bigdave1980
Systems Engineer
Hi all,
We've had an SV8100 hacked and the attacker has made a series of calls to international numbers. Most of the following is based on assumption and my limited knowledge of the system, but please have a look and let me know if this would even be possible. First off, it seems that the SIP router was not secured in that it was possible for any outside IP address to reach the SV8100, owing to an entry which was missing from the router's access control list. Secondly, the usernames and passwords were secure but it transpires that connections to the DIM port were enabled and the DIM username and password were the defaults. Having said that, I don't think somebody from outside could have reached the DIM as there was no port-forward/NAT translation on the router to take external traffic to that specific port.
However the attacker was able to get access, they appear to have created themselves a Manufacturer level user account and then used that to log into the system with PCPro or WebPro.
Once in the system, they have changed 0 in the numbering plan from Operator to F-Route, and have set up an F-Route to take calls out over a trunk group, without adding or stripping any additional digits.
They have then dialled into one of the DDIs on the system. The DDI points at a VRS message which has 4 associated AA single digit options. The first option points at a virtual extension which is on a call forward always to an external number. This is normal and has not changed. The other 3 options all point at a loopback which in turn points at a department group pilot number - this too is normal and has not changed. All unused options simply play the same VRS message again. With that in mind, I do not know how the attacker has been able to break out of the VRS-based auto attendant and dial external numbers.
The call logs show that on several occasions the attacker only made a single call into the system, but from there they were able to make 10 or more calls to external numbers without having to hang up in between - I don't know how that would be possible.
Sorry it's a bit long, but based on the clues above is anybody able to suggest how they would have been able to break out from the VRS message to make these calls? I don't think they have done it via a mailbox as none of the AA options go to voicemail.
Thanks in advance,
Dave
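The call-log pattern described in this post (one inbound call that stays up while the PBX places many outbound international calls) is something a defender can check for in call detail records. The following is an added example written for this page, not code from the original poster and not SV8100 software; the CDR field layout, the sample records, the UK-style "00" international prefix, the "0044" home country code and the three-call threshold are all assumptions.

```python
"""Correlate inbound calls with overlapping outbound international calls.

Added example (not from the original post). The CDR format below is a
constructed, simplified one: start time, direction, trunk, called number,
calling number, duration in seconds. Real SV8100 SMDR output differs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records. Numbers use reserved/fictional ranges; the
# 00999... destinations are placeholders for international numbers.
SAMPLE_CDR = """\
2024-01-10 02:14:05,IN,TRK1,01234567890,07700900123,1810
2024-01-10 02:14:40,OUT,TRK2,009991234567,,120
2024-01-10 02:17:02,OUT,TRK2,009987654321,,95
2024-01-10 02:20:10,OUT,TRK2,009991112222,,300
2024-01-10 02:25:33,OUT,TRK2,009993334444,,200
2024-01-10 02:30:00,OUT,TRK2,02079460000,,60
2024-01-10 03:00:00,OUT,TRK2,009995556666,,30
2024-01-10 09:30:00,IN,TRK1,01234567890,07700900456,65
2024-01-10 09:30:30,OUT,TRK2,02079460001,,40
"""

INTL_PREFIX = "00"   # assumption: UK-style international dialling prefix
HOME_CC = "0044"     # assumption: calls back to the home country are not flagged
MIN_OUTBOUND = 3     # assumption: how many overlapping international calls raise a finding


@dataclass
class Call:
    start: datetime
    direction: str   # "IN" or "OUT"
    trunk: str
    called: str
    caller: str
    duration: int    # seconds

    @property
    def end(self) -> datetime:
        return self.start + timedelta(seconds=self.duration)


def parse_cdr(text: str) -> List[Call]:
    """Parse the constructed comma-separated CDR layout into Call objects."""
    calls = []
    for line in text.strip().splitlines():
        start, direction, trunk, called, caller, dur = line.split(",")
        calls.append(Call(datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
                          direction, trunk, called, caller, int(dur)))
    return calls


def is_international(number: str) -> bool:
    """International under the assumed dialling plan: '00' prefix, not home country."""
    return number.startswith(INTL_PREFIX) and not number.startswith(HOME_CC)


def find_suspicious_inbound(calls: List[Call],
                            min_outbound: int = MIN_OUTBOUND) -> List[Dict]:
    """Flag inbound calls during whose lifetime the PBX placed several
    international outbound calls. This is the shape of the abuse in the post:
    a single inbound call, never hung up, with repeated outbound calls."""
    findings = []
    for inbound in (c for c in calls if c.direction == "IN"):
        overlapping = [c for c in calls
                       if c.direction == "OUT"
                       and inbound.start <= c.start <= inbound.end
                       and is_international(c.called)]
        if len(overlapping) >= min_outbound:
            findings.append({
                "inbound_start": inbound.start,
                "caller": inbound.caller,
                "ddi": inbound.called,
                "outbound_count": len(overlapping),
                "destinations": [c.called for c in overlapping],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_inbound(parse_cdr(SAMPLE_CDR)):
        print(f"{f['inbound_start']} from {f['caller']} to DDI {f['ddi']}: "
              f"{f['outbound_count']} international calls -> {f['destinations']}")
```

On the sample data only the first inbound call is reported: four international calls start while it is still up, the domestic call and the international call placed after it ended are ignored, and the second inbound call has no international activity at all. Running a check like this over SMDR output after hours is cheap, and pairing it with an alert on configuration changes to the numbering plan (the 0 to F-Route change the post describes) would catch this kind of reconfiguration before the first bill arrives.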