Bugs in Grandstream Gear Lay Open SMBs to Range of Attacks (Mar 25, 2019)
Several vulnerabilities have been discovered in various Grandstream network products that could allow unauthorised users to achieve remote code execution (RCE), install malware, and eavesdrop on the devices. If a threat actor compromises a device such as an IP PBX, conferencing gear, or an IP phone via one of these vulnerabilities, they could then scan the device and the network it sits on, install Remote Access Trojans (RATs), access the device's microphone or camera, and spread within the network. This is potentially extremely dangerous for organisations, as an actor could use the vulnerabilities to spy on confidential company calls in boardrooms, record conversations in office rooms, take photos via the camera, and more.
Recommendation: Grandstream has released a patch for the GAC2500 audio-conferencing unit, so it is crucial to apply it immediately. However, the patch does not fix the unauthenticated RCE vulnerabilities, so patched devices may still be vulnerable. Until Grandstream releases a comprehensive patch, users can disable the web interface on the device to prevent an exploit from working in the meantime.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.