PBX Hacked and Scheduling when calls are allowed


#1

one of my systems got hacked and had 5000+ calls made between 12pm saturday and 6pm sunday.

Two questions:

I’m pretty sure I saw somewhere where it was possible to block outbound calls based on a schedule (except 911 of course). Is this possible in FreePBX and if so where?

secondly, I know the extension from which the calls were made. It’s a softphone extension used on the owner’s cell phone. How do I go about tracking down how this happened?


(Itzik) #2

You can tie an outbound route to a time group, create a separate emergency outbound route to allow emergency numbers without any restrictions, and move it to the top.


#3

ok, I figured out how to set up a time group in the outbound route. Now onto the harder issue, figuring out how the hell this happened


#4

Thanks PitzKey, found it myself but very much appreciate the reply.


#5

All calls were made to a california number that appears to be a legitimate number. I’m not sure what the game is here or why. Clearly this was a script as there were several calls made per minute and all to the same number.

Anyone have any clue as to what the point of this may be and how they may have gotten into the PBX? the extension password is huge, intrusion detection is on (and working), the PBX is behind a firewall.

What logs should I preserve to help diagnose this?

Thanks.


#6

I found this in the asterisk full log just prior to the calls starting

[2021-06-26 12:17:58] VERBOSE[2431] chan_sip.c: Registered SIP ‘1001’ at 45.130.97.134:8360

that IP is from Israel, Gaza to be precise. So somehow they were able to register to an extension and begin making calls.


(Itzik) #7

Three possibilities.

  1. The password is a unsecure password.
  2. The SIP credentials were emailed to the user and their email account got hacked.
  3. The password was stored in a unsecure place, or it is in EPM and is exposed publicly.

However, IMO: blocking outbound calls is a fat band-aid. You should first change the password, allow SIP access from trusted sources and then try to figure out how they gained access.

A while ago, I discussed on the #OpenSourceLounge how you can use an existing tool in FreePBX to implement a sort of 2FA on every outgoing call.

I was planning on presenting this at AstriCon as well as other techniques how to detect and get notified when there’s possible malicious activity on your PBX. But unfortunately, the AstriCon dates do not align well with the Jewish holiday of Sukkot. So maybe next year…


(David55) #8

Which is a well known hot spot for telephone fraud, and if you have to operate black list, rather than the preferred white list, filtering of callers, should be on the black list for most systems.


#9

Which is a well known hot spot for telephone fraud, and if you have to operate black list, rather than the preferred white list, filtering of callers, should be on the black list for most systems.

@david55 how would I blacklist an entire region without some geo-ip capabilities? how would a blacklist help if I don’t know the numbers to be called or calling from?

the other question is what the hell was the point of just calling a single number over and over again? just to ring up a bill for a random person? what’s the point?


#10

@PitzKey

Three possibilities.

  1. The password is a unsecure password.
  2. The SIP credentials were emailed to the user and their email account got hacked.
  3. The password was stored in a unsecure place, or it is in EPM and is exposed publicly.

1 is not the issue, the password is 30 characters long with a mix of upper/lower case, numbers and special characters. So if they’re guessing that we have bigger issues.

2 This is a possibility especially as this is the second time with this user/extension. Password was changed/strengthened the first time

3 How would the password be exposed publicly through EPM?

However, IMO: blocking outbound calls is a fat band-aid.

Absolutely agree on that…


(David55) #11

I don’t know what the crime model is in this case, but is it possible that they are dialling a raw international number, but you treating part of it as code to route to the PSTN. Other less likely cases are:

Distributed Denial of Service on the target number;

Testing whether you are likely to defend against the real attack.


(Lorne Gaetz) #12

If you are provisioning phones via EPM or some other method, then provisioning services (tftp, http(s), etc) must not be exposed to untrusted source IPs.


#13

@david55
they were dialing a local number in California, I traced it’s owner. The voicemail that answered the call however reported a different phone number (also california) which I again traced and came up as the same owner/address. So it appears the first number had a forward to the second. Sounded like a generic cell phone vm greeting.


#14

@lgaetz

If you are provisioning phones via EPM or some other method, then provisioning services (tftp, http(s), etc) must not be exposed to untrusted source IPs.

Then how would someone be able to use a softphone app on a cell phone? There’s no way to know what IP address the registration will come from. (unless I’m mis-understanding what you are saying)


(Lorne Gaetz) #15

You are. SIP registration and phone provisioning are separate services, access to which are controlled independently.


#16

You are. SIP registration and phone provisioning are separate services, access to which are controlled independently.

ok, I see what you are saying now. I’ll check the provisioning and lock it down if not already.


#17

@lgaetz

TFTP is the only provisioning protocol active.

The specific extension WAS in EPM and shouldn’t have been as it’s a soft phone and not a physical phone. I’ve removed it.

We do have one offsite phone that is provisioned via EPM. I assume adding it’s MAC address to EPM would prevent anyone from provisioning a different phone on that extension?


(Lorne Gaetz) #18

There are no security features in EPM. If you have entries in extension mapping, then you have provisioning files on the system with enough information to allow a SIP registration to the PBX. These files must be protected. If you expose any provisioning service to untrusted traffic, malicious users will spend all day every day trying to guess a filename. Once they do, they can download the file and register to the PBX using the file content.


#19

@lgaetz

There are no security features in EPM. If you have entries in extension mapping, then you have provisioning files on the system with enough information to allow a SIP registration to the PBX. These files must be protected. If you expose any provisioning service to untrusted traffic, malicious users will spend all day every day trying to guess a filename. Once they do, they can download the file and register to the PBX using the file content.

Ok, I’m seeing what you’re saying now. So then how would I go about handling this scenario? User has a desk phone at home that is an extension on his PBX in the office. His home internet IP is dynamic so no way to know what the IP reliably. How can I secure the TFTP AND let his home phone connect and provision to the office PBX?


(Greg Snover) #20

The phone should only have to re-provision when changes need to be made - you can temporarily add it’s IP (look in reports to get the IP) to the firewall as a trusted (local) IP, let it provision, and then remove the IP back out of the firewall - we do it all the time.

TFTP should ONLY be allowed from trusted IP’s - never public.

What phones are you using though - almost all brands (at this point) will use FTP at the least as a provisioning protocol - HTTPS would be even better, but at least they would have to hack/guess the FTP Login/Password to get in - TFTP is WIDE open.

Responsive Firewall will allow connection from the “Wild” without opening anything on the Firewall.