VCS-Expressways hacked from the Internet - Warning

gfolens · ‎01-24-2012

Hello,

I already found 2 cases where a configuration with VCS-Expressway/VCS-Control and ISDN gatewat was hacked from the Internet.

Apparently the hacker first scans the Internet for a VCS-Expressway. I've no idea how this is done but I guess it is via SNMP or HTTP requests.

Once a VCSExpressway is found the hacker tries to make calls via the ISDN-gateway. First they gues which prefix to be used; Most common are 0 or 9. But apparently hey also manage to find other prefix like 50 or 40.

Then during the weekend and night they start to make calls using a SIP UA.

In all cases the dialled numbers are based in Cuba and all calls have random numbers, eg: 0005352634021,0005352454010,...

Theses calls come in on the VCS-E as SIP in the form: 90005352634021@"ip-address of VCS-E".

Most of the dialled calls are Unanswered - so I guess this is a DoS attack.

To stop these attackes I put a CPL on the VCS-E which blocks all calls to the ISDN-gwy prefix.

rgds, Geert Folens.

Tomonori Taniguchi · ‎01-24-2012

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-0.pdf

Please refer page 41, Step 16: Restrict access to ISDN gateways, to prevent what mention in above.

You may want to have registration restriction configuration on VCS Expressway together with restriction access control (please refer page 40, Step 15: Registration restriction configuration).

Best regards,

Tomonori Taniguchi

hight · ‎01-24-2012

Please also see the recomendations in "Cisco TelePresence Video Communication Server Basic Configuration Cisco VCS Control with Cisco VCS Expressway Deployment Guide (X7.0)" ... or the latest version of this guide. Please look at the section: "Restrict access to ISDN gateways".

This is one of the configuration guides available at:

www.cisco.com > support > VCS > configuration guides

hight · ‎01-24-2012

Great minds think alike Tomo

Thanks

Paula Talamo · ‎01-25-2012

In addition to the above referenced document, check out the Cisco TelePresence Hardening Guide for addtional information on securing your TelePresence solution. We encourage folks to open a TAC case if you need further investigation.

gfolens · ‎01-25-2012

Unfortunately the Telepresence Hardening Guide does not exist in pdf...

Garvan Long · ‎01-24-2012

This is also possible if you have a SIP trunk to a Call control that has PSTN access. The search rule method suggest to block this is more scalable an allows for registered users to use the gateway of SIP trunk for PSTN access.

I also put a # in GW prefixes as this terminate the dial plan and prevents hairpinning on via the gateway IVR or any other IVR that consults the call control for dialed digits

Baisc CPL ( admin policy) is realtive easy to get around if implemented with source aliases and wil cards

Garvan

Jens Didriksen · ‎01-26-2012

I'm seeing the same thing now, majority ofl numbers dialled are in Libya and a couple in Egypt, - appropriate search rules - and the rest - implemented, so that should hopefully be that.

Edit:

Looks like they've given up on us - was funny watching the scans and seeing them all fail though.

Please rate replies and mark question(s) as "answered" if applicable.