June 2018 – SHOUT OUT Monthly Newsletter
Top Vulnerability, BotNet, Attack, VoIP Cost and Fraud News
Attack Type: VoIP & UC Protocols Implementation Vulnerabilities
Last Updated: 2018 April 20
US CERT Alert: TA18-106A
VoIP Attack Classification:
VoIP Attack Impact:
The techniques described in an early-2018 US-CERT advisory on Russian government-sponsored attacks on network infrastructure devices have resurfaced in recent attacks in Singapore, which mostly targeted voice-over-IP (VoIP) phones and Internet of Things (IoT) devices. Malicious activity began June 11 in Brazil and targeted SIP port 5060 for fraud and theft of service. Given the extensive global interest in US President Trump's meeting with Kim Jong Un, it is not surprising that attackers would try to compromise SIP-aware devices, such as IoT devices inside hotels and IP cameras outside them, to get close to targets of interest.
Cyber actors use these UDP and SIP-based weaknesses to:
- identify vulnerable devices;
- extract device configurations;
- map internal network architectures;
- harvest login credentials;
- masquerade as privileged users;
- modify device firmware, operating systems and configurations; and
- copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.
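The first four items in that list are what an exposed PBX sees as a sweep of REGISTER/OPTIONS requests from one address, each trying a different extension or password. The script below is an added example for this newsletter section, not code from the page, from US-CERT or from any vendor. It parses raw SIP requests the way a PBX on UDP/5060 receives them and flags three signals of the reconnaissance described above: one source targeting many extensions, repeated authentication failures for one extension, and a known scanner User-Agent. The traffic, addresses (RFC 5737 documentation ranges), thresholds and the response codes paired with each request are all constructed for illustration.

```python
"""Flag SIP reconnaissance and credential harvesting on UDP/5060.

Added example; not code from the newsletter, US-CERT or any vendor.
All traffic below is constructed.
"""
import re
from collections import defaultdict

# "friendly-scanner" is the default User-Agent of the SIPVicious toolkit;
# the others are strings commonly seen from SIP scanners (assumed list).
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious|sipcli|sundayddr", re.I)


def parse_sip_request(raw):
    """Return (method, request_uri, headers) for a raw SIP request.

    Header names are lower-cased; folded headers and compact header forms
    (e.g. 't:' for To) are not handled, which is acceptable for log triage.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def user_from_uri(uri):
    """User part of a SIP URI or address, e.g. <sip:101@pbx>;tag=x -> '101'."""
    m = re.search(r"sip:([^@>;]+)@", uri)
    return m.group(1) if m else None


def analyze(events, window=60, enum_threshold=5, fail_threshold=3):
    """events: iterable of (unix_ts, src_ip, raw_request, response_code).

    Returns {src_ip: sorted finding names} for sources that, within any
    `window` seconds, targeted >= enum_threshold distinct users, failed
    REGISTER auth >= fail_threshold times for one user, or used a scanner UA.
    """
    by_src = defaultdict(list)
    for ts, src, raw, code in events:
        method, uri, hdr = parse_sip_request(raw)
        user = user_from_uri(hdr.get("to", "")) or user_from_uri(uri)
        by_src[src].append((ts, method, user, code, hdr.get("user-agent", "")))

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        found = set()
        if any(SCANNER_UA.search(r[4]) for r in recs):
            found.add("known-scanner-user-agent")
        for i, (ts, *_rest) in enumerate(recs):
            in_win = [r for r in recs[i:] if r[0] - ts <= window]
            # extension enumeration: many distinct target users from one IP
            users = {r[2] for r in in_win if r[1] in ("REGISTER", "INVITE")}
            if len(users) >= enum_threshold:
                found.add("extension-enumeration")
            # password guessing: repeated 401/403 on REGISTER for one user
            fails = defaultdict(int)
            for r in in_win:
                if r[1] == "REGISTER" and r[3] in (401, 403):
                    fails[r[2]] += 1
            if any(n >= fail_threshold for n in fails.values()):
                found.add("credential-brute-force")
        if found:
            findings[src] = sorted(found)
    return findings


def sip_request(method, user, src, ua, call_id):
    """Build a minimal SIP request (constructed test traffic)."""
    return (
        f"{method} sip:{user}@pbx.example.test SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK{call_id}\r\n"
        f"From: <sip:{user}@pbx.example.test>;tag=t{call_id}\r\n"
        f"To: <sip:{user}@pbx.example.test>\r\n"
        f"Call-ID: {call_id}@{src}\r\n"
        f"CSeq: 1 {method}\r\n"
        f"User-Agent: {ua}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def sample_events():
    """Constructed capture: a scanner at 203.0.113.7 and one legitimate phone."""
    scanner, phone, t0 = "203.0.113.7", "192.0.2.10", 1528675200  # 2018-06-11 UTC
    ev = [(t0, scanner, sip_request("OPTIONS", "100", scanner, "friendly-scanner", "c0"), 200)]
    for i, user in enumerate(["100", "101", "102", "103", "104", "105"]):  # sweep
        ev.append((t0 + 1 + i, scanner, sip_request("REGISTER", user, scanner, "friendly-scanner", f"e{i}"), 401))
    for i in range(4):  # then guessing passwords for extension 100
        ev.append((t0 + 10 + i, scanner, sip_request("REGISTER", "100", scanner, "friendly-scanner", f"b{i}"), 401))
    for i in range(3):  # a real phone re-registering every minute
        ev.append((t0 + 60 * i, phone, sip_request("REGISTER", "201", phone, "Desk-Phone/1.0", f"p{i}"), 200))
    return ev


if __name__ == "__main__":
    for src, names in analyze(sample_events()).items():
        print(src, ", ".join(names))
```

Running it reports the scanner address with all three findings and stays silent about the legitimate phone. In practice the events would come from a SIP-aware sensor or PBX logs; the thresholds are deliberately low for the sample and should be tuned against real registration rates, and a source that trips them is a candidate for blocking at the edge rather than merely logging.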
Mitigation strategies for specific implementations and vendors are detailed in the US-CERT alert.
There is a significant amount of publicly available cybersecurity guidance and best practices from DHS, allied governments, vendors and the private-sector cybersecurity community on mitigating the exploitation vectors described above; the alert also lists additional mitigations for network device manufacturers, ISPs, and owners or operators.
Common VoIP Attack Classification:
- Abuse (e.g. Call Conferencing, Toll Fraud, Identity Theft and Traffic Pumping)
- Robocall Attacks
- Fuzzing Attacks (e.g. Malformed protocol messages and multiple message types)
- Eavesdropping (e.g. Call Pattern Tracking, Number Harvesting and Voice Mail reconstruction)
- VoIP & UC Network Interception and Modification
- Device Configuration Weakness
- Voice & Telephony Denial of Service (TDoS) Attacks
- Device and OS Vulnerabilities
- IP/TCP Network Infrastructure Weakness
- VoIP & UC Protocols Implementation Vulnerabilities
- SIP BotNet attacks
- Signaling Manipulation Attacks
- Fraud Attacks – Wangiri, IRSF and many others
- Media Manipulation Attacks
- SPAM over Internet Telephony (SPIT)
- UC Infrastructure Threats (e.g. Voice, Media, IM, Web, UC & Collaboration)
- UC Application Layer Threats
- Data & Voice Threats (e.g. SQL Injection, Malware, Viruses, and Buffer Overflows)
- Voice Phishing
Recent Costly Cyber Attacks:
- NHS ‘WannaCry’ attack – UK spending £46m upgrading infrastructure
- TalkTalk data breach continued customer data theft fallout
- DDoS attack in Germany using 6 million exposed, unencrypted SIP services on port 5060/UDP, creating a powerful SIP-based DDoS
UC Threats in the News:
- Allied Telecom Selects RedShift for UC Threat Detection and Fraud Prevention
- Cost Realities of VoIP Security Webinar on Demand
- Telecom Engine article by Katia Gonzales, chair of the non-profit i3forum Fraud Group, detailing the three primary threat vectors in VoIP telecom fraud:
While there are many types of fraud permeating telecom services today, there are three main categories operators should be paying close attention to:
- Voice Fraud
The most common – and financially painful – international fraud schemes are voice-based, generating illegal or abusive voice calls for profit and costing operators millions in revenue annually. International Revenue Share Fraud (IRSF) is one of the most widespread types, increasing six-fold since 2013, with measured losses growing from $1.8 billion to $10.76 billion. With IRSF, criminals gain access to operators’ networks and make repeated calls to premium rate numbers or international calls to destinations with high termination rates, racking up large bills for subscribers and forcing operators to pay out call termination charges, which scammers then get a share of.
- SMS Fraud
This type of fraud exploits the fact that text messages sent internationally can be routed across multiple different routes to their destination, each with a different cost attached to it. Hackers are using unauthorized or even illegal “grey or black routes” to deliver the messages at the lowest possible cost, depriving operators of legitimate termination revenues. They also take control of operators’ SMS Centers and send malicious traffic all over the world, soliciting consumers to make calls to premium numbers. This traffic often contains viruses or other malware that infects the recipient’s phone.
- IPX and Signaling Fraud
Criminals are exploiting vulnerabilities in and between today’s networks, which interface with hundreds of other networks globally, to commit IPX and signaling fraud. In SS7 signaling fraud, which spreads quickly from operator to operator, criminals exploit signaling vulnerabilities during roaming and international calls to hijack a subscriber’s phone and send spam SMS messages to their contact list. Other attacks in this category gain access to roaming subscribers’ personal data, spy on user traffic and sell sensitive data to other criminals, while still others distribute malware to roamers. For example, often a mobile virus within an app appears normal to the user but is running activity in the background, sending huge amounts of data back to its host and causing users to inadvertently incur huge bills.
Read the full article at telecomengine.com »
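The IRSF pattern the article describes (a compromised account placing repeated calls to premium-rate or high-termination-cost destinations) is visible in call detail records long before the wholesale bill arrives. The following is an added example, not code from the article, from i3forum or from the newsletter: a small CDR analyser that prices each call against a rate deck and alerts on any account whose estimated spend or count of high-cost calls in a one-hour window exceeds a limit. The CDR format, rate deck, destination prefixes, rates, thresholds and records are all constructed for illustration.

```python
"""CDR-based detection of International Revenue Share Fraud (IRSF).

Added example; not code from the article, i3forum or the newsletter.
The CDR format, rate deck, prefixes, thresholds and records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed per-minute termination rates (USD) keyed by dialled prefix.
# A real rate deck has thousands of rows; the point is that a handful of
# destinations cost orders of magnitude more than domestic calls.
RATE_DECK = {
    "1": 0.01,     # domestic (NANP), used as the default
    "44": 0.02,
    "252": 0.95,   # high-cost destination (constructed figure)
    "882": 1.40,   # international/premium networks (constructed figure)
}


def rate_for(number):
    """Longest-prefix match of a dialled number against the rate deck."""
    for n in range(len(number), 0, -1):
        rate = RATE_DECK.get(number[:n])
        if rate is not None:
            return rate
    return RATE_DECK["1"]


def parse_cdr(line):
    """Parse 'start_iso,account,caller,callee,duration_seconds' (constructed format)."""
    start, account, caller, callee, duration = line.strip().split(",")
    return {"start": datetime.fromisoformat(start), "account": account,
            "caller": caller, "callee": callee, "duration": int(duration)}


def estimate_cost(cdr):
    """Termination cost billed per started minute."""
    minutes = -(-cdr["duration"] // 60)          # ceiling division
    return round(rate_for(cdr["callee"]) * minutes, 2)


def detect_irsf(lines, window_s=3600, cost_limit=50.0, high_rate=0.50, high_calls=5):
    """Return {account: [reasons]} for accounts whose calls within any
    window_s-second window exceed cost_limit in estimated termination cost
    or include >= high_calls calls to destinations priced >= high_rate.
    In production both limits would be baselined per account, not fixed.
    """
    cdrs = sorted((parse_cdr(l) for l in lines if l.strip()), key=lambda c: c["start"])
    by_account = defaultdict(list)
    for c in cdrs:
        by_account[c["account"]].append(c)
    alerts = {}
    for account, recs in by_account.items():
        for i, first in enumerate(recs):
            win = [c for c in recs[i:]
                   if (c["start"] - first["start"]).total_seconds() <= window_s]
            cost = sum(estimate_cost(c) for c in win)
            high = [c for c in win if rate_for(c["callee"]) >= high_rate]
            reasons = []
            if cost > cost_limit:
                reasons.append(f"estimated spend {cost:.2f} USD within {window_s}s")
            if len(high) >= high_calls:
                prefixes = sorted({c["callee"][:3] for c in high})
                reasons.append(f"{len(high)} calls to high-cost prefixes {prefixes}")
            if reasons:
                alerts[account] = reasons   # report the first window that trips
                break
    return alerts


# Constructed CDRs: acct-2201 makes normal daytime calls; acct-0987 is a
# compromised PBX dialling premium destinations in the middle of the night.
SAMPLE_CDRS = """\
2018-06-11T09:02:11,acct-2201,+15551230001,15551239999,184
2018-06-11T09:40:55,acct-2201,+15551230001,442079460000,312
2018-06-11T02:03:14,acct-0987,+15551234567,882162011001,611
2018-06-11T02:14:30,acct-0987,+15551234567,882162011002,598
2018-06-11T02:25:02,acct-0987,+15551234567,882162011003,720
2018-06-11T02:37:41,acct-0987,+15551234567,252612345001,300
2018-06-11T02:43:19,acct-0987,+15551234567,882162011004,605
2018-06-11T02:49:05,acct-0987,+15551234567,252612345002,330
2018-06-11T02:54:50,acct-0987,+15551234567,882162011005,640
2018-06-11T03:01:33,acct-0987,+15551234567,882162011006,597
"""

if __name__ == "__main__":
    for account, reasons in detect_irsf(SAMPLE_CDRS.splitlines()).items():
        print(account, "->", "; ".join(reasons))
```

The compromised account trips both limits in its first hour of abuse while the normal account stays well under them. Two design choices matter in practice: the check runs on near-real-time CDRs (or on signalling, before the call completes) so that a trunk or account can be suspended within the window, and the cost is estimated from the operator's own rate deck so that a burst of calls to a destination the subscriber has never dialled is weighted by what it will actually cost to terminate.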