Hi All,
With the increased remote workers I'm sure we're not the only ones seeing more and more traffic coming via our SBCs. However, it seems there is a new program using a brute-force method to connect to the IPO and start fraudulent calls.
These new attempts are showing their SIP UA as "Avaya J179 IP Phone" and as such bypassing the "Avaya Device Only" security side, so the system is reliant on the complexity of users' login codes. As you all know, leaving something like that up to end users means there is a chance that these devices can connect and start running up the bills.
To prevent the issue you can add the Avaya J179 IP Phone, or change the whitelist to be only the devices you are actually using. A proper registration from a valid phone will have the version number after the model in the UA, so you should be able to see this in a sysmon trace.
Check your systems and be vigilant.
And hopefully a nice peaceful Christmas.
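An added example, not part of the original post: a small Python check that applies the tell described above (a model-only User-Agent with no version number) to exported trace lines and counts hits per source address. The line layout (source IP followed by the SIP header), the dotted version pattern, and the sample data are assumptions constructed for illustration, not real sysmon output.

```python
import re
from collections import Counter

# Constructed sample lines: "<source-ip> <SIP header>". Not real sysmon output;
# adapt the parsing to however your trace is exported.
SAMPLE = """\
198.51.100.23 User-Agent: Avaya J179 IP Phone
198.51.100.23 User-Agent: Avaya J179 IP Phone
198.51.100.23 User-Agent: Avaya J179 IP Phone
192.0.2.10 User-Agent: Avaya J179 IP Phone 1.2.3.4 (constructed)
192.0.2.11 user-agent: Avaya J139 IP Phone 1.2.3.4
203.0.113.5 User-Agent: Avaya J179 IP Phone
192.0.2.12 User-Agent: SomeSoftphone 1.2
"""

UA_RE = re.compile(r"^user-agent\s*:\s*(.*)$", re.IGNORECASE)
MODEL_RE = re.compile(r"^(Avaya \w+ IP Phone)\b(.*)$", re.IGNORECASE)
# Assumption: a genuine phone appends a dotted version right after the model.
VERSION_RE = re.compile(r"^\s+\d+(\.\d+)+")


def classify(ua):
    """Return 'versioned', 'bare' (model only, no version) or 'other'."""
    m = MODEL_RE.match(ua.strip())
    if not m:
        return "other"
    return "versioned" if VERSION_RE.match(m.group(2)) else "bare"


def suspicious_sources(text, threshold=1):
    """Count bare-model User-Agents per source; keep sources at/above threshold."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split(None, 1)  # first token = source IP, rest = header
        if len(parts) != 2:
            continue
        m = UA_RE.match(parts[1].strip())
        if m and classify(m.group(1)) == "bare":
            hits[parts[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(suspicious_sources(SAMPLE).items()):
        print(f"{ip}: {n} registration attempt(s) with a version-less Avaya UA")
```

Raising `threshold` separates a single odd registration from the repeated attempts a brute-force tool produces.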