{
	"id": "3037a61f-b567-4c8a-898c-99d6f77a45df",
	"created_at": "2026-04-06T00:18:27.495376Z",
	"updated_at": "2026-04-10T03:28:44.666584Z",
	"deleted_at": null,
	"sha1_hash": "42b4ed56ad29549f3cbc422b554c14860721caa8",
	"title": "INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95815,
	"plain_text": "INJ3CTOR3 Operation – Leveraging Asterisk Servers for\r\nMonetization - Check Point Research\r\nBy Ori Hamama\r\nPublished: 2020-11-05 · Archived: 2026-04-05 16:41:54 UTC\r\nResearch by: Ido Solomon, Ori Hamama and Omer Ventura, Network Research\r\nIntro\r\nRecently, Check Point Research encountered a series of worldwide attacks relevant to VoIP, specifically to Session\r\nInitiation Protocol (SIP) servers. Based on information provided by our global sensors, there appears to be a\r\nsystematic exploitation pattern of SIP servers from different manufacturers. Further exploration revealed that this is\r\npart of a large, profitable business model run by hackers.\r\nHacking SIP servers and gaining control allows hackers to abuse them in several ways. One of the more complex\r\nand interesting ways is abusing the servers to make outgoing phone calls, which are also used to generate profits.\r\nMaking calls is a legitimate feature, which makes it hard to detect when a server has been exploited.\r\nDuring our research, we discovered a new campaign targeting Sangoma PBX (an open-source web GUI that\r\nmanages Asterisk). Asterisk is the world’s most popular VoIP PBX system, and it is used by many Fortune 500\r\ncompanies for telecommunications. The attack exploits CVE-2019-19006, a critical vulnerability in Sangoma,\r\ngranting the attacker admin access to the system.\r\nDuring the first half of 2020, we observed numerous attack attempts on sensors worldwide. We exposed the\r\nattacker’s entire attack flow, from the initial exploitation of CVE-2019-19006 to uploading encoded PHP files that\r\nleverage the compromised system.\r\nIn this article, we first examine the infection vector used by the attacker, as well as the vulnerability exploited. We\r\nthen investigate the threat actors behind the specific campaign. 
Lastly, we explain their modus operandi.\r\nFigure 1: Inj3ct0r’s attack flow.\r\nInfection Vector\r\nAs mentioned in the Introduction, the campaign starts with scanning, continues with exploiting the vulnerability,\r\nand proceeds all the way to web shell installation. Gaining access to the systems allows the hackers to abuse the\r\nservers for their own purposes. CVE-2019-19006 is an Authentication Bypass vulnerability published in\r\nNovember 2019. Check Point Research was able to deduce the vulnerability by examining both the captured\r\nattack traffic and Sangoma’s GitHub repository for FreePBX Framework.\r\nFigure 2: Relevant commits in the FreePBX GitHub repository.\r\nhttps://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/\r\nPage 1 of 14\n\nIn vulnerable versions of Sangoma FreePBX, the authentication function works by first setting a session for the\r\nsupplied username, and then removing the session if the supplied password does not match the one stored in the\r\ndatabase. Additionally, FreePBX does not perform input sanitization on the password parameter during the login\r\nprocess. By sending the password query parameter as an array element, attackers can cause the authentication\r\nfunction to fail before the session is unset, thereby retaining a legitimate session for the chosen username, admin\r\nincluded.\r\nFigure 3: CVE-2019-19006 Proof of Concept.\r\nIssuing the above request to a vulnerable FreePBX server allows the attackers to log in as the admin user. The\r\nvalue of ‘password’ does not matter, as the vulnerability depends on sending the parameter as an array element,\r\n‘password[0]’.\r\nAttack Flows\r\nThe attack begins with SIPVicious, a popular tool suite for auditing SIP-based VoIP systems. 
The attacker uses the\r\nsvmap module to scan the internet for SIP systems running vulnerable FreePBX versions. Once found, the attacker\r\nexploits CVE-2019-19006, gaining admin access to the system.\r\nFigure 4: The attacker exploits CVE-2019-19006.\r\nAfter bypassing the authentication step, the attacker uses the asterisk-cli module to execute a command on the\r\ncompromised system and uploads a basic PHP web shell encoded in base64.\r\nFigure 5: The attacker uploads the initial web shell. The Referer header points to a previous web shell version that\r\ndoes not exist on the server.\r\nFigure 6: The attacker’s initial web shell.\r\nAt this point, the attack diverges into two separate flows.\r\nFirst Flow\r\nFigure 7: The first attack flow.\r\nIn the first flow, the initial web shell is used to retrieve the contents of Asterisk management files\r\n/etc/amportal.conf and /etc/asterisk/sip_additional.conf. These contain the credentials to the FreePBX system’s\r\ndatabase and passwords for the various SIP extensions. This effectively gives the attackers access to the entire\r\nsystem and the ability to make calls out of every extension. Using the compromised Asterisk system, they then\r\niterate over various prefixes for outgoing calls and try to call a specific phone number, possibly one of their own,\r\nin order to see which prefix they can use.\r\nFigure 8: The attacker’s call routine.\r\nNext, the attackers use the web shell to download a base64-encoded PHP file from Pastebin. This file is padded\r\nwith garbage comments that, when decoded, result in a password-protected web shell, which is also capable of\r\nretrieving the credentials to the Asterisk Internal Database and REST Interface. 
