
Messages - solpuser

1
After some further digging, I have discovered that once the VM passcode had been guessed, the attacker changed the User Option for "Personal Contacts" (e.g. allow a caller to hit 2 to have the call forwarded to their cell phone).

I had to look inside a backup file in order to get a listing for each mailbox to see if they had any Personal Contacts configured. Is there an easier way to get this info? Is there an easy way to clear these or can it only be done via the TUI for each mailbox?

So, to answer my original question, changing the Voicemail User Option -- Personal Contact for '0' will show up in the "Operator Extension (0)" Field of the Web Interface for VM Mailboxes.

To prevent abuse with Personal Contacts, I set "Public Network to Public Network Connection Allowed" to No for the COS for Voicemail. Now, if a mailbox is compromised and the "Operator Extension (0)" is set to a TF Number, the caller will not be connected to their number and simply punted back to the Operator Greeting for our system.

Maybe there is a better way to do this such that we allow a caller to be forwarded to the recipient's cell using a configured Personal Contact, but restrict TF abuse?
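
An added example, not part of the original posts and not Mitel tooling: one way to audit a mailbox listing for the change described above, once the listing has been put into CSV form. The column names, the 4-digit internal extension length and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample listing; column names are hypothetical, not a Mitel export format.
SAMPLE_CSV = """mailbox,operator_extension_0
2101,
2102,0
2103,2100
2104,9 011 44 20 5550 0100
2105,90115550100
"""

INTERNAL_EXT_DIGITS = 4  # assumption: the site uses 4-digit internal extensions


def classify(value, internal_digits=INTERNAL_EXT_DIGITS):
    """Classify an Operator Extension (0) value against the blank/0 baseline."""
    raw = (value or "").strip()
    if raw in ("", "0"):
        return "default"            # untouched field
    digits = re.sub(r"[\s\-().]", "", raw)
    if not re.fullmatch(r"[0-9*#+]+", digits):
        return "malformed"          # not dialable, still worth a look
    if digits.isdigit() and len(digits) == internal_digits:
        return "internal"           # forwards to another extension
    return "external"               # anything longer leaves the system


def audit(csv_text, internal_digits=INTERNAL_EXT_DIGITS):
    """Return (mailbox, value, verdict) for every mailbox that is off baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get("operator_extension_0") or "").strip()
        verdict = classify(value, internal_digits)
        if verdict != "default":
            findings.append((row["mailbox"], value, verdict))
    return findings


if __name__ == "__main__":
    for mailbox, value, verdict in audit(SAMPLE_CSV):
        print(f"mailbox {mailbox}: Operator Extension (0) = {value!r} [{verdict}]")
```

Mailboxes reported as "external" are the ones to check first; "internal" entries are listed too because any value other than blank or 0 is a change from the baseline.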

2
Thanks for the reply.

I'm not certain that is the case for the following reasons:

1) The 3 accounts (admin, manager, technician) all have non-default passcodes
2) The mailboxes (i.e. more than one) with the Operator Extension (0) that were modified had weak passcodes which would have been relatively easy to guess. Additionally, each compromised mailbox had their own overseas number.
3) After changing the passcodes of the affected mailboxes to something more challenging, the toll fraud stopped (at least for now, as I am seeing what appears to be further attempts to "guess" passcodes)

I will concede that #1 is entirely possible. However, if they had that level of access, why go modify the mailboxes that had weak passcodes?

Also, is it not possible to do what they have done only using the TUI for the individual user's voicemail?

Thanks!

3
Mitel MiVoice Business/MCD/3300 / Toll Fraud: Voicemail Operator Extension
« on: September 26, 2014, 02:52:00 PM »
Hello,

We have a Mitel 3300 MXe-III, release 6.0 SP3. We have noticed some Toll Fraud and have traced it back to voicemail reconfiguration of the Operator Extension (0) Value.

The passcode of a voicemail box for a normal user (i.e. not admin, manager, technician) is guessed and it seems the attacker is able to change the Operator Extension (0) field from blank or 0 to an overseas number. This is shown when we go to Voice Mail -- VM Mailboxes -- open the form for a particular Mailbox Number -- scroll down to Operator Extension (0), there is a value corresponding to an overseas number.

We've looked at a variety of options to change in order to better secure our system, however I would really like to understand how they can change the value in this field via the TUI. I have gone through the entire voicemail options tree and cannot determine how this is done.

Being able to reproduce what the attacker is doing will help us feel confident the changes we make to better secure our system address this problem and prevent future attacks.

Any guidance would be greatly appreciated!
