VoIP Mailing List Archives

[steven.r.mccann at gma...]

Hello,

I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).


Some details:
* PBX is located in Texas
* Phone carrier is CenturyLink
* FreePBX distro running asterisk 1.8.14
* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.


More PBX setting details:
* inbound SIP traffic is not allowed through the firewall
* internal network is not accessed by many
* FreePBX web interface 


Questions I have at this moment:
1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?
2) how does this typically get sorted out with the phone company? they are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?


I'll be tightening things up, but any feedback is appreciated.


Thanks,
Steve

[EWieling at nyigc.com]

I’ve seen the following exploits of Asterisk / FreePBX boxes:

<![if !supportLists]>1) <![endif]>Default PlcmSpIp username and password for Polycom provisioning
<![if !supportLists]>2) <![endif]>Insecure SIP usernames and secrets
<![if !supportLists]>3) <![endif]>FreePBX GUI accessable from the internet
<![if !supportLists]>4) <![endif]>OS remote exploit (maybe ssh/ssl exploit)

Mitigation options:
<![if !supportLists]>1) <![endif]>Don’t use an easy to guess or default password on provisioning servers.
<![if !supportLists]>2) <![endif]>Use secure secrets.  Users never enter the secret so we use a 32 char random string of characters for the password
<![if !supportLists]>3) <![endif]>Don’t allow connections to port 80 from off-site.
<![if !supportLists]>4) <![endif]>Make sure your OS and SSH/SSL is updated packages are updated.

Contact your carrier and ask about any possible fraud detection.    Verizon SIP service has that feature.   I don’t think Level 3 has.   Don’t know about CenturyLink.   I also recommend locking down the system very tight with IP tables – only allow whitelisted traffic rather than only blocking blacklisted traffic.

Fraud is a constant issue for everyone.


From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Steven McCann
Sent: Wednesday, January 28, 2015 4:03 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Investigating international calls fraud


Hello,


I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).



Some details:

* PBX is located in Texas

* Phone carrier is CenturyLink

* FreePBX distro running asterisk 1.8.14

* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.



More PBX setting details:

* inbound SIP traffic is not allowed through the firewall

* internal network is not accessed by many

* FreePBX web interface



Questions I have at this moment:

1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?

2) how does this typically get sorted out with the phone company? they are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?



I'll be tightening things up, but any feedback is appreciated.



Thanks,

Steve

[terry at brummell.net]

You don't mention if the phone is remote, or local. Although you do mention it had a default user/pass. If the UI of the phone was/is accessible from the I'net, the GUI does have the ability to place a call from it, that is one way the calls could have been placed.


From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Steven McCann
Sent: Wednesday, January 28, 2015 4:03 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Investigating international calls fraud


Hello,


I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).



Some details:

* PBX is located in Texas

* Phone carrier is CenturyLink

* FreePBX distro running asterisk 1.8.14

* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.



More PBX setting details:

* inbound SIP traffic is not allowed through the firewall

* internal network is not accessed by many

* FreePBX web interface



Questions I have at this moment:

1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?

2) how does this typically get sorted out with the phone company? they are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?



I'll be tightening things up, but any feedback is appreciated.



Thanks,

Steve

[steven.r.mccann at gma...]

The UI (or anything really) is not open to the internet. The only things open are SSH and RDP (on alternate ports). The freepbx web interface has a strong username/password. The only weakness I see is a weak secret SIP password, and default mitel admin password used. There is no provisioning server for the Mitel phones right now.

The phone system is on the same subnet/VLAN as the internal network. My guess is some internal computer has a trojan which allowed attackers to do some internal configuration changes. I don't yet know how they launched an outbound call from the internal extension.


On Wed, Jan 28, 2015 at 4:38 PM, Terry Brummell <terry@brummell.net (terry@brummell.net)> wrote:

[admin at tootai.net]

Le 28/01/2015 22:03, Steven McCann a écrit :

[mdupuis at ocg.ca]

Do you have DISA setup? We're seeing lots of attackers running scripts that send digits until they strike a DISA, misconfigured mailbox, etc. (Assuming it wasn't a stupid employee forwarding an inbound call to a 9xxxxxxx number etc).

