Securing network infrastructure remains a paramount concern for businesses, particularly when it comes to VoIP and PBX systems. This blog post delves into recent security lapses in FreePBX systems, specifically a series of hacking incidents that rattled the community. We always aim to shed light on the vulnerabilities exploited, especially against the backdrop of growing cyber threats. Our exploration provides an insightful narrative for decision-makers seeking to fortify their communication systems in the face of relentless cyber challenges.
FreePBX Systems Were Hacked
A disturbing revelation unfolded as it came to light that a number of Crosstalk-hosted FreePBX systems had been breached. This nefarious activity first came under scrutiny around August, when the FreePBX firewalls on several systems were unexpectedly disabled within a short span of time.
A deeper probe into the matter revealed that the FreePBX firewalls on several systems had been disabled almost concurrently, within a brief time window. Given the firewall's pivotal role in system security, this irregularity set off alarm bells. However, new module updates had caused issues with the firewall in the past, so the event did not initially raise as much alarm as it might have.
However, the firewall went down once again, arousing suspicion among the administrators. This repeated occurrence hinted at a potential ongoing unauthorised intrusion.
Warnings of Authorized Key File Alterations
As the search for more thorough answers was underway, alerts began surfacing about modifications to the authorised key file on some machines, a grave red flag in the security realm.
While the PBX functionality stood unharmed, a malicious cron job on the affected servers was discovered, orchestrating activities like disabling the FreePBX firewall, deleting and adding users, and tampering with the authorised key file. This breach was part of a broader scheme to identify and exploit PHP files for unauthorised access.
Response and Recovery
It was confirmed that a breach did indeed occur.
The immediate response involved addressing the vulnerability and recovering the impacted servers from offsite FTP backups and server snapshots. The recovery was carried out seamlessly from the customer's perspective, with all affected customers kept informed throughout the process.
The importance of robust monitoring and continuous vigilance in upholding system security keeps growing. Though the immediate crisis was averted, the incident underscores the need for a proactive stance in anticipating and countering such security threats in the future.
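The three signs described above (the firewall dropping, an altered authorised key file, and a cron job that was never installed by an administrator) are all file-integrity drift, and that is what a monitoring job can catch early. The following is an added example written for this post, not code from Crosstalk or the FreePBX project: it keeps a SHA-256 baseline of the SSH authorized_keys file and the cron drop-in directory, reports which files drifted, lists any SSH key that is new relative to the baseline, and flags cron entries that touch SSH trust, user accounts or the firewall. The file contents, paths and the rogue cron entries are constructed sample data; the assumption that "authorised key file" means the SSH authorized_keys file, and the `fwconsole firewall stop` command in the sample, are this example's own, not stated by the post.

```python
"""Baseline-and-diff integrity check for SSH authorized_keys and cron entries.

Added example for a FreePBX host; paths and contents below are constructed.
"""
import hashlib
import re
from typing import Dict, List

# Token prefixes that start the key-type field of an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Cron entries a PBX administrator would want to review: anything that rewrites
# SSH trust, changes local accounts, or touches the firewall service.
SUSPICIOUS_CRON_PATTERNS = [
    re.compile(r"authorized_keys"),
    re.compile(r"\bfirewall\b"),
    re.compile(r"\b(useradd|userdel|adduser|deluser|usermod)\b"),
]


def fingerprint_files(files: Dict[str, str]) -> Dict[str, str]:
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content.encode("utf-8")).hexdigest()
            for path, content in files.items()}


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two fingerprint maps and return added, removed and modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def parse_authorized_keys(content: str) -> List[str]:
    """Return 'type base64' for each key line, skipping comments and leading options."""
    keys = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            # Options such as no-pty precede the key type; stop at the first type token.
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                keys.append(f"{tok} {tokens[i + 1]}")
                break
    return keys


def new_keys(baseline_content: str, current_content: str) -> List[str]:
    """Keys present now that were not in the baseline copy of the file."""
    known = set(parse_authorized_keys(baseline_content))
    return [k for k in parse_authorized_keys(current_content) if k not in known]


def flag_cron_entries(crontab: str) -> List[str]:
    """Non-comment cron lines matching any suspicious pattern."""
    flagged = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and any(p.search(line) for p in SUSPICIOUS_CRON_PATTERNS):
            flagged.append(line)
    return flagged


# Constructed sample: what the monitor recorded when the host was known-good ...
BASELINE_FILES = {
    "/root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3Nz_admin_key_CONSTRUCTED admin@pbx\n",
    "/etc/cron.d/logrotate-pbx": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
}
# ... and what it sees on a later run (extra key, extra cron file; both constructed).
CURRENT_FILES = {
    "/root/.ssh/authorized_keys": (
        "ssh-ed25519 AAAAC3Nz_admin_key_CONSTRUCTED admin@pbx\n"
        "no-pty ssh-rsa AAAAB3Nz_unknown_key_CONSTRUCTED\n"
    ),
    "/etc/cron.d/logrotate-pbx": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/cron.d/constructed-rogue": (
        "*/5 * * * * root /usr/sbin/fwconsole firewall stop\n"
        "*/10 * * * * root cp /tmp/keys /root/.ssh/authorized_keys\n"
    ),
}


def run_check(baseline_files: Dict[str, str], current_files: Dict[str, str]) -> Dict[str, object]:
    """Full pass: drift report, new SSH keys, and flagged cron lines for drifted files."""
    drift = diff_baseline(fingerprint_files(baseline_files), fingerprint_files(current_files))
    report: Dict[str, object] = {"drift": drift, "new_keys": [], "flagged_cron": []}
    for path in drift["modified"] + drift["added"]:
        if path.endswith("authorized_keys"):
            report["new_keys"] += new_keys(baseline_files.get(path, ""), current_files[path])
        elif "/cron" in path:
            report["flagged_cron"] += flag_cron_entries(current_files[path])
    return report


if __name__ == "__main__":
    for section, value in run_check(BASELINE_FILES, CURRENT_FILES).items():
        print(section, value)
```

On a real host the two dictionaries would be built by reading the files (the baseline written to a root-only location after a clean build, the current set read on every run), and a non-empty `new_keys` or `flagged_cron` result should page someone rather than just log, since the post's own timeline shows how a firewall outage that was written off as a module update turned out to be the first symptom.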
UK Government’s Cyber Security Guidance: Cyber security guidance for business – GOV.UK (www.gov.uk)
Cyber Essentials Certification: Getting Certified
National Cyber Security Centre: Guidance and Advice
FreePBX Community Forums: Categories – FreePBX Community Forums