that popular office IoT devices, including VoIP phones, office printers and video decoders, are being used as points of ingress to gain initial access to corporate networks adds to the growing list of office IoT devices that are compromised for malicious activities.

According to Microsoft, over the last twelve months the company had delivered nearly 1,400 notifications to those who had been targeted or compromised by STRONTIUM. Microsoft reported that 20% of the STRONTIUM attacks were directed against non-governmental organizations, think tanks, or politically affiliated organizations worldwide. The remaining 80% of STRONTIUM attacks, meanwhile, were directed against organizations in the following sectors: IT, education, government, military, defence, medicine and engineering.

The VPNFilter malware has also been attributed to STRONTIUM, also known as APT28 or Fancy Bear, by the U.S. Federal Bureau of Investigation (FBI).

VPNFilter Malware

In May 2018, researchers at Cisco estimated that at least 500,000 IoT devices in at least 54 countries had been infected with the VPNFilter malicious software (malware).

The devices known to be affected by VPNFilter are NETGEAR, MikroTik, Linksys and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. Researchers at Cisco reported that the VPNFilter malware includes capabilities for monitoring Modbus SCADA protocol traffic and stealing website credentials.

Infected IoT devices are often used as a botnet, meaning a group of devices infected with the same malware and controlled by an attacker or attackers for malicious activities. VPNFilter, in particular, has a self-destruct capability. According to Cisco researchers, this self-destruct capability can be triggered en masse, that is, on all compromised devices at once, which could cut off internet access for hundreds of thousands of victims worldwide.

According to Cisco researchers, while they’re unsure exactly how hundreds of thousands of IoT devices were infected by the VPNFilter malware, most of the devices targeted have known public exploits and are known to use default login details, making compromise relatively easy.

Mirai Malware Variants

The different variants of the Mirai malware are another threat to office IoT devices. The earliest version of the Mirai malware compromised wireless cameras and routers and turned these compromised IoT devices into a botnet to perform distributed denial-of-service (DDoS) attacks.

Mirai is infamous for enslaving hundreds of thousands of wireless cameras and routers and controlling them as a botnet to attack Dyn, a major dynamic DNS provider. The DDoS attack on Dyn in 2016 resulted in widespread internet outages across Europe and the U.S.

The original Mirai malware infected hundreds of thousands of wireless cameras and routers by exploiting the habit of IoT owners of not changing the default login details. The original Mirai, in particular, used a list of 61 factory default login details to infect IoT devices.

In January 2019, researchers at Palo Alto Networks discovered that a variant of the Mirai malware targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs. Like the original Mirai malware, this Mirai variant exploited default login details. The researchers at Palo Alto Networks said that by targeting IoT devices used by businesses, malicious actors get access to larger bandwidth, giving greater firepower for malicious activities such as botnet-driven DDoS attacks.

Cybersecurity Best Practices

Malicious actors are looking to exploit smaller and simpler devices to further their malicious activities, as shown by the recent compromise of office IoT devices such as VoIP phones and by the compromise of other office IoT devices via the VPNFilter malware and the Mirai malware variants.

In order to protect your organization’s IoT devices from being used as a pathway for intrusion into your organization’s network, or from being exploited as botnets for malicious activities such as DDoS attacks, it’s important to follow these basic cybersecurity practices: change the default login details of IoT devices and install the latest security updates. If feasible, it’s also recommended to place IoT devices on a separate network, which also makes it far easier to spot a phone or printer that starts talking to the internet or scanning internal hosts, the two behaviours described in the STRONTIUM report above.
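The separate-network advice pays off in detection as well as containment: once phones, printers and decoders live on their own segment, the two behaviours the STRONTIUM report describes (a device reaching out to external C2 and a device scanning the rest of the network) stand out in ordinary flow logs. The following script is an added example, not code from the article or from Microsoft; it assumes a hypothetical IoT segment of 10.50.0.0/24, flow records available as (src_ip, dst_ip, dst_port) tuples, and constructed sample addresses throughout.

```python
import ipaddress
from collections import defaultdict

# Assumption: IoT devices sit on a dedicated segment (hypothetical 10.50.0.0/24).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# "Internal" means the RFC 1918 ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (src_ip, dst_ip, dst_port); 203.0.113.0/24 is a
# documentation range standing in for an unknown external host.
SAMPLE_FLOWS = [
    ("10.50.0.12", "10.10.1.5", 5060),    # VoIP phone -> internal SIP server (expected)
    ("10.50.0.12", "203.0.113.45", 443),  # VoIP phone -> external host (possible C2)
    ("10.50.0.12", "203.0.113.45", 443),
    ("10.50.0.30", "10.10.2.1", 22),      # printer touching many internal hosts
    ("10.50.0.30", "10.10.2.2", 22),
    ("10.50.0.30", "10.10.2.3", 23),
    ("10.50.0.30", "10.10.2.4", 445),
    ("10.50.0.30", "10.10.2.5", 22),
    ("10.10.1.5", "203.0.113.45", 443),   # server outside the IoT segment: ignored here
]

def is_external(ip):
    """True when the address is outside every RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_external_peers(flows, iot_segment=IOT_SEGMENT, allowed=frozenset()):
    """Map each IoT device to the external (dst, port) pairs it contacted, minus an
    allow-list of known peers such as vendor update servers. A phone or printer
    should have a short, known list of external peers; anything else is a
    candidate C2 channel worth a look."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if (ipaddress.ip_address(src) in iot_segment and is_external(dst)
                and dst not in allowed):
            peers[src].add((dst, port))
    return dict(peers)

def flag_internal_scans(flows, iot_segment=IOT_SEGMENT, host_threshold=5):
    """Map IoT devices to the number of distinct internal hosts they contacted,
    keeping only those at or above host_threshold: an IoT device fanning out
    across the LAN looks like the scanning described in the report."""
    targets = defaultdict(set)
    for src, dst, _ in flows:
        if ipaddress.ip_address(src) in iot_segment and not is_external(dst):
            targets[src].add(dst)
    return {src: len(h) for src, h in targets.items() if len(h) >= host_threshold}

if __name__ == "__main__":
    print("external peers:", flag_external_peers(SAMPLE_FLOWS))
    print("scan-like devices:", flag_internal_scans(SAMPLE_FLOWS))
```

On the sample data the phone is reported for its external peer and the printer for touching five internal hosts; the allow-list and threshold are the knobs to tune against a real baseline of what each device class normally talks to.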
