Steven McCann
2015-Jan-28 21:03 UTC
[asterisk-users] Investigating international calls fraud
Hello,

I'm investigating a situation where there were hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the phone company (CenturyLink in Texas).

Some details:
* PBX is located in Texas
* Phone carrier is CenturyLink
* FreePBX distro running Asterisk 1.8.14
* source SIP extension is Mitel 5212, firmware 08.00.00.04, default admin password (argh!). Phone is used by many different people.

More PBX setting details:
* inbound SIP traffic is not allowed through the firewall
* internal network is not accessed by many
* FreePBX web interface

Questions I have at this moment:
1) how were the calls placed? Was the Mitel SIP phone hacked somehow? Asterisk PBX?
2) how does this typically get sorted out with the phone company? They are charging $6.25 per minute for the Texas to Cambodia calls. The phone system owners are at fault, but how have these situations worked out in the past?

I'll be tightening things up, but any feedback is appreciated.

Thanks,
Steve
Eric Wieling
2015-Jan-28 21:23 UTC
[asterisk-users] Investigating international calls fraud
I've seen the following exploits of Asterisk / FreePBX boxes:
1) Default PlcmSpIp username and password for Polycom provisioning
2) Insecure SIP usernames and secrets
3) FreePBX GUI accessible from the internet
4) OS remote exploit (maybe ssh/ssl exploit)

Mitigation options:
1) Don't use an easy to guess or default password on provisioning servers.
2) Use secure secrets. Users never enter the secret so we use a 32 char random string of characters for the password.
3) Don't allow connections to port 80 from off-site.
4) Make sure your OS and SSH/SSL packages are updated.

Contact your carrier and ask about any possible fraud detection. Verizon SIP service has that feature. I don't think Level 3 has. Don't know about CenturyLink.

I also recommend locking down the system very tight with iptables: only allow whitelisted traffic rather than only blocking blacklisted traffic.

Fraud is a constant issue for everyone.
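Eric's second point (weak SIP secrets, replace them with 32 random characters) is easy to check mechanically. The script below is an added example written for this page; it is not Eric's code and not part of FreePBX. It assumes the plain [section] / key=value layout that FreePBX writes to sip_additional.conf, and the configuration text embedded in it is constructed for illustration.

```python
"""Audit SIP peer secrets in an Asterisk sip.conf-style file.

Added example, not from the thread or from FreePBX. It assumes the plain
[section] / key=value layout FreePBX writes to sip_additional.conf; the
configuration text below is constructed for illustration.
"""
import re
import secrets
import string

MIN_LENGTH = 20                                    # shorter than this is flagged
SECRET_ALPHABET = string.ascii_letters + string.digits
SECRET_LENGTH = 32                                 # the length suggested in the thread
COMMON_WEAK = {"password", "secret", "1234", "12345", "123456", "asterisk", "admin"}

# Constructed sample: three extensions with weak or missing secrets, one good one,
# and a trunk peer (its secret is set by the carrier, so that finding is informational).
SAMPLE_SIP_CONF = """\
[201]
type=friend
host=dynamic
secret=201
context=from-internal

[202]
type=friend
host=dynamic
secret=password
context=from-internal

[203]
type=friend
host=dynamic
secret=Xq9v2LmR7tYp4WzH8nKb3JdF6sGa1CeU
context=from-internal

[204]
type=friend
host=dynamic
context=from-internal
; no secret at all

[centurylink]
type=peer
host=sip.example.invalid
secret=trunkpass
"""


def parse_sip_conf(text):
    """Return {section_name: {key: value}} for a sip.conf-style text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            # Asterisk also accepts "key => value"
            sections[current][key.strip().lower()] = value.lstrip(">").strip()
    return sections


def weak_reasons(name, section):
    """List the reasons a peer's secret is unacceptable (empty list = fine)."""
    secret = section.get("secret")
    if secret is None:
        return ["no secret set"]
    reasons = []
    if secret.lower() in COMMON_WEAK:
        reasons.append("well-known default")
    if secret in (name, section.get("username"), section.get("defaultuser")):
        reasons.append("secret equals account name")
    if secret.isdigit():
        reasons.append("digits only")
    if len(secret) < MIN_LENGTH:
        reasons.append(f"only {len(secret)} characters")
    return reasons


def audit(text):
    """Return {peer_name: [reasons]} for every peer with a weak secret."""
    findings = {}
    for name, section in parse_sip_conf(text).items():
        if section.get("type", "friend") not in ("friend", "peer", "user"):
            continue
        reasons = weak_reasons(name, section)
        if reasons:
            findings[name] = reasons
    return findings


def new_secret(length=SECRET_LENGTH):
    """A replacement secret of the kind Eric describes: random, 32 characters."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for peer, reasons in audit(SAMPLE_SIP_CONF).items():
        print(f"{peer}: {', '.join(reasons)}  -> suggested: {new_secret()}")
```

Run it against a copy of sip_additional.conf; every peer it lists should get a new secret pushed through the FreePBX GUI (editing the generated file by hand is overwritten on the next apply). The trunk entry is reported so it is not forgotten, but its secret is whatever the carrier issued.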
Terry Brummell
2015-Jan-28 21:38 UTC
[asterisk-users] Investigating international calls fraud
You don't mention if the phone is remote, or local. Although you do mention it had a default user/pass. If the UI of the phone was/is accessible from the I'net, the GUI does have the ability to place a call from it; that is one way the calls could have been placed.
Administrator TOOTAI
2015-Jan-28 22:07 UTC
[asterisk-users] Investigating international calls fraud
On 28/01/2015 22:03, Steven McCann wrote:
> Hello,

Hi

> 1) how were the calls placed? Was the Mitel SIP phone hacked somehow?
> Asterisk PBX?

Check your logs. In the full log with verbosity 3 you can follow how calls were treated. Also the CDR should give you information like the extension(s) that placed those calls.

[...]

--
Daniel
Michelle Dupuis
2015-Jan-28 22:30 UTC
[asterisk-users] Investigating international calls fraud
Do you have DISA setup? We're seeing lots of attackers running scripts that send digits until they strike a DISA, misconfigured mailbox, etc. (Assuming it wasn't a stupid employee forwarding an inbound call to a 9xxxxxxx number etc).

Have a look at SecAst (www.generationd.com) - it detects callers sending too many digits, monitors digit dialing speeds, etc. to help identify and block these types of attacks. The free version is better than nothing (but if you've already suffered one $25k attack then you probably don't mind spending a bit of money).

Or have a look at http://www.voip-info.org/wiki/view/Asterisk+security for other ideas.

There were some (at least one) critical FreePBX weaknesses discovered this summer (you'll find them if you google). Even if you don't expose the management interface to the internet, don't trust FreePBX security alone.

-MD-

My opinions expressed are my own and do not necessarily reflect those of my employer. However, as an employee of Generation D Systems my opinions are probably biased.
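Michelle's description of the detection (too many digits, digits arriving at machine speed) can be tried against the PBX's own full log before buying anything. The following is an added example, not Michelle's code and not SecAst. It assumes Asterisk's DTMF log lines look like `[Jan 24 02:10:55] DTMF[1234] channel.c: DTMF end '9' received on SIP/x-00000001, duration 80 ms` (the logger's default dateformat plus the dtmf log channel); the log lines it scans are constructed.

```python
"""Flag channels that push DTMF digits too fast or too many at once.

Added example, not the thread's code and not SecAst. It assumes Asterisk
full-log DTMF lines of the form
  [Jan 24 02:10:55] DTMF[1234] channel.c: DTMF end '9' received on SIP/x-00000001, duration 80 ms
(default logger dateformat, dtmf log channel enabled); SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

MAX_DIGITS = 12            # more than a PIN plus a dialled number is suspicious
MAX_DIGITS_PER_SEC = 3.0   # people rarely key faster than ~2 digits per second

DTMF_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] DTMF\[\d+\] \S+: "
    r"DTMF end '(?P<digit>[0-9*#A-D])' received on (?P<chan>[^,\s]+), duration \d+ ms"
)


def _line(ts, chan, digit):
    """One constructed log line in the assumed format."""
    return f"[{ts}] DTMF[31337] channel.c: DTMF end '{digit}' received on {chan}, duration 80 ms"


def _burst(chan, digits, times):
    return [_line(t, chan, d) for d, t in zip(digits, times)]


SAMPLE_LOG = "\n".join(
    # inbound trunk call hammering a DISA: 16 digits in 3 seconds
    _burst("SIP/centurylink-00000007", "9011855123456789",
           ["Jan 24 02:10:55"] * 6 + ["Jan 24 02:10:56"] * 5 + ["Jan 24 02:10:57"] * 5)
    # inbound caller working through an IVR at human speed
    + _burst("SIP/centurylink-00000009", "2#41",
             ["Jan 24 02:12:00", "Jan 24 02:12:01", "Jan 24 02:12:03", "Jan 24 02:12:04"])
    # internal extension dialling a domestic number by hand
    + _burst("SIP/201-0000000a", "15125551212",
             [f"Jan 24 09:30:{s:02d}" for s in (10, 11, 11, 12, 13, 13, 14, 15, 16, 17, 18)])
)


def parse_dtmf(text):
    """Group (timestamp, digit) events by channel, in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = DTMF_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events[m.group("chan")].append((ts, m.group("digit")))
    return events


def scan(text, max_digits=MAX_DIGITS, max_rate=MAX_DIGITS_PER_SEC):
    """Per channel: digit count, digits per second, the dialled string, and flags."""
    report = {}
    for chan, evs in parse_dtmf(text).items():
        evs.sort(key=lambda e: e[0])            # stable: keeps digit order within a second
        n = len(evs)
        # log timestamps are whole seconds, so floor the window at 1 s
        elapsed = max((evs[-1][0] - evs[0][0]).total_seconds(), 1.0)
        rate = n / elapsed
        flags = []
        if n > max_digits:
            flags.append("too many digits")
        if rate > max_rate:
            flags.append("machine-speed dialing")
        report[chan] = {"digits": n, "rate": round(rate, 2),
                        "dialed": "".join(d for _, d in evs), "flags": flags}
    return report


if __name__ == "__main__":
    for chan, info in scan(SAMPLE_LOG).items():
        print(chan, info)
```

Whole-second timestamps make the rate coarse, so the count threshold does most of the work on short bursts; the flagged channel name is what you would feed to a hangup or to a firewall rule against the source address.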
Duncan Turnbull
2015-Jan-28 23:07 UTC
[asterisk-users] Investigating international calls fraud
On 29 Jan 2015, at 11:07, Administrator TOOTAI wrote:
> On 28/01/2015 22:03, Steven McCann wrote:
>> I'm investigating how this happened as well as what types of
>> arrangements can be made with the phone company (CenturyLink in
>> Texas).

Are you sure the calls weren't actually made internally? Can you see anything to suggest the IP or MAC address of the phone changed? Because for someone to take advantage of the calls (assuming they don't get cash out of ringing Cambodia) they needed to proxy through to that phone line, which maybe required them leaving some sort of device on the network. Otherwise I am guessing they got onto your PBX somehow.

As suggested, logs are important, including DHCP and syslog, to see if anything unusual happened.

Did the calls run all day or just at night when no one was around? Was there more than one call up at a time? (how many calls does the Mitel phone support?) How long were the calls? Were they varying lengths (more human like) and did they just redial as soon as they were dropped? Or were they automated to trigger as much cost as possible, e.g. if the 1st minute is the most expensive then you get a lot of short calls.

Good luck
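Daniel's pointer to the CDR and Duncan's questions (time of day, concurrency, call lengths, how fast the redials came) can all be answered from Master.csv in one pass. The script below is an added example for this page, not Daniel's or Duncan's code. It assumes the default cdr_csv column order (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, amaflags, uniqueid) and that international calls leave the PBX with the US 011 prefix; the CDR rows embedded in it are constructed, not real records.

```python
"""Summarise calls to one country from an Asterisk cdr-csv (Master.csv) file.

Added example, not code from the thread. Assumes the default cdr_csv column
order listed in COLUMNS and a trunk dial string using the US 011 prefix; the
rows in SAMPLE_CDR are constructed, not real records.
"""
import csv
import io
from collections import Counter
from datetime import datetime

COLUMNS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
           "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
           "duration", "billsec", "disposition", "amaflags", "uniqueid"]
RATE_PER_MINUTE = 6.25   # USD, the per-minute rate quoted in the thread
TARGET_CC = "855"        # Cambodia

# Constructed: three answered Cambodia calls from 201 (two overlapping), one
# unanswered attempt, and one ordinary domestic call from another extension.
SAMPLE_CDR = """\
"","201","0118551234567","from-internal","Lobby <201>","SIP/201-00000001","SIP/centurylink-00000002","Dial","SIP/centurylink/0118551234567,300,T","2015-01-24 02:11:05","2015-01-24 02:11:12","2015-01-24 03:05:12","3247","3240","ANSWERED","3","1422065465.1"
"","201","0118551234567","from-internal","Lobby <201>","SIP/201-00000003","SIP/centurylink-00000004","Dial","SIP/centurylink/0118551234567,300,T","2015-01-24 03:05:20","2015-01-24 03:05:25","2015-01-24 03:59:25","3245","3240","ANSWERED","3","1422068720.3"
"","201","0118559876543","from-internal","Lobby <201>","SIP/201-00000005","SIP/centurylink-00000006","Dial","SIP/centurylink/0118559876543,300,T","2015-01-24 03:30:00","2015-01-24 03:30:04","2015-01-24 04:00:04","1804","1800","ANSWERED","3","1422070200.5"
"","201","0118551234567","from-internal","Lobby <201>","SIP/201-00000007","SIP/centurylink-00000008","Dial","SIP/centurylink/0118551234567,300,T","2015-01-24 04:00:10","","2015-01-24 04:00:40","30","0","NO ANSWER","3","1422072010.7"
"","205","5125551212","from-internal","Front Desk <205>","SIP/205-00000009","SIP/centurylink-0000000a","Dial","SIP/centurylink/5125551212,300,T","2015-01-24 14:02:00","2015-01-24 14:02:03","2015-01-24 14:04:03","123","120","ANSWERED","3","1422108120.9"
"""


def parse_cdr(text):
    """Turn cdr_csv text into dicts with parsed timestamps and integer billsec."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, rec))
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["end"] = datetime.strptime(row["end"], "%Y-%m-%d %H:%M:%S")
        row["billsec"] = int(row["billsec"] or 0)
        rows.append(row)
    return rows


def normalise_dst(dst):
    """Strip '+' and the US 011 international prefix so the country code leads."""
    dst = dst.lstrip("+")
    return dst[3:] if dst.startswith("011") else dst


def analyse(rows, cc=TARGET_CC, rate=RATE_PER_MINUTE):
    """Answer the thread's questions for answered calls to country code `cc`."""
    hits = [r for r in rows
            if r["disposition"] == "ANSWERED" and normalise_dst(r["dst"]).startswith(cc)]
    # carriers bill whole minutes, so round each call up before summing
    billed_minutes = sum(-(-r["billsec"] // 60) for r in hits)

    # peak concurrency: sweep start (+1) / end (-1) events; ends sort before
    # starts at the same instant so back-to-back calls do not count as overlap
    events = sorted([(r["start"], 1) for r in hits] + [(r["end"], -1) for r in hits])
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)

    # gap from one call's end to the next call's start; negative means overlap
    ordered = sorted(hits, key=lambda r: r["start"])
    gaps = [(b["start"] - a["end"]).total_seconds() for a, b in zip(ordered, ordered[1:])]
    redials = [g for g in gaps if g >= 0]
    durations = sorted(r["billsec"] for r in hits)

    return {
        "calls": len(hits),
        "billed_minutes": billed_minutes,
        "estimated_cost": round(billed_minutes * rate, 2),
        "by_src": dict(Counter(r["src"] for r in hits)),
        "by_hour": dict(Counter(r["start"].hour for r in hits)),
        "peak_concurrent": peak,
        "shortest_sec": durations[0] if durations else 0,
        "longest_sec": durations[-1] if durations else 0,
        "fastest_redial_sec": min(redials) if redials else None,
    }


if __name__ == "__main__":
    for key, value in analyse(parse_cdr(SAMPLE_CDR)).items():
        print(f"{key}: {value}")
```

Point it at /var/log/asterisk/cdr-csv/Master.csv. A by_hour histogram clustered overnight, a peak_concurrent above what one Mitel 5212 can hold, and redial gaps of a few seconds all argue for an automated caller rather than a person at the handset; the src breakdown tells you whether the registration for 201 was the only account abused.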