Solved

SIP Shoretel Hacked

Posted on 2014-02-03
1,835 Views
Last Modified: 2014-02-17
So, we have had our ShoreTel hacked. Informed by our Comms provider.

Trying to get to the bottom of how, why, how to stop etc.

We had an international bar in place till the 28th Feb.
The hack occurred on the 1st and 2nd Feb.

The comms co are not giving much away, so need help.

Thanks
Question by:CHI-LTD
13 Comments
 
LVL 15

Assisted Solution

by:Phonebuff
Phonebuff earned 250 total points
Have you called ShoreTel support?

Is the box protected by a firewall?

Have you done a password audit / changed them all ?

If it were an Asterisk box I would tell you to start over from bare metal, not sure what your options are from Shoretel.
 
LVL 1

Author Comment

by:CHI-LTD
Not spoken to ShoreTel.
We have a firewall in place and also Ingate.
Not till now.

Surely a ShoreTel security issue?
 
LVL 15

Assisted Solution

by:Phonebuff
Phonebuff earned 250 total points
surely a shoretel security issue?

No, not necessarily. Most, no, all successful attacks in the VoIP world are from poor administrative practices, not exposures in the solution being used.

we have a firewall in place and also ingate.

Are you whitelisting the connection sources, or just letting everything through on the SIP command ports 5060-50nn? What about SSH and HTTP?

Again, you should talk with ShoreTel as a start.
 
LVL 1

Author Comment

by:CHI-LTD
They say it's mailbox passwords being simple; however, my view is that these should have been complete enough during deployment, and also the system should enforce complexity, right?
 
LVL 15

Expert Comment

by:Phonebuff
Nope, most systems do not enforce password rules for voice mail boxes or end points. It's the administrator's responsibility to know the environment they are in and enforce the correct security policy. Also, it's never a good idea for an administrator to enable dial-through support.
 
LVL 1

Author Comment

by:CHI-LTD
Dial-through support?
 
LVL 15

Expert Comment

by:Phonebuff
You get into a voice mail box and can then dial out again, also referred to as dial-through.
 
LVL 1

Author Comment

by:CHI-LTD
Ah, thought as much. Yes, I believe this was enabled... Is this on each mailbox or COS?
 
LVL 15

Expert Comment

by:Phonebuff
Sorry, but I don't know. My guess from many years ago is both...
 
LVL 17

Accepted Solution

by:JRSCGI
JRSCGI earned 250 total points
ShoreTel does not support dial-through on mailboxes to get an outside line.
You can set the mailbox passwords to expire (under class of service), but there is not a "required complexity" setting.
 
LVL 1

Author Comment

by:CHI-LTD
Surely then any hack of a SIP system is either the ISP, Comms Installer or ShoreTel themselves at fault?
 
LVL 1

Author Comment

by:CHI-LTD
Here is the report from our comms co.:


On the 3rd February it was reported that companyA telephone lines had seen a large amount of outgoing international calls placed over the weekend of the 1st and 2nd February.

A call was raised by the Comms Co. (job number J382979) at 12:02pm as it was suspected that the calls were fraudulent.

At 12:53 the call was picked up by User of the Comms Co. technical support team, to establish how these calls were made through the ShoreTel system. At 13:10 remote access was opened by Users at companyA.

We first ran a call detail report for the 1st and 2nd of February, and identified a large number of incoming calls to the Auto Attendant with a CLI of 100, 123, 10100, 1 etc. The number dialled was firstly a SiteB number labelled ‘Main Incoming’ and later again a SiteB number labelled ‘User SiteB’, which both terminate on the SIP trunk provision at SiteA. What appeared suspicious was that there were no outgoing calls logged to any international numbers in the CDR report. (These calls were probably calls for ‘probing’ purposes.)

We checked the system for the standard security configurations that prevent voice mail phreaking (voicemail external call back, voice mail external notification and find me) and were confident that this was configured correctly to prevent voice mail break out, as the user group ‘voicemail notification’ had the relevant parameters, including trunk to trunk, disabled. It was noted that 18 extensions were reported as having ‘simple’ passwords as a result of running the IDLint tool, and the list of the non-compliant extensions was passed to User.

We then configured a DDI number to route to the Auto Attendant and tested the ability to break out from the Auto Attendant, and we confirmed that break out was not successful.

The investigation then moved on to the TMSncc log, which provides detailed information about all calls that arrive at / are made by the ShoreTel system.

Here it was identified that the calls were arriving at the ShoreTel and then being immediately routed out, and what was suspicious within the logs was that the ‘dialled number (DNIS)’ was being shown as 8+0022891****** or 8+0035569******* or 9+00*********.

Our conclusion as to how the hacking occurred is as follows :-

The hackers were sending an INVITE SIP message towards the Ingate SBC, spoofing the To:- address with initially 800xxxxxxxxxxxx (where xx is the international number) and later 900xxxxxxxxxxxx. It is assumed that the hackers were also spoofing the From:- IP address with Gamma’s signalling address (WAN IP) (but this cannot be proven as we don’t have a packet capture from the time the fraud was occurring); the Ingate SBC is correctly configured to allow traffic in ONLY from this address, so the Ingate saw this as trusted traffic and passed it on to the ShoreTel.

The ShoreTel has 3 trunk groups configured, two with an access code of 8 and one with an access code of 9. When the call was received by the ShoreTel it would see the 8 or 9 initial digit and would automatically access a new trunk from the relevant group, dial the remaining digits (international number) and tandem switch the incoming call to the outgoing call. The cost of the outgoing call would then be charged to Church House Investments.

The ability to route an incoming call directly to an outgoing call is provided by a feature called ‘Tandem Switching’. Tandem switching allows legacy voice systems to utilise a ShoreTel system for outbound dialing. The ShoreTel system supports both user-side and network-side PRI, allowing ShoreTel systems to flexibly support digital tie trunks to other systems. You can enable tandem trunking support for any PRI or SIP trunk group with a check box in ShoreTel Director. Tandem calls are associated with a user group for outbound trunk selection. Inbound calls recognized as tandem calls are redirected to an outbound trunk based on user group call permissions and trunk group access. When needed, a “dial-in prefix” can be specified that is prepended to digits collected on tandem calls. The concatenated set of digits is then used in outbound trunk selection for the tandem call.

After discussions with ShoreTel they have confirmed that there is an error in their documentation confusing “tandem trunking” with “trunk to trunk transfer”, see below:

“We recommend that the Tandem Trunking parameter be enabled (checked) otherwise transfers to external telephone numbers may fail via SIP trunks”

We have now disabled the Tandem Switching feature and ShoreTel are going to amend the relevant documentation.

In conclusion there are 3 main points that allowed the fraudulent calls to be made:-

1. The INVITE message towards the SBC contained a spoofed To:- address.
2. The INVITE message towards the SBC contained a spoofed IP address which was a trusted address as far as the SBC is concerned.
3. The ShoreTel SIP trunk group had Tandem Switching allowed, which allowed automatic re-routing of the incoming call to the international destination.

My questions following this would be:

1. Who is to blame for the breach?
2. Who should be responsible for the cost of the hack?
3. Is their conclusion viable?
4. Should they not be able to track exactly how, and replicate the hack from logs at the SIP provider side?

Thanks
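The report describes inbound calls whose dialled number (DNIS) carried a trunk access code (8 or 9) followed by an international number and were tandem-switched straight back out, arriving from short probing CLIs such as 100, 123 and 10100. As an added example, not from the thread, the comms company or ShoreTel, the Python below scans constructed call-log lines for exactly that pattern; the line layout, field names and sample numbers are all assumptions made for illustration, and the real TMSncc log format differs.

```python
import re
from dataclasses import dataclass

# Values taken from the report: two trunk groups on access code 8, one on 9,
# and a DNIS of the form <access code>+00<international number>.
TRUNK_ACCESS_CODES = {"8", "9"}
INTERNATIONAL_PREFIX = "00"

# Constructed, simplified line format (NOT the real TMSncc layout):
# <date> <time> IN|OUT cli=<caller id> dnis=<dialled digits> trunk=<trunk group>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) cli=(?P<cli>\S*) dnis=(?P<dnis>\S+) trunk=(?P<trunk>\S+)$"
)

@dataclass
class Alert:
    ts: str
    cli: str
    dnis: str
    access_code: str
    destination: str
    probe_cli: bool

def is_tandem_breakout(dnis: str) -> bool:
    """True when the dialled digits read <trunk access code>00<number>: an inbound
    leg that a tandem-enabled trunk group would dial straight back out."""
    digits = dnis.replace("+", "")
    return len(digits) > 3 and digits[0] in TRUNK_ACCESS_CODES and digits[1:3] == INTERNATIONAL_PREFIX

def is_probe_cli(cli: str) -> bool:
    """Short, non-subscriber CLIs such as 100, 123, 10100 or 1, as seen in the CDR."""
    return cli == "" or (cli.isdigit() and len(cli) < 6)

def find_tandem_breakouts(lines):
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "IN":
            continue  # only an inbound leg can be tandem-switched back out
        if is_tandem_breakout(m["dnis"]):
            digits = m["dnis"].replace("+", "")
            alerts.append(Alert(m["ts"], m["cli"], m["dnis"], digits[0], digits[1:], is_probe_cli(m["cli"])))
    return alerts

# Constructed sample lines: a normal inbound call, a probe, two tandem breakouts and one outbound leg.
SAMPLE_LOG = [
    "2014-02-01 01:58:03 IN cli=01632960123 dnis=01632960001 trunk=SIP-SiteA",
    "2014-02-01 02:14:07 IN cli=100 dnis=01632960001 trunk=SIP-SiteA",
    "2014-02-01 02:14:41 IN cli=123 dnis=8+0022891000000 trunk=SIP-SiteA",
    "2014-02-01 02:15:09 OUT cli=01632960001 dnis=0022891000000 trunk=SIP-SiteA",
    "2014-02-02 03:40:22 IN cli=1 dnis=9+0035569000000 trunk=SIP-SiteA",
]
```

Run against the sample, `find_tandem_breakouts(SAMPLE_LOG)` returns the two inbound legs with access codes 8 and 9, both flagged as coming from probe-style CLIs; the probe call to the normal DDI and the outbound leg are not reported.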
 
LVL 17

Assisted Solution

by:JRSCGI
JRSCGI earned 250 total points
First of all, the conclusion does seem viable. (Q3) SIP hacking is new enough that not all procedures to protect a system / client are defined; and as usual, the hackers are ahead of the security documentation.

The sad thing is that in the industry, contracts and business practices make it nearly impossible to get anyone to pay for the costs related to the hack.  (Q2).  Since it was a combination of settings in the ShoreTel, spoofing, and design elements (see next paragraph), you would have a hard time blaming a single entity.  (Q1)  You may be able to get ShoreTel to give you some concession (additional month(s) free on your support agreement) if you think the documentation problem is sufficient.

We reduce this type of exposure with clients by using dedicated SIP trunks wherever possible (instead of using a standard ISP circuit that carries all Internet traffic).  The physical connection eliminates spoofing opportunities.  Some clients also have the carrier block certain international destinations if they don't do any business in those areas - some are notorious for scam artists.

Because SIP messages produce huge logs for even a single call, most providers we have worked with only capture and save the logs after a request has been entered. I suspect the storage requirements exceed any benefit - they only save the high level call info and dump the call logs. (Q4) Having said that, once a repair / inquiry is started, they should be able to match your calls with their logs, but that does not help much "after the fact."