The attackers also attempt to\r\nremove any previous versions of their files.\r\nFigure 9: Password protection in the web shell.\r\nSecond Flow\r\nFigure 10: The second attack flow.\r\nThe second flow also uses the initial web shell to download a base64-encoded PHP file. Decoding this file results\r\nin another web shell that is not only password-protected, but also employs access control in the form of source IP\r\nvalidation and returns a fake HTTP 403 Forbidden message to unauthorized users.\r\nFigure 11: Password protection and IP access control in the web shell.\r\nThe attackers then use the new web shell to perform the following actions:\r\n1. Download and save a PHP file as ‘/tmp/k’ which in turn drops ‘/var/www/html/admin/views/config.php’ to\r\nthe disk. This is another base64-encoded PHP file, again padded with subordinate comments. When\r\ndecoded, it is a password-protected web panel. This panel lets the attackers place calls using the\r\ncompromised system with both FreePBX and Elastix support, as well as run arbitrary and hard-coded\r\ncommands.\r\nFigure 12: The attacker’s web panel.\r\nThe file also appends data to ‘/var/www/html/admin/views/.htaccess’ which allows access to config.php\r\nfrom other URIs, e.g. ’\u003cserver-url\u003e/config’ instead of ’\u003cserver-url\u003e/admin/views/config.php’.\r\nFigure 13: Data appended to .htaccess.\r\n2. Update FreePBX Framework, possibly to patch CVE-2019-19006.\r\n3. Download a shell script from ‘http://45[.]143.220.116/emo1.sh’.\r\nThe URL returns an HTTP 404 Not Found error, and so its purpose is currently unknown.\r\n4. 
Create a new directory at ‘/var/www/html/freeppx’ and move all files used in the attacks there.\r\nThreat Actor\r\nOur global sensors helped us obtain unique strings during the exploitation of CVE-2019-19006. When we\r\nsearched for some of these strings, such as “rr.php” and “yokyok” (first seen in Figures 5 and 6), we found a script\r\nposted online to Pastebin.\r\nFigure 14: The first lines of the script uploaded by the user INJ3CTOR3. The exploit payload and\r\nthe initial web shell match the attacks detected by our sensors.\r\nThe script contains the initial web shell upload and exploits the same vulnerability. Its uploader, “INJ3CTOR3”,\r\nhas uploaded additional files in the past, including authentication logs and a brute-force script. In addition, we\r\nfound that this name appears in public sources in connection with an old SIP Remote Code Execution vulnerability\r\n(CVE-2014-7235).\r\nPerhaps purposely, the threat actor left a “calling card” using the name “inje3t0r3-seraj”, which appears to be a\r\nvariation of the Pastebin script uploader’s name. The string was set as the value of the password parameter in the\r\nmalicious request sent to the Asterisk servers. As mentioned above, the value of ‘password’ does not matter.\r\nFigure 15: “Inj3ct0r3-Seraj” sent as part of the exploitation of CVE-2019-19006.\r\nThrough further investigation, the names eventually led to multiple private Facebook groups that deal with VoIP,\r\nand more specifically, SIP server exploitation. The “voip__sip__inje3t0r3_seraj” group is the most active one,\r\nsharing admins with different relevant groups, including an admin named “injctor-seraj-rean”.\r\nFigure 16: Many admins are active in multiple groups.\r\nThe group shares a number of tools related to SIP server exploitation: scanners, authentication bypass, and remote\r\ncode execution scripts. 
