Thursday, October 13, 2011

11 Million Euro Loss - 1 Million in Profits - VoIP Fraud

Recent Voice over IP fraud attackers made over 1 million Euro in profits. 
It seems that they simply were scanning for PBX servers with phone extensions that have weak passwords. Then they abused these accounts to make phone calls for "free", except that free has the price of 11 million EUR for the service provider victims!

Apparently, originally they used these accounts for their own personal phone calls. However they got greedy and between October 2009 to February 2010, they made 23500 calls / 315000 minutes to premium numbers. Then (from what I understood), they got even more greedy and used a Shadow Communication Company and prices for premium numbers that then linked to another site further obfuscating their "business." Using this scheme they recruited other people to make  1,541,187 fraudulent calls or 11,094,167 minutes of talk time.

They used other premium numbers affiliate networks at first and then, when they realized the potential, they set up a company in the UK - Shadow Communications Inc. - through which they were able to sign a  contract on their own with a premium rate number provider and offer their own affiliates service, basically taking their "business" to a whole new level.

One of the original articles on this can be found here.

Sunday, October 9, 2011

Storming SIP - VoIP Systems Are The New Target

You Will Be Attacked - Reduce Exposure

When implementing a VoIP infrastructure or any kind of net­work technology, it is best to reduce the exposure to attack. The fact that the VoIP infrastructure is typically sitting next to other network entities makes the SIP network elements reachable and possibly vulnerable to an attack coming from the other network serv­ers. The number of VoIP phones and PBXs on the Internet is constantly growing, and if the infrastructure does not require exposure to the Internet, then avoid it. To help you separate the VoIP network from the rest, various network switch vendors allow you to set up a VLAN specifically for VoIP. However, be aware that VLANs are not a panacea, and tools like VoIPhop­per make it easy to demonstrate the fact that VLAN is not enough. Cisco published a white paper called VLAN Security, where they describe how to protect against a number of attacks aimed at VLAN technology. Segregat­ing the VoIP network can also be done through the use of firewalls or physical separation. VPN tunneling has also been previously suggested because it provides both encryption and can also be used to separate the VoIP traffic from the normal traffic.

However, these solutions might not always be feasible – especially since one major advantage of VoIP is that it integrates with other network elements on the Internet. In fact, various VoIP vendors market the fact that you can use your existing network infrastruc­ture without having to lay new cables. Whether or not this is a good idea depends on a large number of factors. When designing a VoIP infrastructure, it is therefore important to understand the requirements and mitigate depending on the case. For example, a hotel VoIP network will have different require­ments than a corporate IP phone net­work, and therefore a systems designer can apply different security precautions during the planning stage. Some other suggestions and observations:
• It is of course good to make use of encryption mechanisms such as TLS and SRTP. Unfortunately, the encryption for SIP and RTP is not yet widely supported. Zfone by the creator of PGP is particularly interesting. We shall not be going through this subject in depth since it is not within the scope of the attacks described within this article, but it definitely deserves a mention.
• The importance of good pass­words for IP Phones should not be underestimated. If the system does not require that end users set their own pass­word, then do not allow this functionality. Instead, make use of some kind of password man­agement and set their password to one that is unique and hard to guess. Applications such as KeePass, which is open-source and free, allow you to generate strong random passwords for you, as well as manage such passwords in a relatively secure manner.
• OpenSER, which is an open-source SIP server, has a module named pike. This module is able to block requests that exceed a given limit. This can allow for blocking of both extension guessing and password cracking. However one has to be cautious with such solutions. Attackers can make use of IP spoofing to intentionally block legitimate traf­fic. It might also unintentionally block legitimate traffic if its not properly conFigured.
• SIP allows extension lines which do not require authentica­tion. If there is no justification for unauthenticated extensions, then make sure NOT to use this feature.
• Hardphones will get security fixes in the form of a firmware update, while softphones will get a new software release. Keeping up to date with the latest versions can be a pain, but it is certainly one way of making sure your system does not fall victim to attackers exploiting a security vulnerability in your SIP phone.

