So I’ve encountered a strange exploit being attempted against the VoIP system I maintain. It’s not actually against the softswitch, though, but rather against the end customer’s ATA. We first saw this particular exploit three or four months ago, and it’s rather strange, but at the same time rather ingenious in its effectiveness.
By not targeting the softswitch itself (which is heavily fortified), these hackers are able to make international calls almost unnoticed. Well, they were for the first few days until we put in another block. We still see these attacks coming in, even though they will no longer work on our system, so I know it’s not just our customers that are being singled out.
It’s puzzling to me, though, that I can’t find anyone talking about this exploit. I’m still not certain how they’re doing it, but I have a few theories.
The basic exploit works like this:
- The attacker finds a Cisco/Linksys ATA on the internet
- They somehow manage to determine what username or phone number the device is authenticating with
- They configure the ATA to forward calls to an international number
- They call the phone number determined in step 2 via the PSTN (not hitting our softswitch directly)
- The softswitch calls the ATA, and the ATA sends the softswitch a redirect to the international number
- The international number is a destination where they can make calls local to the PBX/softswitch serving it (also exploited, I’m sure)
- Once this path is set up, I’m guessing it’s published somewhere on some type of real-time notification system, because calls start coming in rapidly after that.
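The softswitch-side block described above, as an added example that is not part of the original post and not the author's own code: in SIP, the redirect an ATA returns for a forwarded call is a 3xx response (typically 302 Moved Temporarily) whose Contact header carries the new destination, so the softswitch can inspect that Contact before following it and refuse any forward from a subscriber endpoint that lands on an international number. A second function flags subscribers whose foreign redirects cluster in time, which matches the burst of calls seen once a path is set up. The home country code, international dial prefix, hostnames and all SIP messages are constructed assumptions for the demo.

```python
"""Softswitch-side check on SIP 3xx redirects returned by customer ATAs.

Added example, not code from the original post. Policy values and sample
messages are constructed assumptions, not taken from any real deployment.
"""
import re
from collections import defaultdict
from typing import Optional

HOME_CC = "1"        # assumption: NANP softswitch, home country code 1
INTL_PREFIX = "011"  # assumption: NANP international dialing prefix

# Constructed sample: the redirect a forwarding-configured ATA returns when the
# softswitch offers it an inbound PSTN call. +44 113 496 xxxx is a UK number
# range reserved for fiction, used here as the foreign destination.
ATA_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+12125550100@sw.example.net>;tag=1928301774\r\n"
    "To: <sip:+12125550199@sw.example.net>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: \"Forward\" <sip:011441134960123@sw.example.net>;q=0.9\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: the same redirect, but to a domestic number (legitimate).
DOMESTIC_302 = ATA_302.replace("011441134960123", "+12125550150")


def status_code(msg: str) -> int:
    """Numeric code from the SIP status line, 0 if the line is not a response."""
    m = re.match(r"SIP/2\.0 (\d{3})", msg)
    return int(m.group(1)) if m else 0


def header(msg: str, name: str) -> Optional[str]:
    """First value of a header (case-insensitive), or None if absent."""
    for line in msg.split("\r\n"):
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return val.strip()
    return None


def contact_user(msg: str) -> Optional[str]:
    """User part of the first Contact URI; 'm' is the compact header form."""
    val = header(msg, "Contact") or header(msg, "m")
    if not val:
        return None
    m = re.search(r"sips?:([^@;>]+)@", val)
    return m.group(1) if m else None


def normalize(number: str) -> str:
    """Simplified E.164 normalization for the assumed NANP home network."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+"):
        return digits
    if digits.startswith(INTL_PREFIX):
        return "+" + digits[len(INTL_PREFIX):]
    if len(digits) == 11 and digits.startswith(HOME_CC):
        return "+" + digits
    return "+" + HOME_CC + digits


def is_international(number: str) -> bool:
    return not normalize(number).startswith("+" + HOME_CC)


def decide_redirect(response: str) -> dict:
    """Policy for a 3xx received from a subscriber endpoint.

    ignore: not a redirect; reject: no Contact, or Contact is international;
    follow: domestic forward. The softswitch only re-routes on 'follow'.
    """
    code = status_code(response)
    if not 300 <= code < 400:
        return {"action": "ignore", "target": None, "reason": "not a 3xx"}
    user = contact_user(response)
    if user is None:
        return {"action": "reject", "target": None, "reason": "3xx without Contact"}
    target = normalize(user)
    if is_international(user):
        return {"action": "reject", "target": target,
                "reason": "international forward from subscriber endpoint"}
    return {"action": "follow", "target": target, "reason": "domestic forward"}


def burst_alert(events, window: float, threshold: int) -> list:
    """Subscribers with >= threshold international redirects inside `window`
    seconds. events: iterable of (timestamp, subscriber, redirect_target)."""
    by_sub = defaultdict(list)
    for ts, sub, target in sorted(events):
        if is_international(target):
            by_sub[sub].append(ts)
    alerts = set()
    for sub, stamps in by_sub.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.add(sub)
                break
    return sorted(alerts)


if __name__ == "__main__":
    print(decide_redirect(ATA_302))       # rejected: foreign Contact
    print(decide_redirect(DOMESTIC_302))  # followed: domestic Contact
    # Constructed event log: one subscriber redirecting abroad three times in 9 s.
    log = [(0, "2125550100", "011441134960123"),
           (5, "2125550100", "+441134960123"),
           (9, "2125550100", "011441134960123"),
           (7, "2125550150", "+12125550199")]
    print(burst_alert(log, window=30, threshold=3))
```

The policy is deliberately applied only to 3xx responses coming from subscriber endpoints; trunk-side redirects from peers would need their own rule. Normalization here is a NANP-only sketch, so a deployment would swap in a proper E.164 library and a per-account allow-list for customers who legitimately forward abroad.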
We’ve seen an attempt on another type of ATA, but it was unsuccessful. We’ve also called the international number (there have been several different numbers attempted), which is how we know it’s routing calls out again from the destination.
We’ve seen it on ATAs that do not have a publicly running web interface, so I’m guessing that it’s done with SIP messages directly to the ATA. We’ve been attempting to work with Cisco on this, but we’re not a large enough customer to get on their radar just yet.
These aren’t random targets, either. They know the PSTN phone number, so I’m pretty sure they’re getting it from the ATA after a scan. The exploit also doesn’t look fully automated. There are time delays between attempts, and different phone numbers are used between attempts, which suggests there is a manual component to this, which is also probably why it’s not more widespread.
I decided I would publish this here in case anyone had seen something similar and wanted to share their experiences with it. It will at least provide a landing page for people who are Googling for this like I have been.