Among these scripts, we found a variant of the brute-force script seen in the Pastebin of\r\nINJ3CTOR3.\r\nThe group’s main purpose is to sell phone numbers, call plans, and live access to VoIP services compromised as\r\npart of the Inj3ct0r attacks.\r\nThe Wide Phenomenon\r\nExamining the content, users and different posts published in the previously mentioned Facebook groups\r\nexpanded our research. The different leads collected in the social networks led us to the conclusion that SIP\r\nattacks are quite common, particularly in the Middle East. Closely examining the profiles of the admins, active\r\nusers, and carriers seen in the different groups, we found that most of them were from Gaza, the West Bank and\r\nEgypt.\r\nWe found several relevant players in the field who have published sales posts, tools and websites. Gathering more\r\ninformation about the groups they manage and relevant rooms and channels they own led us to additional\r\ndiscoveries.\r\nThe initial findings were tutorials on how to scan, gather information on the relevant servers, and use exploitation\r\nscripts. The instructions simplify the process to a level where anyone can do it. Perhaps as a result, there seems to\r\nbe a large and growing community involved in hacking VoIP services.\r\nAlthough this can explain the infection chain, there is still a question about motivation. A further analysis led not\r\nonly to the surprise that the attacks on SIP servers occur on a larger scale than initially thought, but also that there\r\nis a profound underlying economic model:\r\nFigure 17: The modus operandi of the SIP hackers.\r\nThe flow chain above explains the operation model in generalized terms. However, this does not mean that all the\r\nattackers use the same tools and vulnerabilities. 
For instance, not all stages must be performed for an attacker to\r\ngain control of a compromised SIP server.\r\nRelevant IP Ranges\r\nThe very beginning of the process is when a hacker creates a list of relevant IPs per country that are currently\r\n“up.” This not only narrows the scope of the scans performed in a later stage, but also helps home in on the\r\ndifferent countries in which the hacker is interested.\r\nFigure 18: Hackers generate lists of relevant IPs per country.\r\nThis step can usually be omitted by using smarter scanning techniques or knowledge sharing between different\r\ngroups.\r\nScans and targets list\r\nAfter the initial lists are created, the scanning stage begins. Various relevant scanners are available for this task,\r\nwith the most common one being “SIPvicious.” The hackers obtain information relevant to the scanned devices,\r\nsuch as versions, that will be used in later stages. During further analysis of the different conversations, we\r\nobserved the exchange of such IP lists and scanning scripts in different forums that discuss SIP hacking.\r\nFigure 19: SIP hacking group. Tools, such as the scanner seen above, are published among the\r\ngroup’s members. Most of the group’s members seem to be Arabic speakers.\r\nFigure 20: IP list scanned by a hacker as presented in a hacking tutorial published in the Telegram\r\ngroup. The FPBX GUI is seen in the background.\r\nAttempting to compromise SIP servers and gaining control\r\nBased on information gathered in previous stages, hackers try to exploit relevant vulnerabilities to gain control of\r\nthe servers. 
In case of missing information, or unsuccessfully bypassing system protections, the hackers may\r\nresort to brute force.\r\nAdditional vulnerabilities relevant to VoIP, besides the one used in the INJ3CTOR3 campaign (CVE-2019-19006),\r\nwere found referenced in different conversations. Moreover, members share knowledge of username and\r\npassword lists, with relevant tools for hacking the systems.\r\nIf hackers successfully gain control of the system – by exploiting vulnerabilities, brute-forcing their way in or using\r\ninformation given to them – the next goal is gaining persistence on the system. This can be achieved by uploading web\r\nshells to continue communicating with the system. In the INJ3CTOR3 campaign, we saw a few web shells used in\r\nseveral different steps, for different functionalities.\r\nUsing the servers for profit\r\nFinally, after gaining a foothold on the exploited servers, the attacker can then make calls to any desired numbers.\r\nA possible common usage is using the exploited servers to make calls to International Premium Rate Numbers\r\n(IPRN).\r\nWhen an IPRN is called, the caller pays the owner of the IPRN per minute, the amount of which depends on\r\nthe caller’s origin country. There are companies that provide a range of IPRN numbers in different plans.\r\nFigure 21: An example of the rates table taken from a demo service. This includes the prices, the\r\nrelevant country and relevant test numbers.\r\nWith enough traffic, this model can provide sufficient profit to cover the IPRN costs. For that reason, IPRN\r\nservices are often used in businesses that put callers on hold, or have many clients (i.e. premium content calls).\r\nThe longer the clients stay on the line, the more money the company owning the IPRN receives.\r\nFigure 22: A premium number demo-dashboard. 
