I use an asterisk server at home to provide phone services over SIP. I have two SIP providers, internode (aka nodephone) and engin.
After I came back from a long vacation last week (long service leave is nice!) I got a message from internode telling me my SIP service had been suspended due to suspicious activity. I had a look at my asterisk logs, and found that while I had been away my asterisk box had been busy making calls to various unusual places, especially North Korea and Somalia. I do fair number a lot of overseas calls, especially to the US, Germany and Sweden, but this certainly didn’t look legit!
I looked a bit more into my logs and found that I’d been compromised twice – once on June 1st and another time on June 15th. The first attacker only made a couple of test calls to Romania, Sierra Leone and Zimbabwe, plus one to North Korea. The second attacker took a lot more advantage of their ill-gotten SIP secret however, and made 151 calls, most of them to North Korea plus some to Somalia.
What the logs show is that the attacks both followed the same pattern. Both attackers first scanned extensions, trying all 1 digit extensions, then all 2 digit extensions then all 3 digit extensions etc. From that they found the list of five 4-digit extensions that were active on my asterisk box. Then they went back and brute-forced the SIP secrets on those extensions. Unfortunately I had chosen digit-only secrets when I first installed asterisk (thinking it may help with setup on keypad only devices) and I’d never changed them. Not a good idea! They needed a total of about 39k SIP auth requests to find the secrets.
Of course, this service was never intended to be exposed to the internet. The way it had become exposed was that I had been trying to track down a call dropout problem with engin, and thinking that they may be using a variant of the asterisk “try an OPTIONS request every few minutes to see if the other end is still there” approach, I temporarily had allowed UDP port 5060 through my firewall. Of course I then forgot to disable it again once I determined that wasn’t the problem. Darn!
Luckily whatever the people had to say to the person they were calling in North Korea wasn’t long – the calls were all about 5 minutes long (suspiciously close to 300 seconds actually – maybe they had dropouts too?). It still added up to a fair bit though – over $250 worth of calls. Ouch!
I contacted internode and they re-enabled my SIP account once I changed my internode SIP password (it wasn’t actually my internode SIP password that was compromised, but this was still a very reasonable precaution). At the suggestion of Travis, a very helpful internode helpdesk person, I put in a feedback request describing what happened, and they very kindly agreed to credit me with the charges for the fraudulent calls. That was a very nice surprise! Internode do seem to be well ahead of the crowd in customer service. Of course, this was a one-off gesture of goodwill, so it would not be a good idea to rely on this sort of generosity.
The calls made via engin were a bit strange. They showed up in my asterisk logs, but didn’t show up in the engin web call log or billing interface. I rang and asked engin about that, and a helpful person called Erick assured me that the bill was correct, and I wasn’t going to receive a big bill later. Perhaps someone at engin had already stripped their logs of calls to North Korea after someone else was hit by this?
Meanwhile, I’ve now got long random passwords in asterisk, and I’ve fixed my firewall. I’ve also setup a little UDP logger on port 5060 to grab any future attempts anyone makes to brute force my SIP service (just for amusement value, I’m curious to see how often I get scanned).
I wonder who was at the receiving end of all those calls to North Korea?