Here's a new hack I hadn't seen happen before.
Customer at one point had an AWC. It has been turned off for months as the customer started using another service.
We suddenly saw international calls originating from these ports.
I was able to trace it back to some IPs in Israel and the Netherlands registering the SIP devices through the Teleworker server.
Since these were AWC ports (confusion here since the ports were labeled as AWC but they might actually have had a Quick Conf Server) there were no passwords on the SIP ports.
There were no restrictions on SIP devices through the TW server. It appears that the TW server was scanned and then the device extension figured out.
So the take-away here is this:
1) If you're not using SIP devices via the TW server - disable the service in TW (MBG).
2) If you are using SIP devices via the TW server, be sure you upgrade to the latest version (more security).
3) Add complex passwords to all SIP devices. An extension of 1234 should never have a password of 1234.
4) If you turn off a SIP based server - delete the associated SIP device programming in the 3300.
5) Be sure you have a good COR set up in your system and put proper limits in place.
In case you're interested, here is my Mitel 3300 ARS programming guide that would have helped in this situation.
While researching the above, I found this same system had their VM compromised.
The hacker logged into the admin mbox and changed the extension number of the 0 mbox and another one to 9+011++++.
The hacker would then call any DID number and when he hit the VM box all he did was press '0' and he was transferred out.
Here's the take-away from that:
1) Set up proper COR and ARS to block unauthorized calls.
2) Change all 3 admin passwords for the admin mbox.
3) Occasionally export all the mailboxes and review in a spreadsheet. This makes it easy to see if an extension has been changed to something unusual.
4) Occasionally check your SMDR logs to be sure that there are no unusual calls after hours.
There are some other steps that can be done to block unauthorized use even further but those are the main points.
The VM hack is pretty old school so these steps shouldn't be a surprise to anyone.
The SIP attack was new to me. I hadn't considered this type of ingress into the system before.
I'll have to update my security checklist for this type of thing.
Ralph
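The two review steps in the VM list above (items 3 and 4: reviewing an exported mailbox list for rewritten transfer extensions, and checking call records for after-hours international calls) can be scripted. This is an added example, not Ralph's code or a Mitel tool; the column layout of the mailbox export and of the call records is constructed and assumed, and the rule that a transfer extension beginning with 9 or 011 is suspicious is an assumption based on the 9+011 trick described in the post.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample mailbox export (column names are an assumption, not the
# real 3300 export format). The last row mirrors the 9+011 trick from the post.
MAILBOX_EXPORT = """mailbox,extension
0,9011
1000,1000
1001,1001
2000,9+011++++
"""

# Constructed, simplified call records: timestamp, calling ext, dialed digits,
# duration. Real SMDR layout differs; the field order here is an assumption.
CALL_RECORDS = """2024-03-02 02:14:03,1001,0114412345678,00:32:10
2024-03-02 10:05:00,1002,5551234,00:02:11
2024-03-03 23:48:17,1003,01197212345678,01:05:44
2024-03-04 14:20:00,1004,0114412345678,00:03:00
"""

# A legitimate mailbox transfer target: a plain 3-5 digit internal extension.
VALID_EXT = re.compile(r"^\d{3,5}$")
# Digit strings that start with a trunk access code (9) or the 011 prefix
# (assumed dial plan) should never be a mailbox transfer target.
TRUNK_PATTERN = re.compile(r"^(9|011)")


def suspicious_mailboxes(export_text):
    """Return (mailbox, extension) pairs whose transfer target is not a plain internal extension."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [
        (r["mailbox"], r["extension"])
        for r in rows
        if not VALID_EXT.match(r["extension"]) or TRUNK_PATTERN.match(r["extension"])
    ]


def after_hours_international(records_text, start_hour=8, end_hour=18):
    """Return international (011-prefixed) calls placed outside business hours."""
    flagged = []
    for line in records_text.strip().splitlines():
        stamp, ext, digits, duration = line.split(",")
        hour = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").hour
        if digits.startswith("011") and not (start_hour <= hour < end_hour):
            flagged.append((stamp, ext, digits, duration))
    return flagged
```

Running both functions over the constructed data flags mailboxes 0 and 2000 and the two overnight international calls from extensions 1001 and 1003.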