Avaya IP Office - Security Login (SSA) - Hacking attempts successful 2

blue42comz

Programmer
Feb 27, 2012
14
AU
Hi All,

Hoping someone can shed some light.

We have noticed a large spike in hacking attempts on our Avaya IPO's - all coming from the same external IP address (5.189.138.135).

All systems have unique passwords and all unused accounts have been disabled/deleted.

However, we have recently seen that SSA is showing "success" for "Security Login" and no further details. See below...

[Image: SSA_Security_Login_itv0et.jpg]


** We have multiple examples of the above.

So far, it appears to be R10 & R11 systems that are showing "Success" to "Security Login". I am wondering if this is a new vulnerability to the Avaya IPO's?

We have 1 confirmed system that has programming changes made (ICR was re-routed to an overseas number).

In addition, I have found many other users reporting the same issue. See below...


Your assistance with understanding this issue is greatly appreciated.

Kind regards
 
I am wondering if this is a new vulnerability to the Avaya IPO's?

If you have public IPs on the systems or forwarded ports so you can reach them it's not a vulnerability if someone else tries to hack them.

"Trying is the first step to failure..." - Homer
 
* for Janni & Intrigant

It is considered best practice to never expose the IP office to the public internet unless absolutely essential (& there are very few reasons why this should ever be so).

If direct access from the internet is required (i.e. for a NAT* Remote Worker) then the absolute minimum of ports should be open - ideally restricted to only known IP addresses.

An SBC is strongly recommended for inbound & outbound SIP connections.


*NAT Traversal Remote handsets. I would strongly discourage the use of this technology as 96xx handsets as a VPN solution is far more robust (VPN software is included in the 96XX handsets & incurs no additional licensing cost).
The cost of a VPN router is far less than the cost of a successful hacking attempt.


Do things on the cheap & it will cost you dear
 
IPGuru said:
the cost of a VPN router is far less than the cost of a successful hacking attempt.
True, in one weekend it will cost the customer 10.000 euro or more if the line provider does not monitor excessive call rates.
 
intrigrant said:
True, in one weekend it will cost the customer 10.000 euro or more if the line provider does not monitor excessive call rates.


Or if you installed the system in such a way as to make it insecure then it may cost YOU 10,000 euro :)



“Some humans would do anything to see if it was possible to do it. If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH', the paint wouldn't even have time to dry.”

Terry Pratchett
 
Thanks for feedback.

To be more specific.

If the security settings have been updated (all default passwords changed and all unused Users disabled/deleted).

- How is SSA logging "Security Login" = "Success"?
- And why are the [PC IP Address], [PC MAC Address] & [PC Login User Name] fields blank?

FYI. Port forwards have now been disabled.

Kind regards
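
One way to sweep audit-trail exports from several systems for the entries described in this thread (a "Security Login" marked "Success" with the PC IP Address, PC MAC Address and PC Login User Name fields all blank) and list what was logged on the same system shortly afterwards. This is an added example, not part of the original posts and not Avaya tooling; the CSV column names, the "Configuration Change" action name and the sample rows are constructed assumptions, not SSA's real export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. The column layout is an assumption for this example,
# not the real SSA export format; map your own export onto these names.
SAMPLE_AUDIT_CSV = """system,timestamp,action,outcome,pc_ip,pc_mac,pc_user
ipo-site-a,2000-01-01 02:14:07,Security Login,Success,,,
ipo-site-a,2000-01-01 02:15:40,Configuration Change,Success,,,
ipo-site-a,2000-01-02 09:00:12,Security Login,Success,192.0.2.10,00-00-5E-00-53-01,admin1
ipo-site-b,2000-01-01 02:20:55,Security Login,Failure,,,
ipo-site-b,2000-01-03 11:30:00,Security Login,Success,,,
"""

ORIGIN_FIELDS = ("pc_ip", "pc_mac", "pc_user")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def load(text):
    """Parse the export and order it by system, then by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["timestamp"], TIME_FORMAT)
    return sorted(rows, key=lambda r: (r["system"], r["when"]))


def is_blank_origin_login(row):
    """True for a successful Security Login with no recorded origin at all."""
    return (row["action"].strip().lower() == "security login"
            and row["outcome"].strip().lower() == "success"
            and not any((row[f] or "").strip() for f in ORIGIN_FIELDS))


def triage(text, window=timedelta(hours=1)):
    """Return each blank-origin login plus later non-login entries in the window."""
    rows = load(text)
    findings = []
    for login in filter(is_blank_origin_login, rows):
        followups = [(r["timestamp"], r["action"]) for r in rows
                     if r["system"] == login["system"]
                     and r["action"].strip().lower() != "security login"
                     and login["when"] < r["when"] <= login["when"] + window]
        findings.append({"system": login["system"],
                         "login_time": login["timestamp"],
                         "followups": followups})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_CSV):
        print(finding["system"], finding["login_time"], finding["followups"])
```

A finding with a non-empty follow-up list is the pattern reported for the one confirmed system here, where programming changes followed the login.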
 