

Messages - Casgrain

1
Ok I found the exploit...

Call the main number, NuPoint call flow picks up (attendant), it waits for user to dial an extension, but dial 90 and it'll hit the corresponding route on the Mitel 3300.
Solution is to configure COR properly for VM ports, and to that I can add a limitation to the NuPoint Menu Dial Plan for the call director (from vvvvvvvvv to vvvvvvvv1) so that 9 in the menu just returns invalid.

2
Ya that's what I've read to be able to provide the earlier reply. I understand how they organize the rules but I'm not going to start redoing everything now, especially not until I know what the flaw is exactly.

Anyhow, the fraudulent calls stopped once I reset the password to the VM of the 8080 VM, basically the ext assigned to the overnight attendant.

3
Ok so I checked and our NuPoint has a 999 mailbox but our dialout plan is 4 digit so asking for it returns "This is not a valid mailbox" error. Our integrated VM has a 9999 extension but that doesn't seem reachable due to the NuPoint redirection. Unless I'm missing something, I think we can rule that out.

As for COR on those ports, I'm still trying to make sense of how this works (I'm a sys/net admin so this is somewhat all new to me) but I think it's restricted. Let me describe the setup:

All our VM ports are assigned COR 2.
COR Group 1 is assigned COR 1.
COR Group 2 is assigned COR 1,2.
COR Group 3 is assigned COR 1-3.
The fraudulent calls are made on our trunk group 1.

Now where I get lost a little:

ASR routes 1,3,5,7,9 and 99 are assigned to trunk group 1.
ASR routes are assigned respectively to COR Groups 1,2,3,60,60 and 64. (last 3 are for emergency dialing)
ASR Digit Dialed for 90 (operator), 901 (operator assisted long distance) and 9011 (international) goes respectively to routes 1, 3 and 5.

So I'm deducing it's possible to dial out to operator (90) due to missing COR 2 in COR Group 1, correct?

4
Search for "SMDR - Recorded Information" or "SMDR - Summary of Fields Tables" in the help for the details on each column.
When logged into the 3300, look for the ? on the top right and choose help from there. Use the magnifying glass in the help to search or go to System Applications > General Business Solutions > SMDR (Station Message Detail Recording) > Description

5
Hello all!

I've been looking on this forum to find resources on SMDR logs to track fraudulent international calls but I could not make sense of it for my context so maybe one of you experts could help me? :)

Here is an example of our SMDR logs for a fraudulent call:

Code:
03/13 02:27  00:00:33 7783      7783 0                    A T323T T302         
     001   17783                 A0010223A A0010211                             
 03/13 02:27  00:00:52 T302 0000 T51940223770 8080 7000      7783T T323         
     001   1940223770 8080       A0010211A A0010223 

From my understanding, from the 3rd line, an inbound call overnight from T51940223770 on our main trunk (T3xx) is answered by messaging (7000) NuPoint and redirected to our main menu (8080).
From there the call seems to go to a VM via one of the NuPoint VM ports (778x numbers).
After that I get lost on how they do it, but from the log I understand a supervised transfer (T) is made from that 7783 port to an external number over our main trunk.
I think the first line is that external outbound call being made to the operator and then transferred to whatever international number was requested from the operator.
After that I don't have any traces of said call.

Now, did I understand those logs correctly? And since the NuPoint seems to be involved, any way I could trace it to a specific ext/VM that's obfuscated behind that NuPoint port?

We checked and VMs are not allowed to dial out as per policy, nor do we have any DISA in place. It would really help me close the gap if I knew what the exploit was exactly!

We have a Mitel 3300 with NuPoint for VM (and some other features I believe).

Thank you!
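
One way to hunt SMDR exports for the pattern in the post above, where a NuPoint voicemail port (778x) appears as the calling party on a trunk leg. This is an added example, not part of the original posts or of Mitel's tooling. It assumes whitespace-separated records with the calling party as the fourth field and trunks written as T plus three digits, as in the posted log; the last sample record is constructed.

```python
import re

# Start of an SMDR record as it appears in the post: date, start time, duration, calling party.
RECORD = re.compile(r"^\s*(\d\d/\d\d)\s+(\d\d:\d\d)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
VM_PORT = re.compile(r"^778\d$")         # "778x numbers" in the post; adjust to your own VM ports
TRUNK = re.compile(r"^(T\d{3})[A-Z]?$")  # T302, T323T (trailing letter = transfer flag); assumed shape

def records(text):
    """Yield one joined string per call, folding wrapped continuation lines into their record."""
    current = None
    for line in text.splitlines():
        if RECORD.match(line):
            if current is not None:
                yield current
            current = line.strip()
        elif current is not None and line.strip():
            current += " " + line.strip()
    if current is not None:
        yield current

def vm_port_trunk_calls(text):
    """Return (date, time, duration, vm_port, trunks) for calls a voicemail port placed onto a trunk."""
    hits = []
    for rec in records(text):
        date, start, duration, caller, rest = RECORD.match(rec).groups()
        trunks = [m.group(1) for tok in rest.split() if (m := TRUNK.match(tok))]
        if VM_PORT.match(caller) and trunks:
            hits.append((date, start, duration, caller, trunks))
    return hits

# The first four lines are the log from the post; the last record is constructed (ordinary inbound call).
SAMPLE = """\
03/13 02:27  00:00:33 7783      7783 0                    A T323T T302
     001   17783                 A0010223A A0010211
 03/13 02:27  00:00:52 T302 0000 T51940223770 8080 7000      7783T T323
     001   1940223770 8080       A0010211A A0010223
03/13 09:15  00:01:10 T301 0003 8080                         8080
"""

if __name__ == "__main__":
    for hit in vm_port_trunk_calls(SAMPLE):
        print("voicemail port placed a trunk call:", hit)
```

Any hit is worth reviewing, since the posts state that VM ports are not supposed to dial out.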
