asterisk users - Jan 2013 - Malicious traffic comming from 37.75.210.90

Hello Osama, and Hisham,

At 1330GMT there was some malicious activity coming from your network
IP 37.75.210.90. Please act accordingly. Things that may be of use
"972599779558"

N.

For what it's worth, I see similar traffic regularly from:

orange.ps
hadara.ps
ovh.net
iweb.ca
scalabledns.com
securedservers.com
wholesaleinternet.com
hostnoc.net
rackspace.com
hetzner.de

all going to 972-59-* numbers (i.e. Paltel/Jawal mobile customers).

Common numbers are:

972592871970
972597562803
972592170729
972595936848
972599532957
972592170729
972592539831
972592910519
972592577022
972592648299
972599146173
972592264761
972592600109
972598285108
972592910519
972599463826
972597072204
972599327923
972595813485
972598642462
972598431470
972598372537
972597248231
972598431470
?


Now some of these numbers have been short-lived, others have been in use more
than 2 years, like 972597562803 which seems to be sloppy tradecraft.

Why would an internet subscriber from hadara.ps, for instance, want to call a
Paltel mobile user via some remotely hacked SIP PBX thousands of miles away
given than Paltel is partially owned by Hadara Technology Investment Co. (and
Paltel leases long-haul infrastructure from Hadara anyway)?

http://en.wikipedia.org/wiki/Paltel

Well, if the Paltel subscriber were actually abroad? say in the US or Algeria or
the Philippines, but he didn't want to risk the longest arm of the call
being intercepted by Echelon or similar means, then he'd find an ISP in the
country which he knew that subscriber to currently be in, and scan its CIDR
blocks for insecure SIP PBX's to use to contact the mobile user? relying on
domestic privacy protections to inhibit spying on internal traffic to that
country.

Perhaps Hadara (or a Hamas cell operating within Hadara) has moved from psyops
to more overt means:

http://blogs.norman.com/2012/security-research/cyberattack-against-israeli-and-palestinian-targets-for-a-year

I'm surprised that DHS hasn't taken more interest in this.

Or perhaps they already have, and are operating deliberately insecure PBX's
as honeypots.

Coming soon to your AGPS+ coordinates: a Predator drone?

In any case, with all the SIP (and other) abuse I've received from
Hadara.ps, they've never once acknowledged a complaint I've sent in?
which seems to be tacit approval of the practice.

I'd be curious to know what everyone else's experiences have been like,
and why 95% or better of the SIP attacks on my PBX are destined for Paltel
mobile subscribers.

Given the number of inhabitants in Gaza, it seems like a statistical
improbability.

Certainly not random distribution.


On Jan 6, 2013, at 4:36 PM, Nick Khamis <symack at gmail.com> wrote:
> Hello Osama, and Hisham,
> 
> At 1330GMT there was some malicious activity coming from your network
> IP 37.75.210.90. Please act accordingly. Things that may be of use
> "972599779558"
> 
> N.
>