Statistics, earnings and information per each of the numbers are\r\nseen in the interface.\r\nFor these reasons, hackers seem to be focused on IPRN programs. Using IPRN programs not only allows the\r\nhacker to make calls but also to abuse the SIP servers to generate profits. The more servers exploited, the more calls\r\nto the IPRN can be made.\r\nIn other words, hackers are a relevant market for IPRN plans. Thus, many posts on IPRN\r\nsales can be seen on these forums and pages. We encountered many such posts by several different IPRN\r\nproviders:\r\nFigure 23: Two of many posts that sell IPRN in different\r\nAttack Impact\r\nAs mentioned previously, the attackers’ end goal is to sell outgoing calls from the compromised systems, as well\r\nas access to the systems themselves.\r\nUnrestricted access to a company’s telephone system can allow the attackers and their customers to make calls\r\nusing the compromised company’s resources and eavesdrop on legitimate calls. They can also use the\r\ncompromised systems for further attacks, such as using the system resources for cryptomining, spreading laterally\r\nacross the company network, or launching attacks on outside targets while masquerading as the compromised\r\ncompany.\r\nConclusion\r\nThe campaign at hand utilizes an easily exploitable vulnerability to compromise Asterisk SIP servers around the\r\nworld. In-depth details regarding the vulnerability were never publicly released, yet the threat actors behind the\r\nattack managed to weaponize and abuse it for their own gain. As our research shows, the threat actors, who are\r\nlocated in the Palestinian Gaza Strip, share and sell their scripts. 
This is a phenomenon of an established operation\r\nthat sets up the attacks, finds the targets, and initiates the traffic to premium rate service numbers in order to inflate\r\ntraffic and gain revenue. It’s not too far-fetched to assume that different attackers might use those scripts to launch\r\ntheir own attacks against Asterisk servers in the future.\r\nThis attack on Asterisk servers is also unusual in that the threat actors’ goal is not only to sell access to\r\ncompromised systems, but also to use the systems’ infrastructure to generate profits. The concept of IPRN allows a\r\ndirect link between making phone calls and making money. This means that further attacks can be launched from\r\nthese systems.\r\nProtections\r\nCheck Point customers are protected by these IPS protections:\r\nSIPVicious Security Scanner\r\nSangoma FreePBX Authentication Bypass (CVE-2019-19006)\r\nCommand Injection Over HTTP\r\nCommand Injection Over HTTP Payload\r\nIOCs\r\nFiles:\r\necc5a8b0192995673bb2c471074a3326bbeba431e189654c90afaddf570fb514\r\n8068cf1011f8668f741e2ec61676fa9ce6a23e62ee5b3bdf014540cff06b1ebe\r\nd8ab22ceab199512aaada36af245d6621208d887ae0b6510fa198d6075777043\r\nc3b805ffe6c988db4c8843625ab2f40cb5196935e727db658b68408b7965de59\r\n7c6cf2e4badbc3d4d29f4e6ed118a77d5f6e0f819244ad25b760329f25f20dd1\r\nf1060a686155fbbe7274073c557c24648cdf30a3f3ef2cbb184ccfc41d99fd3b\r\nHosts:\r\n5[.]133.27.47\r\n37[.]61.220.243\r\n40[.]85.249.243\r\n45[.]143.220.115\r\n45[.]143.220.116\r\n46[.]161.55.107\r\n62[.]112.8.162\r\n77[.]247.110.91\r\n80[.]68.56.82\r\n84[.]111.36.159\r\n92[.]42.107.139\r\n134[.]119.213.127\r\n134[.]119.213.195\r\n134[.]119.214.141\r\n134[.]119.218.49\r\n151[.]106.13.150\r\n151[.]106.13.154\r\n151[.]106.13.158\r\n151[.]106.17.146\r\n156[.]95.156.75\r\n156[.]96.59.63\r\n185[.]53.88.198\r\n185[.]132.248.54\r\n212[.]83.189.43\r\nReferences\r\nhttps://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass\r\nhttps://github.com/FreePBX/framework/commit/4e4675d9a8c0cb5ff8891aa1b51889a8b845502f\r\nhttps://packetstormsecurity.com/files/author/12734/\r\nSource: https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/"
	],
	"report_names": [
		"inj3ctor3-operation-leveraging-asterisk-servers-for-monetization"
	],
	"threat_actors": [
		{
			"id": "07d5d8cf-7a15-47de-a1b7-a3333f064290",
			"created_at": "2026-02-07T02:00:03.660294Z",
			"updated_at": "2026-04-10T02:00:03.959064Z",
			"deleted_at": null,
			"main_name": "INJ3CTOR3",
			"aliases": [],
			"source_name": "MISPGALAXY:INJ3CTOR3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775791724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/42b4ed56ad29549f3cbc422b554c14860721caa8.pdf",
		"text": "https://archive.orkl.eu/42b4ed56ad29549f3cbc422b554c14860721caa8.txt",
		"img": "https://archive.orkl.eu/42b4ed56ad29549f3cbc422b554c14860721caa8.jpg"
	}
}