
CTS - Avaya IP Office 9.0 Manager Being Hacked


CTSLTW
MIS, SG
Jul 1, 2016
Hi, everyone

We have an Avaya IP Office 500 V2 Server Edition (running on Linux under VMware). We administer the Avaya VoIP phones via Avaya IP Office Manager ver 9.0. We are also running a One-X Portal and using ASBCE (Avaya SIP box) for One-X Mobile, so that our Android or Apple handsets can call back into our office from outside.

Recently our Avaya IP Office has been hacked. They got into our system and used unconditional forward on extension numbers to call overseas numbers (Cuba). Has anyone else had this unfortunate experience?

I hope you can help. How can we secure our Avaya IP Office phone system, and where should we look for the trail or log, to prevent future attacks? Your help will be greatly appreciated. Thank you very much.
 
What you need to do is to call an experienced business partner to look through this.

This can't have been installed properly, since you basically have what you need to be secure and still got hacked.

"Trying is the first step to failure..." - Homer
 
Hi, janni78

Thank you for your advice. We also thought we had secured our Avaya IP Office phone system, but unfortunately it happened... Let me elaborate a bit more on the setup.

External IP to ASBCE (firewall at DMZ) with specific ports open
External IP to Avaya IP Office Manager (firewall with specific ports open)

We actually got an experienced business vendor to set up the Avaya, but after the unpleasant event they also have no clue where the security loophole is. Is there any trail or log, or tell-tale sign, we can look into on the Avaya system? Thank you.
 
Maybe I should change the word experienced to competent.
The only reason for a system to be hacked is a lack of knowledge. They might know how to configure the system but apparently not how to secure the system, or you wouldn't be here today.
And that they don't know how it could happen is a good example of that.

For starters, if you allow access to Manager from any external IP, that's a huge security risk.

"Trying is the first step to failure..." - Homer
 
And if that's the way they got in, it should show in the Manager Audit Trail who made the last changes to the system.

I at least hope the manager login isn't Administrator/Administrator on the system.

"Trying is the first step to failure..." - Homer
 
Hi, janni78

Yes, you are right... But we are required to use One-X Mobile (SIP box) and One-X Portal (IP Office Manager), and according to Avaya IP phone system best practices we need to open the specific ports to achieve the objective of using a mobile phone to call back to the office through our VoIP phone system, to save on phone charges...

Does anybody have any idea of the best practice for setting up One-X Mobile and One-X Portal, which we are required to use for calling from outside back to the office VoIP phone system...

As such... does anybody have any idea of the best setup or a more secure configuration to prevent it from happening in the future? We have followed the practices below...

Avaya IP Office secure practices:
All default passwords need to be changed to stronger passwords
Disable all unnecessary accounts
Do not connect directly to the internet
 
Hi, janni78

The Manager password is definitely not Administrator/Administrator... It was changed to a stronger password on day one when we installed the Avaya phone system... As for the Audit Trail... there is no sign of a login or of continuous logins showing on the Audit Trail...

This is the tricky part... Could they have come in via other ways, besides hacking into Manager? All default passwords have been changed... Thank you...
 
Do you still have any of the following admin accounts:
Username: Manager, Password: Manager
Username: Operator, Password: Operator

Access to Security Settings:
Username: security, password: securitypwd

If you are not sure, then just try to log in and see if it works.

Also, are the login codes/passwords on your users of decent strength? i.e. not the extension number, 0000, 1234, 2580.

If they could log a phone in, and they used an Avaya phone or app (to bypass SBC), they could set the forward from there and bypass programming/Audit Trail.

Jamie Green

Avaya Registered Specialist Engineer
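The checks in the post above (default service-user accounts still present, weak phone login codes, and unconditional forwards pointing at international numbers) are easy to run against an exported user list. The script below is an added example, not code from the thread or from Avaya: the record layout, the `SAMPLE_USERS` and `SAMPLE_SERVICE_USERS` data, the 6-digit minimum and the international dial prefixes are all this example's own assumptions, and "Administrator" is included because it is named earlier in the thread.

```python
"""Audit constructed IP Office user records for the weak spots named in the post:
default service-user accounts, weak phone login codes, and unconditional forwards
to international numbers.  Sample data and field names are constructed for this
example; they are not Avaya's export format."""
import re

# Service users the thread names as shipping with default passwords.  Presence is
# flagged; whether the default password is still set has to be confirmed by a
# login attempt, as the post says, since a config export does not reveal it.
DEFAULT_SERVICE_USERS = {"administrator", "manager", "operator", "security"}

# Login codes the post lists as unacceptable.
COMMON_CODES = {"0000", "1234", "2580"}

# Example threshold, not from the thread.
MIN_CODE_LENGTH = 6

# Assumption: '+CC', ITU-style '00' and NANP '011' mark an international destination.
INTERNATIONAL_PREFIX = re.compile(r"^(\+|00|011)\d+$")


def is_sequential(digits):
    """True for runs such as 1234 or 4321 (constant step of +1 or -1 throughout)."""
    if len(digits) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def weak_login_code(extension, code):
    """Return the reasons a user's login code is weak; an empty list means it passed."""
    reasons = []
    if not code:
        return ["no login code set"]
    if not code.isdigit():
        return reasons  # non-numeric codes are outside these checks
    if code == extension:
        reasons.append("equals extension number")
    if code in COMMON_CODES:
        reasons.append("on the common-PIN list")
    if len(set(code)) == 1:
        reasons.append("repeated single digit")
    if is_sequential(code):
        reasons.append("sequential digits")
    if len(code) < MIN_CODE_LENGTH:
        reasons.append("shorter than %d digits" % MIN_CODE_LENGTH)
    return reasons


def risky_forward(user):
    """Describe an unconditional forward to an international number, else None."""
    if not user.get("forward_unconditional"):
        return None
    target = user.get("forward_number", "")
    if INTERNATIONAL_PREFIX.match(target):
        return "unconditional forward to international number %s" % target
    return None


def audit(users, service_users):
    """Return (subject, finding) pairs for everything the checks above flag."""
    findings = []
    for name in service_users:
        if name.lower() in DEFAULT_SERVICE_USERS:
            findings.append((name, "default service user still present; verify its password is not the default"))
    for u in users:
        for reason in weak_login_code(u["extension"], u["login_code"]):
            findings.append((u["extension"], "weak login code: " + reason))
        fwd = risky_forward(u)
        if fwd:
            findings.append((u["extension"], fwd))
    return findings


# Constructed sample records (extension 202 forwards to a made-up +53 number).
SAMPLE_USERS = [
    {"extension": "201", "login_code": "201", "forward_unconditional": False, "forward_number": ""},
    {"extension": "202", "login_code": "2580", "forward_unconditional": True, "forward_number": "00531000000"},
    {"extension": "203", "login_code": "739182", "forward_unconditional": True, "forward_number": "202"},
]
SAMPLE_SERVICE_USERS = ["Administrator", "Operator", "helpdesk"]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_USERS, SAMPLE_SERVICE_USERS):
        print("%-14s %s" % (subject, finding))
```

Run it on a list built from your own user export; anything it prints for a service user still has to be confirmed with a login attempt, which is the only way to tell whether the default password survived.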
 
External IP to Avaya IP Office Manager (firewall with specific ports open)
Have you read any of the threads saying not to give the IP Office a public IP?
Have you read Avaya's documentation on security when using remote handsets/One-X mobility?

With the ASBCE in place and correctly configured you should be able to achieve a high level of security.

Do things on the cheap & it will cost you dear
 
I really hope you have unplugged the IP Office from either the internet or the power. Otherwise on Monday you are going to come back to a BIG phone bill.

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.
 
Hi, mattKnight

Currently we are monitoring the traffic. After the hack I read the "Guidelines for Securing IP Office" as well as the Avaya One-X Mobile security documentation, and carried out the necessary security procedures... So far there have been no further incidents on our Avaya phone system.

But I cannot find any trace or trail of the recent hack on our company. Is it possible to delete the audit trail or log file? It's like it's invisible... a ghost that just came and went without any trace?

Maybe I am looking in the wrong place for the evidence? Could anybody enlighten me on where we can locate the log or audit trail, besides the default well-known location? Thank you.
 
If they used OXP or TAPI to set up the forwards then there will be no log; that's probably what they did. You can't delete entries in the audit trail, and there is only one :)
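Because a forward set through OXP or TAPI leaves nothing in the Manager audit trail, the call records are where this kind of fraud shows up: an incoming external call that is forwarded straight back out to an international number, typically out of hours. The script below is an added example and not part of the thread or of Avaya's tooling: the CSV layout and `SAMPLE_LOG` lines are constructed for this example (not the IP Office SMDR format), and the business-hours window, the "extensions are at most 4 digits" rule and the international dial prefixes are its own assumptions.

```python
"""Scan constructed call records for an external caller being forwarded out to an
international destination through an extension, plus out-of-hours international
calls, and total international outbound time per extension.  The CSV columns and
sample lines are this example's own, not the IP Office SMDR format."""
import csv
import io
from collections import Counter
from datetime import datetime

INTERNATIONAL_PREFIXES = ("+", "00", "011")  # assumption: '+CC', ITU '00', NANP '011'
BUSINESS_HOURS = range(8, 19)                 # example window: 08:00-18:59 counts as in hours
MAX_EXTENSION_DIGITS = 4                      # assumption: internal extensions are <= 4 digits

# Constructed sample log.  'caller' is the originating party as the system saw it,
# 'extension' is the user whose forward or handset carried the call.
SAMPLE_LOG = """\
start,direction,caller,called,extension,seconds
2016-06-25 02:14:07,out,+15550100,00531000001,202,612
2016-06-25 02:26:51,out,+15550100,00531000001,202,1190
2016-06-25 10:03:12,out,202,00441000002,202,95
2016-06-25 11:41:30,in,+15550100,202,202,40
2016-06-25 03:05:44,out,+15550100,00531000001,202,700
"""


def is_international(number):
    """True when the dialled digits carry one of the assumed international prefixes."""
    return number.startswith(INTERNATIONAL_PREFIXES)


def is_external(party):
    """True when the party is not a short all-digit internal extension."""
    return not party.isdigit() or len(party) > MAX_EXTENSION_DIGITS


def parse_records(text):
    """Parse the CSV text into dicts with a datetime 'start' and int 'seconds'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["seconds"] = int(r["seconds"])
    return rows


def flag_calls(records):
    """Return (extension, called, reasons) for suspicious international outbound calls."""
    findings = []
    for r in records:
        if r["direction"] != "out" or not is_international(r["called"]):
            continue
        reasons = []
        if is_external(r["caller"]):
            # An external caller leaving via an internal extension is the forwarded
            # (tromboned) call the thread describes.
            reasons.append("external caller forwarded out through extension")
        if r["start"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((r["extension"], r["called"], reasons))
    return findings


def international_seconds(records):
    """Total outbound international seconds per extension, for a volume alert."""
    totals = Counter()
    for r in records:
        if r["direction"] == "out" and is_international(r["called"]):
            totals[r["extension"]] += r["seconds"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ext, called, reasons in flag_calls(recs):
        print("ext %s -> %s: %s" % (ext, called, "; ".join(reasons)))
    print("international seconds per extension:", international_seconds(recs))
```

Pointed at a real call-record feed, the per-extension total is the field worth alerting on: the forward itself may be invisible in the audit trail, but the minutes it generates are not.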

 
Guys,
quite an interesting post... but this is a common hack observed in other systems, Panasonic and even Cisco.
The point is that in other systems this has been done by means of the voicemail system.
The conditions mentioned in the above posts, call forwarding through an extension, is the same way it's done in Panasonic, once somebody comes through the auto attendant. I have come across this even in old Nortel systems...
but never came across this in Avaya IP Office...
If anybody investigates this keeping VMPro in mind, please suggest a more secure way to block this outside dialing..

Well, if the user really came from the SBC then of course one has to know the password...

rgds
edvy
 
Normally it's not possible to do this through VM Pro unless you set up a custom module that makes it possible.
There are a lot of other ways you can hack an IP Office, though, especially if you can access it through a public IP address.

"Trying is the first step to failure..." - Homer
 
This will not be a VM hack; you have to specifically set the VM up with deliberate programming to allow it, and most people will not know how to do it, including, I would say, the OP and their BP :)

 
you have to specifically set the VM up with deliberate programming to allow it, most people will not know how to do it, including I would say the OP and their BP.
Actually it is quite easy to mis-program an AA to allow external transfers if you set up a Dial Known Extn option without taking care. However, I agree that this is not a VM hack; it is someone using CTI or One-X.
Unless these features are needed, the ports should not be forwarded to the IPO.
If they are needed, then care should be taken to ensure they are secured (unique complex passwords for every user and system account as a minimum).
Ideally additional methods should be employed at the border to ensure only authorised devices are allowed through.

Do things on the cheap & it will cost you dear
 
It's a really bad idea that One-X Mobile will use port 9443 instead of 8444 from R10 on... So direct access to 1XP user, 1XP admin, 1XP AFA, 1X Web Collaboration and WebRTC is only secured by passwords. I don't want the 1XP admin area available from the public internet. Time to figure out how a reverse proxy with URL restriction works.
 