Had a security breach on an extension this morning.
Extension password is a twelve digit alpha-numeric code with a tested working fail2ban process in place.
Thus, brute force intrusion is unlikely.
This PBX has about eight extensions, with only one affected. Looking in the logs, they look clean with no usual activity, or access.
In fact the fail2ban log shows zero password failures in the entire log for that extension, except for today when I changed the password and the legitimate phone tried to authenticate.
So it appears the intruder was able to obtain the password someway.
On a note the extension is in private residence, connected to a router, with the voip phone with he default admin/admin credentials in place.
I would suggest that the default admin/admin login is your problem, you don’t mention the phone in question or your network configuration at all ends, if the router at the “private residence” forwards udp/5060 connections to the phone, then that is where the problem starts and then gets worse.
The admin/admin password means that someone connected to the actual phone and started their shenanigans from there. The admin panel on the phone probably has an option to show the password, which in turn gives the attacker carte-blanche to make all the calls from all of their criminal buddies’ phones they want. Once the external 5060 from the router was turned off, the hole was closed, but if you open it up again, expect the same problems to occur.
From a purely administrative perspective, you should avoid putting your server and your phones in a network position to be accessed from outside the local LAN.
Actually I have stated again and again, just don’t listen on 5060 or anything close for your sip connections server or phones . if your provider is not compliant with that then write a rewrite rule on your router for that recalcitrant entity to your new less visible sip bound port.