Have a look at SecAst (www.generationd.com) - it detects callers sending too many digits, monitors digit dialing speeds, etc. to help identify and block these types of attacks. The free version is better than nothing (but if you've already suffered one $25k attack then you probably don't mind spending a bit of money). Or have a look at http://www.voip-info.org/wiki/view/Asterisk+security for other ideas.

There were some (at least one) critical FreePBX weaknesses discovered this summer (you'll find them if you google). Even if you don't expose the management interface to the internet, don't trust FreePBX security alone.

-MD-

My opinions expressed are my own and do not necessarily reflect those of my employer. However, as an employee of Generation D Systems my opinions are probably biased.



________________________________________
From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of Administrator TOOTAI <admin@tootai.net>
Sent: Wednesday, January 28, 2015 5:07 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Investigating international calls fraud

Le 28/01/2015 22:03, Steven McCann a écrit :

[steven.r.mccann at gma...]

Hi Michelle,


DISA is not in use. I'll check out the SecAst product you mentioned for rebuilding the server.

I'm digging into the logs to get some more information.


Thanks,
Steve


On Wed, Jan 28, 2015 at 5:30 PM, Michelle Dupuis <mdupuis@ocg.ca (mdupuis@ocg.ca)> wrote:

[duncan at e-simple.co.nz]

On 29 Jan 2015, at 11:07, Administrator TOOTAI wrote:

[steven.r.mccann at gma...]

Hmm the calls are made during the day (and sometimes very early in the morning). Right now it looks like someone actually made these calls. If that is the case it's somewhat comforting to know the system wasn't compromised. However, the $25,000 phone bill still remains. Yikes. $6.25 per minute to Cambodia seems quite steep to me.

On Wed, Jan 28, 2015 at 6:07 PM, Duncan Turnbull <duncan@e-simple.co.nz (duncan@e-simple.co.nz)> wrote:

[dplatt at radagast.org]

[skoroneos at soldecom.com]

The 25000$ @6.25/min means 4000 minutes of calls (or 66H)
Not sure in how many days this has accumulated but i seriously dought this is made from a human accessing the phone.
The fact that you get the calls at certain times might have to do with the timezone the calls are going

If you phone has an API (most have) and allows for calls to be made, or the web interface allows calls to be placed from there, and there is no password or the default credentials then this is how the calls are made.
Check the call velocity (number of calls per minute) from that phone and if you see multiple calls at the same time frame then its probably not a (single) human doing it but some dialler.

We start seen this way more often than before. i.e using the phone as an attack surface instead of breaking into to pbx.
Also there seem to be a lot of javascript "cross-site� scripting attacks on the loose that target voip networks from the inside.
I.e using the browser to execute attacks from inside of a secure/firewalled network.




Stelios Koroneos

Jabber : stelios@soldecom.com

[dk at donkelly.biz]

It's very unlikely that this was an employee calling Mom for 66 hours (I'm
assuming these calls appeared on a single bill). It's also unlikely that
someone "inside" would benefit financially from making these calls. (Follow
the money!) Don't discount the possibility that you've overlooked something
in the firewall.

Meanwhile, does the client need to do international calling? If not, they
may request that international calls be blocked by the carrier; once
blocked, any international calls are the carrier's responsibility, not the
client's.

--Don


-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Dave Platt
Sent: Thursday, January 29, 2015 12:11 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Investigating international calls fraud

[michel at verbraak.org]

Did you have a look at the phone it self already?

Is call forwarding activated or something and can you call the phone/extension from externally?
I have seen this in the past where an employee enabled call forwarding on the phone and once at home he or family called the phone which forwarded the call to abroad.

Good luck. Michel.

Op 29-01-15 om 12:51 schreef dk@donkelly.biz (dk@donkelly.biz):

[BryantZ at zktech.com]

If you have not done so contact the carrier immediately. Report the fraud.
Have them disable international on the account until you have your security issues addressed.
Ask them to pull call logs containing Source and destination IP address. for the fraud calls.
If you are sure they came from your systems IP address then verify the systems does not have any unauthorized registered endpoints.
Verify the source and destination of the calls from any internal logs.

If the calls came from your IP then you are likely on the hook for the calls. If they came from another IP that you don't own then if you can prove you had no access to that IP than there is some hope the carrier may work with you.


Thanks Bryant