Hello and welcome to the Thursday, September 29th, 2020 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from, well, somewhat rainy and windy Jacksonville, Florida. Usually when we talk about miscreants distributing malware or attacking systems, well, we often talk

about compromised systems, servers that are used to host malware or serve as an attack platform,

or in some cases just a proxy. But these days, there's another resource that may even be

more valuable, a legitimate phone number.

Telcos and the U.S. federal government are working on ways to make it better to block some of these spam and malicious calls and messages you receive on your phone.

But for an attacker, the best way to bypass all of this is if they can get a hold

of a phone number that has some history that is known as non-malicious. Similar to attackers,

hijacking sometimes these small business websites and such. It have been around forever,

have been unremarkable, but that's

part of it. They have no malicious history. So in the last year, so we have documented a number

of ways how attackers acquire access to phone numbers, for example, looking for environment

variables that hold credentials to services like Twilio, for example,

or sometimes just brute forcing credentials for a voice over IP PBX. Today I noticed another method

built around a very old flaw in V-Tiger. It's an open source customer relationship management

system.

The flaw is 10 years old.

I think it has been patched.

At least, V-Tiger has been updated a few times since then and appears to be actively maintained.

But appears that this flaw is still interesting enough to use.

And it's a simple directory traversal attack and being used in order to steal asterisk configuration files. Customer relationship management systems often sort of interface

with voice over IP, ppxs. So that's probably why they're expecting these asterisk configuration files on the same

server.

...