Top Highlights
- A hacker group called INJ3CTOR3 is actively exploiting FreePBX systems with a sophisticated six-layer persistence mechanism, using a newly discovered PHP webshell called JOMANGY to maintain embedded control even after attempts at cleanup.
- The campaign targets over 3,000 exposed VoIP systems, exploiting known vulnerabilities (CVE-2025-64328 and CVE-2025-57819) to establish reinfection pathways, with many systems remaining infected months after disclosure.
- INJ3CTOR3 deploys multiple hidden backdoor accounts, webshells, and a resilient command-and-control infrastructure to facilitate toll fraud and call routing schemes, extracting financial gains at the victims’ expense.
- The infection’s persistence is reinforced through six interconnected channels—including scheduled polling, code injection, immutable stored crontabs, process watchdogs, and privileged command execution—making it extremely difficult to eradicate fully.
What’s the Problem?
A cyberattack orchestrated by the hacker group INJ3CTOR3 targeted over 3,000 FreePBX systems, which are open-source phone management interfaces used by businesses. Using a newly identified PHP webshell called JOMANGY, they infiltrated these VoIP systems through known vulnerabilities, specifically CVE-2025-64328 and CVE-2025-57819, despite patches being available. The attackers employed a sophisticated six-layer persistence method, ensuring their access remained embedded even if system patches were applied. These layers included polling command-and-control servers, injecting code during system login, storing immutable backups, deploying webshells across multiple paths, and maintaining backdoor accounts with high privileges. The primary motive was toll fraud—routing calls through premium numbers and charging victims’ carriers—rather than data theft or ransomware. Security analysts from Cyble, who discovered and reported this campaign, highlighted the complexity and resilience of the infection, noting that over 700 infected systems remained compromised five months after public disclosures. The attack’s persistence and stealthy design underscore the persistent threat to VoIP infrastructure, especially when vulnerabilities are not promptly and thoroughly addressed.
Risk Summary
The issue “Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems” poses a serious threat to your business’s communication infrastructure. When hackers gain access, they implement complex, multi-layered tactics that are difficult to detect and remove. This persistence allows them to stay hidden within your system, even after initial breaches are addressed. As a result, sensitive data and customer information are at high risk. In the long run, this can lead to financial losses, damage to your reputation, and operational disruptions. Moreover, if your phone systems are compromised, your ability to serve clients efficiently is hindered. Ultimately, without proper security measures, your entire business can be vulnerable to ongoing cyber threats, making it crucial to safeguard your systems proactively.
Possible Actions
Timing is crucial when hackers employ layered persistence techniques on compromised FreePBX systems, as delayed response can lead to prolonged unauthorized access, data breaches, and further system damage, underscoring the need for swift and effective remediation.
Immediate Isolation
Quickly disconnect affected systems from networks to prevent further intrusion and data exfiltration.
Thorough Investigation
Conduct comprehensive forensic analysis to identify all access points, malicious modifications, and embedded persistence mechanisms.
Credential Reset
Change all compromised accounts’ passwords and revoke unauthorized user access rights to eliminate attacker footholds.
System Updates
Apply the latest patches and updates to the FreePBX platform and underlying operating system to close vulnerabilities exploited by hackers.
Malware Removal
Utilize specialized tools to scan and remove malicious code, backdoors, and hidden persistence layers embedded within system files.
Configuration Review
Audit system configurations, including call routing and user permissions, ensuring they align with security best practices.
Enhanced Monitoring
Implement continuous monitoring solutions for real-time detection of unusual activity and signs of further compromise.
Restore and Reinforce
Restore the system from a clean backup, and reinforce security controls, such as multi-factor authentication and intrusion detection systems, to prevent recurrence.
Explore More Security Insights
Explore career growth and education via Careers & Learning, or dive into Compliance essentials.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
