Phone system compromised via admin mailbox

[evan631]

Due to Mitel's inability to do anything right our phone system was compromised last week.

Turns out when Mitel setup our system in one of our offices, they left the administrator mailbox password as default.  So over one night hundreds of calls were made through our system to all sorts of countries.

Apparently by dialing into our system, after hours you get the auto attendant.  Press * to enter your  mailbox.  By going into the administrator mailbox they were able to change it's extension, to redirect to some system to make calls through. 

Not only did they make calls but they deleted all mailboxes.  I guess they created a fresh/new install of the voicemail system.

Very irritating.

So...make sure you all change your administrator mailbox passwords!

Any other suggestions to lock down the system?

Thanks

-Evan

[v2win]

If the voicemail doesn't need to do any type of outcalling you could lock the ports down with a COR that wont allow outbound calls or at least international calls.

[evan631]

i believe the tech did that...at least for international calls.

[io]

So is the admin mailbox used to control the entire Call Director structure? Like when users hit our main line, they're actually interacting with the "admin mailbox"?

[v2win]

I believe he is talking about the embedded 3300 vm since they were able to initialize the system and delete all the mailboxes.

I assumed they were able to dial international calls since he said "calls to all sorts of countries".

[evan631]

I believe he is talking about the embedded 3300 vm since they were able to initialize the system and delete all the mailboxes.

I assumed they were able to dial international calls since he said "calls to all sorts of countries".

Yes...Embedded VM on 3300.  They were able to make many calls.

So is the admin mailbox used to control the entire Call Director structure? Like when users hit our main line, they're actually interacting with the "admin mailbox"?

The administrator mailbox lets you manage the voicemail system.  Everything from adding, deleting, modifying mailboxes, to wiping out the entire system and making a new install.

[acejavelin]

In recent software releases, this access is disabled by default, and TUI access to the administrator mailbox can be disabled via the Voicemail Option forms as well.

The most common way of this occurring is by an unauthorized user accessing mailbox 0 and changing it's extension to an outcalling number, or changing a specific mailbox's dial 0 location. Access to the Administrator Mailbox is not required or often used by hackers who find it easier to access a user's mailbox directly because so many use common passcodes.

Best bet is to require 5+ digit passcodes (we typically recommend 6) and require users to use uncommon passcodes that do not relate to the extension/mailbox number.

[io]

In recent software releases, this access is disabled by default, and TUI access to the administrator mailbox can be disabled via the Voicemail Option forms as well.

How recently has this been accounted for?

[acejavelin]

In recent software releases, this access is disabled by default, and TUI access to the administrator mailbox can be disabled via the Voicemail Option forms as well.

How recently has this been accounted for?

MCD 5.0 I believe... Unless it was an upgrade, all upgraded systems have it enabled by default since that was the previous behavior.

Sent from my MotoG3 using Tapatalk

[martyn]

If CoR was configured on the VM ports then they could have compromised the embedded VM as much as they wanted, but it wouldn't have allowed for the calls to go back out again.

As others have mentioned, there are plenty of toll fraud prevention measures, but they actually have to be done. You dealer (as opposed to Mitel as you make mention) should be implementing these using the above methods mentioned.