Internet service providers are seeing a spike in Voice-over Internet Protocol (VoIP) usage driven by the increased adoption of working from home during the Covid-19 pandemic. This has been reported by many companies in the space including Comcast, which has said that VoIP and video conferencing usage is up 210-285 percent since the start of the pandemic. With this in mind, it’s important to remember that whether VoIP systems are maintained internally or outsourced to a third-party vendor, they remain an extension of organizations’ attack surface that can fall victim to attackers.
VoIP systems are vulnerable to many threats including denial-of-service, metadata theft, traffic interception, and premium number scams. Threat actors can also use an insecure VoIP system as an entry point to compromise more sensitive networks or to divert attention from malicious activity elsewhere. Despite these vulnerabilities, VoIP systems do not typically receive much attention from IT departments. These systems often retain default or shared credentials and they may be overlooked when searching for and fixing vulnerabilities. So even though VoIP infrastructure plays a key role in business operations, the issue for many enterprises remains whether they would notice VoIP malware at all.
Mandiant Threat Intelligence often finds adversaries attempting to gain access to VoIP administrator user accounts through stolen or brute-forced credentials. These credential collection tools are widely accessible, meaning actors without sophisticated development expertise can compromise VoIP infrastructure. Given the breadth of activity facilitated by VoIP compromise, network defenders should consider the following possible outcomes for attackers.
Metadata targeting and voicemail theft
VoIP calling systems generate voice recordings and related metadata that is sought after by espionage- and financially motivated actors. In September 2020, ESET researchers discovered a new and rare piece of Linux malware dubbed “CDRThief” being used in attacks targeting VoIP telephony switches in campaigns designed to steal call metadata. In August 2019, Microsoft reported APT28 attempting to compromise VoIP-based phone systems as well as other Internet of Things devices. Mandiant Threat Intelligence observed threat activity we believe used FINSPY variants capable of capturing VoIP file recording, and in a separate campaign, espionage actors sent a phishing email that included a legitimate voicemail message, possibly stolen from a corporate VoIP service.
Premium number fraud
‘Call pumping’ scams are one of the most common threats to companies from compromised VoIP systems. The Communications Fraud Control Association recently estimated the losses associated with premium number fraud, or International Revenue Share Fraud (IRSF), to be between $4 billion and $6.1 billion. The scheme involves making calls from compromised phone systems to phone numbers that bill callers. The actor registers a premium call number, often overseas to charge higher rates, where they receive a cut of the charges. They then will have compromised phone systems call these premium numbers, running up charges on the victim’s account.
These scams can cost affected companies millions of dollars in illegitimate premium number charges in a short period, making it attractive to cybercrime actors. The malicious actors will often choose premium number services that bill and pay out on a weekly schedule, while most phone companies bill monthly. This way the actor can run up significant charges before the fraud is discovered.
VoIP phone systems are vulnerable to telephony denial-of-service (TDoS) attacks, where a large number of illegitimate calls prevents legitimate calls from going through. VoIP systems are also potentially vulnerable to denial-of-service conditions from additional vectors, including being flooded with “invite” requests, “goodbye,” or “unavailable” messages or similar flooding attacks. This technique is high-volume and hard to miss, which can be advantageous for attackers—these systems can be used as diversionary measures to burden network defenders while other fraud activity is taking place.
A successful man-in-the-middle (MitM) attack that enables call manipulation could be used to facilitate almost any phone-based social engineering activity, including vishing (voice-based phishing) or bypassing phone-based authentication methods. For example, if a malicious actor compromised a bank’s phone system, they could redirect incoming calls from customers to instead connect to attacker-controlled infrastructure and, under the guise of verifying the customer’s identity, compromise their account. A malicious actor could also redirect a call from a financial institution to a customer attempting to confirm a transaction and impersonate the customer to confirm the transaction.
Extortion: The future of VoIP abuse?
The compromise of VoIP infrastructure can provide actors with access to sensitive corporate information and empower them to drive denial-of-service conditions. Actors have historically used this to fuel extortion attacks, as seen with the adoption of public data disclosure websites for victims of ransomware. Even the theft of large volumes of call data may be more susceptible to extortion as automated transcription and processing of audio files could help actors identify sensitive business data quicker.
The biggest step an enterprise can take to mitigate risks for VoIP is to seriously consider VoIP infrastructure as part of the attack surface, regardless of whether it is managed internally or by a third-party. Simply put, VoIP infrastructure is an extension of IT infrastructure, and as such it demands monitoring, maintenance and auditing like any other area. Here are some tips on how to protect VoIP networks:
- Firmware for VoIP phones and infrastructure should be patched regularly, and passwords should be changed from the default.
- Multifactor authentication should be required to access VoIP accounts, especially those with administrative privileges.
- Calls to international or premium numbers can be restricted to defeat call pumping schemes, and elements such as duration, frequency and time placed should be monitored for outliers and patterns of abuse.
- Having VoIP phones run on a separate network can prevent a compromised phone from exposing data sent over the network or providing access to other machines on the network.
- Organizations should have a plan for communication methods in the event VoIP systems are unavailable—either through TDoS activity or other denial-of-service scenarios such as ransomware or destructive malware.
The pandemic has caused more employees to work from home than ever before. This scenario has driven VoIP usage upwards during the pandemic and provided a reminder of how reliant most of us are on global connectivity. Malicious actors can, and will, seize upon this dependency to damage business operations, distract from the incident response work of security teams, and profit from fraud. Organizations cannot afford to leave VoIP infrastructure out of their defensive operations.