Toll Fraud Hack (Mitel 3300)

[ralph]

Here's a new hack I hadn't seen happen before.

Customer at one point had an AWC.  It has been turned off for months as the customer started using another service.
We suddenly saw international calls originating from these ports.
I was able to trace it back to some IP's in Israel and the Netherlands registering the SIP devices through the Teleworker server.

Since these were AWC ports (confusion here since the ports were labeled as AWC but they might of actually had a Quick Conf Server) there were no passwords on the SIP ports.
There was no restrictions on SIP devices through the TW server.   It appears that the TW server was scanned and then the device extension figured out. 

So the Take-A-Way here is this:
1) If you're not using SIP devices via TW server - disable the service in TW (MBG).
2) If you are using SIP devices via TW server be sure you upgrade to the latest version.  (more security)
3) Add complex passwords to all SIP devices.  An extension of 1234 should never have a password of 1234.
4) If you turn off a SIP based server - delete the associated SIP device programming in the 3300.
5) Be sure you have a good COR set up in your system and put proper limits in place.

In case you're interested, here is my Mitel 3300 ARS programming guide that would have helped in this situation.


While researching the above, I found this same system had their VM compromised.
The hacker logged into the admin mbox and changed the extension number of the 0 mbox and another one to 9+011++++. 
The hacker would then call any DID number and when he hit the VM box all he did was press '0' and he was transferred out.

Here's the take away from that:
1) Setup proper COR and ARS to block unauthorized calls.
2) Change all 3 admin passwords for the admin mbox.
3) Occasionally export all the mail boxes and review in a spreadsheet.  This makes it easy to see if an extension has been changed to something unusual.
4) Occasionally check your SMDR logs to be sure that there are no unusual calls after hours.

There are some other steps that can be done to block unauthorized use even further but those are the main points.
The VM hack is pretty old school so these steps shouldn't be a surprise to anyone.
The SIP attack was new to me.  I hadn't considered this type of ingress into the system before.
I'll have to update my security checklist for this type of thing.

Ralph

[x-man]

Ralph, in later software would restricting mailbox form dialling 9 have the effect of blocking the VM hack?

[ralph]

I don't know the answer to that.  I'd have to try it when I get a change.
I'm not sure it would because it used the extension number and not the transfer to cell feature.

Ralph

[Mattmayn]

Ralph, in later software would restricting mailbox form dialling 9 have the effect of blocking the VM hack?

I would assume not, since most of the time they would change the operator extension to the number to dial. I would assume the VM would treat this as pressing 0 instead or 9.

[ralph]

The voice mail hack is old school.  That exploit has been known since before I was born I think.
For the VM, I'm recommending that the password length be extended to at least 5 digits and change all the admin mail box password from their default.   

And of course lock down the COR of the ports in the 3300.

I'm still reeling a bit from the SIP exploit though.  I'm not surprised that often.  I'm still processing how to deal with it.
One of the things I noticed is that for the SIP device passwords it requires only digits.  It won't accept alpha characters. 
I can't think of a reason for this.  It would be much more secure if you could mix digits with alpha text.
That may need to be a DCR to Mitel.

Any thoughts?

Ralph

[LoopyLou]

Knowledge base Article 13-1263-00095

[ralph]

Thanks LoopyLou.

The take away from the knowledge base is this:

Initial investigations are showing that in the majority of cases that the access has been through the use of SIP and that the major contributing factor has been the use of simple user names and passwords. That is, in these cases the username and password have both been the directory number of the device in question or an extremely simple password such as “1111”, “2222”, etc..the same attention should be made to passwords across on products and applications.

Mitel requests that all of our partners revisit their installations with SIP end points and ensure that the installed SIP devices (hardware or software based) are not installed in this manner. In particular when connecting through a Mitel Border Gateway alphanumeric passwords are supported and should be used wherever possible.

Start paying attention to your SIP devices. 
Ralph