H323 Gateway hacked

mannycho
Level 1

Hello,

Recently had an H323 gateway hacked and fraudulent calls were made out of the gateway. The gateway has a T1 PRI to the telco and its LAN IP is private, protected by a firewall. I am assuming the criminals were able to call the company DID number, enter some key codes, obtain a secondary dial tone and start making calls. Below is my inbound dial peer:

dial-peer voice 1 pots
description *** Match Any Inbound Number via T1 PRI ***
incoming called-number .
direct-inward-dial

How can I protect my voice gateway from being hacked? Also, the company DID hits the Unity auto attendant, so I guess the criminals are able to enter key codes at the Unity auto attendant that give them a secondary dial tone.


I would not say that your gateway has been hacked per se. It's more that the ill-willing individual(s) have exploited gaps in the configuration at hand. The most common cause of these types of exploits is that the inbound calling search space used on the gateway and/or on the connection from CUC includes partition(s) that give access to make external calls. In general there is no need to grant this to the gateway or to the CUC system, as calls coming from the calling (external) party would for the most part be directed to an internal extension. For the CUC part it would also be advisable to look into the restriction table to verify that there are no unnecessary patterns allowed. The general advice would be to allow only the needed patterns, limiting what can be called to the bare minimum.



Hacking is the gaining of unauthorized access to data in a system or computer. The key there is "unauthorized", whether it was not properly securing the system or securing it as best as you can and the ill-willing individual still found a way to get in. In any case, let me inform this forum how they got in. It was not by calling the auto attendant; they came in from the Expressway Edge using a bogus SIP source like 56124@mydomain.com with the SIP destination as an international number. It was like robo-calls. A bunch of them got rejected by our CUBE with 403 Forbidden and 404 Not Found, but some calls went through. The fix was to configure a call policy on the Expressway Edge to reject all calls from the Default zone (internet) and allow calls from specific domains like cisco.com.

I can still see them trying to make fraudulent calls, but they are all now forbidden and I am not even seeing the call history on the Expressway Core, which is a good thing. Cisco TAC helped me identify the issue; hopefully this helps someone else. Until the next time we get another HACK.

Sounds like your Expressway has access to partition(s) that give access to external call routing. I would advise you to change this. As calls that come in through your Expressway should be targeted to your own "internal" numbers, it should not need to have access to any partition(s) that are used for external call routing purposes. You are advised to check the CSS used as the incoming calling search space on the SIP trunk for your Expressway and make sure it only has the necessary partition(s) to route calls to directory numbers that you host in your CM system(s).




CUC has a restriction table. If you don't configure this properly, callers can reach your AA and dial international numbers. If someone makes use of the CUC AA to dial international, I cannot call this hacked; the engineer who configured it kept the door open for someone to use this.


You can modify the inbound dial peer to use a more specific match instead of ".":

dial-peer voice 1 pots
description *** Match Any Inbound Number via T1 PRI ***
incoming called-number 24559...
direct-inward-dial

(24559... matches my 8-digit DIDs that start with 24559)

 

You must configure the IP address trusted list.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/manual/cmeadm/cmetoll.html

Cisco announced support for the H323 protocol; you must think of moving to SIP.




Jonathan Schulenberg
Hall of Fame

Assuming this is an older gateway since you’re using H.323, it’s also possible that another device on your internal network has malware installed that port-scanned the network, noticed the router was listening on the well-known port, and started sending malicious calls to it. I have seen this happen.

In current versions the ip trusted-list feature is an easy way to mitigate this risk (unless some fool turned it off or permitted more than CUCM’s IP addresses). In older routers, before IOS 15.1(2)T IIRC, you would need an ACL to drop H.323 traffic from everything except CUCM.

Another gateway-focused resource:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/manual/cmeadm/cmetoll.html
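Putting the gateway-side suggestions from this thread together (the narrowed inbound POTS dial-peer from the earlier reply, the ip address trusted list, and the ACL alternative for IOS releases before 15.1(2)T that Jonathan describes), here is an added configuration example. It is not from the thread, from any poster, or from the Cisco documents linked above. It assumes a constructed CUCM address of 10.10.10.5, a LAN interface named GigabitEthernet0/0, and the 24559xxx DID range mentioned earlier; substitute your own values.

```cisco
! Added example, not from the thread. Assumed values:
!   10.10.10.5            = CUCM signaling address (constructed)
!   GigabitEthernet0/0    = LAN-facing interface of the gateway (assumed)
!   24559...              = the 8-digit DID range from the earlier reply

! 1. Only accept the company's own DID range from the PRI. A wildcard
!    "." matches any called number, including digit strings that can be
!    steered at an auto attendant; the narrower pattern rejects the rest.
dial-peer voice 1 pots
 description *** Inbound DIDs 24559xxx via T1 PRI ***
 incoming called-number 24559...
 direct-inward-dial

! 2. IOS 15.1(2)T and later: toll-fraud prevention. Only the listed
!    addresses may set up VoIP (H.323 or SIP) calls to this gateway;
!    setups from any other source are rejected with the given cause and
!    are logged through the voice IEC syslog facility.
voice service voip
 ip address trusted list
  ipv4 10.10.10.5 255.255.255.255
 ip address trusted authenticate
 ip address trusted call-block cause call-reject
!
voice iec syslog

! 3. Older IOS without the trusted list: an interface ACL that drops
!    H.225 call signaling (TCP 1720) unless it comes from CUCM. The
!    "log" keyword records rejected attempts; H.245 media-control
!    sessions use dynamic ports and are left alone by the final permit.
!    If a gatekeeper is in use, RAS (UDP 1719) needs the same treatment.
ip access-list extended H323-INBOUND
 permit tcp host 10.10.10.5 any eq 1720
 deny   tcp any any eq 1720 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group H323-INBOUND in

! Verification after applying:
!   show ip address trusted list      - confirms the trusted entries
!   show access-lists H323-INBOUND    - deny counter rises on blocked setups
```

The trusted list and the ACL do the same job at different layers; on a release that has the trusted list, keep it on and apply the ACL only if you also want the rejections counted and logged at the interface. Neither replaces the CUCM and CUC side of the fix raised in the first reply (an inbound calling search space with no external-routing partitions, and a restriction table that permits only the bare minimum), since a call that CUCM legitimately routes to the gateway is trusted by both mechanisms.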