You Are Under Attack
Detection is a very important step in a security solution. A network IDS such as Snort, when placed at the right location, can be of great help when trying to detect that an attack is underway. Snocer, which describes themselves as providing Low Cost Tools for Secure and Highly Available VoIP Communication Services, has previously published some Snort rules for public consumption. These rules are also available in the latest Snort community rules. In this section we will describe some of them and explain how they can be effective in catching the attacks mentioned previously. We will also provide some new Snort rules which can also detect activity de­scribed in this article and not caught by the current Snort community rules.
The Snort rules by Snocer are quite easy to understand, and are able to provide generic detection. Each of the rules looks out for an excessive number of SIP messages coming from a single IP address over a short period of time. The different SIP messages are INVITE and REGISTER requests, and 401 Unauthorized mes­sages.

The INVITE and REGISTER flood attacks catch svwar and svcrack be­ing run with default options against a SIP proxy. To be able to catch a default svmap scan, we need to be looking out for SIP messages with an OPTIONS request, spanned over different hosts in a short time. Listing 20 shows one such rule that triggers an alert if the rule is infringed 30 times in 3 seconds. One should probably adjust this rule depending on the ad­dress space being watched by Snort. If Snort is watching a /29 mask, i.e. only 6 hosts, then one should change the count to 6 and number of seconds to 1 or less. On larger networks, in­crease the count number to decrease the chance of a false positive.
The rule on excessive number of SIP 4xx Responses attempts to catch the majority of attacks outlined in this article. What it effectively does is match responses which contain a client error. This may be a 404 not found response like the one given by an Asterisk box when running svwar to identify SIP extensions or users. It will also match a password crack­ing attempt on an Axon PBX, or an extension enumerating attack on a Brekeke PBX when using svwar with the OPTIONS method. Of course, it will not catch a network scan for SIP devices on one which does not have a lot of devices, simply because the number of responses would be low.
The ghost phone call can also be easily detected since it generates a large number of ringing messages. Of course a payload of this attack is audible, and therefore the benefits of adding this rule might not be immedi­ately apparent since it makes itself so obvious. However, a Snort rule at this stage might be very useful during in­cident response, when trying to deter­mine things such as the source of the attack. The rule should be modified depending on the network. For exam­ple, it does not make sense to deploy this Snort rule on a calling center that takes 50 calls every minute.
Snort is not the only tool to monitor your VoIP infrastructure for attacks. In fact, Snort would very likely NOT detect any attacks passing through encrypted traffic. On the other hand, monitoring the logs on your IP PBX might be a good way of detecting some attacks destined to the SIP gateway. J. Oquendo posted a BASH script called astrap which monitors the Asterisk log entries for exces­sive number of failed authentication attempts. This small tool will list the offender's IP address, the number of password failures, and the extensions that were targeted on the Asterisk.
A host intrusion detection system such as OSSEC can be equally useful in detecting and automatically mitigat­ing attacks. At the time of writing, OS­SEC does not come preconFigured to support Asterisk log files, but this functionality can be easily added. Listing 21 includes a sample rule file for OSSEC to show how it can be conFigured to detect username enu­meration and password attacks on an Asterisk system such as Trixbox. List­ing 22 shows the changes required to enable this new Asterisk rule. We in­clude a decoder entry so that OSSEC will be able to extract the attacker's IP address and then use that to au­tomatically block the attack by adding the appropriate firewall rule.

References – RFC 3261 – Purpose of SIP – smap – SIPVicious tool suite – SIP peers external authentication in Asterisk/OpenPBX – SIPSCAN – Cain and Abel – Interview with Robert Moore – VLAN Security White Paper – Snocer, snort rules – astrap – OSSEC – Trixbox

Hat Tip - Sandro Gauci