ECGSA-18A: Evidence of Botnet-assisted SIP Attacks exploiting SIP-UA

Original Release Date: September 19, 2018. Updated 18:19 UTC

Systems Affected

SIP Service Providers and Enterprises

Background & Description

SIP based Enterprises and Service Providers (SIP Operators) that provide SIP UA configuration files (such as for Cisco, Polycom, Yealink, Mitel devices), but which do not authenticate those downloads effectively, are vulnerable to attack by having those configuration files downloaded. The configurations contain SIP servers and authentication credentials; when disclosed, attacks can be launched against those SIP networks. In the past, firewall rules were sufficient authentication by confirming that downloads originated from known networks.

In attacks September 19, 2018 (UTC), evidence emerged that attackers are successfully retrieving the SIP UA configuration files including authentication credentials, REGISTER, and launch outbound calls via SIP to high-cost destinations, even in networks where IP access lists and firewall rules are in place to limit access. The attack methods appear consistent with use of botnet agents installed within the networks of the attacked entities. These attacks are succeeding in production, Interconnected Voice networks that do have firewall rules and access lists in place.

Key traffic-pumping destinations in this attack are in country code +224 (Democratic Republic of Congo) and to +1-876 (Jamaica).

The observed use of legitimate user IP address space from which to launch SIP attacks represents a substantial escalation in the strategy used by attackers.

Impact

Even with strong SIP authentication and firewall rules, SIP Operators may be exploited for fraudulent economic benefit of the attackers. Toll fraud to high-cost destinations based on traffic pumping can create substantial costs for SIP Operators, and for potentially theft of confidentiality.

Remediation

ECG recommends the following immediate measures to prevent this type of attack:

1. Use TLS with Client Certificate Authentication to restrict SIP-UA configuration to ensure that only legitimate devices with manufacturer-signed client TLS certificates ("manufacturer installed certificates", or MICs) are able to download configuration files. For SIP UA Configuration platforms that do not have intrinsic TLS Client Certificate Authentication and Authorization support, implement an intermediate HTTPS proxy to verify client certificates.
2. After limiting SIP UA Configuration Downloads to be restricted by TLS and Client Certificate Authentication, therefore ensuring attackers cannot retrieve the SIP authentication credentials, update the SIP authentication credentials to use SIP passwords of 12 characters or longer.
3. Block outbound calling to high-cost destinations whenever possible.
4. Manage firewall rules to minimize access to SIP-UA Configuration Servers.
5. Monitor for outbound calling to high-cost destinations and block attacks, using toll-fraud monitoring tools.

Compatibility

The SIP UA models can operate without TLS Client Certificate Authentication on Config, but have been reported by the manufacturers to have the capability.

• Aastra 6700, 6800, 9000
• Alcatel-Lucent 80x8
• Audiocodes 400HD
• Cisco 8800
• Panasonic KX-HDV
• Polycom VVX
• Snom IP Phones
• VTech VSP, VCS,
• Yealink IP Phones T2xx, T4x, T5xx

References

• Cisco 8800 3PCC Administrator Guide for HTTPS with Client Certificate Authentication
• Device Certificates on Polycom Phones (FP37148)
• Using Security Certificates on Yealink IP Phones (V81 20)
• Aastra 6700i, 6800i, 9000i SIP IP Phone: TR-069 Configuration Guide
• ECG Fraud Monitoring Service, Fraudstopper
• F5 Labs: Client Authentication

Contact

• Contact ECG for review and security remediation
• Technical Reviewers: James Puckett, Mark Lindsey, Brian Tate, Senior Members of Technical Staff, ECG
• info@ecg.co, +1-229-244-2099

The information you have accessed or received is provided "as is" for informational purposes only. ECG, Inc. ("ECG") does not provide any warranties of any kind regarding this information. In no event shall ECG or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

ECG does endorse certain commercial products or services, including in some cases the subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by ECG.