Vulnerable VoIP

The Network: A law firm with many offices worldwide who supplements their team with Netsurion Co-Managed SIEM services. Business VoIP has also been implemented for its many benefits.

The Expectation: The business gains the benefit of VoIP including flexibility and cost savings without compromising network security.

The Catch: Netsurion’s security SOC analysts observed a flurry of INVITE and REGISTER messages allowed by the firewall. The originating IP Address has a bad reputation according to AbuseIP. 

The Find: The SIP protocol is known to be vulnerable; possible workarounds include filtering or blocking all SIP traffic with source and destinations UDP port 5060 and TCP ports 5060 and 5061. This however, was not possible because the target was an A/V server which must accept connections from external IP addresses.
An IPS is also available but is configured in passive mode. Therefore, it does not block such traffic despite recognizing it as problematic.

The Fix: To start, block the attacker IP address. Upgrade to an active IPS so that such traffic can be blocked on detection. Apply all available updates to the target machine to minimize the attack surface.

The Lesson: Business VoIP provides benefits, but network traffic must be monitored for cybersecurity attacks. Port 5060 is a common target, the attack pattern being scanning, enumeration, and brute force password guessing, followed by abuse. Attacker motives include anonymity, abuse of the premium rate telephony model, and reselling VoIP and exploiting PII (personally identifiable information).