Mitel exploit - heads up

Associate
Joined
23 Jun 2007
Posts
552
Location
South East
Thought I'd post this up as it may be a useful reminder.

We've recently discovered that someone has dialed into our Mitel system via the voicemail line and then dialed out to premium rate numbers.

We believe they created a personal number from within a user's mailbox. Once they'd created it they'd hang up, redial (e.g. "press 9 to dial my mobile no.") and call the prem rate number.

We've had to block all users from dialing prem rate numbers whilst we investigate. Thankfully I'm not in charge of phones as this has cost us quite a bit!

Strong passwords people.

:o
 
Associate
Joined
22 Feb 2004
Posts
1,250
Location
Middlesex, UK
Had exactly this happen at the company I work for a few years back which resulted in quite a hefty phone bill :eek:
I'm quite surprised they haven't plugged this particular exploit/vulnerability, whatever you want to call it, by now.
 
Associate
OP
Joined
23 Jun 2007
Posts
552
Location
South East
Had exactly this happen at the company I work for a few years back which resulted in quite a hefty phone bill :eek:
I'm quite surprised they haven't plugged this particular exploit/vulnerability, whatever you want to call it, by now.

Yeah it's a bit of a worry.

I feel for any small firms that get stung - a lot of money to lose.
 
Associate
Joined
17 Oct 2002
Posts
730
What controller would this be on? And software version? We run a 3300 Mitel controller with, I believe, the latest software.
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
It's not a software thing, it's people setting bad voicemail PINs and then having them guessed, then you go in, set a forward to premium rate number and then call it repeatedly. If it cost you less than £10k you should count yourself lucky. It really isn't an exploit, just poor config and security...
 
Associate
OP
Joined
23 Jun 2007
Posts
552
Location
South East
What controller would this be on? And software version? We run a 3300 Mitel controller with, I believe, the latest software.

It's a 3300 but I'm not sure on the software version, sorry.

It's not a software thing, it's people setting bad voicemail PINs and then having them guessed, then you go in, set a forward to premium rate number and then call it repeatedly. If it cost you less than £10k you should count yourself lucky. It really isn't an exploit, just poor config and security...

I know what you're saying and I guess it is having poor passwords but imo I'm not sure Mitel should have designed the system assuming a user wouldn't have a password of 1111 etc?

We all know users give little thought to security.

I assume you have some knowledge on this - is the password the only thing that could have saved the attack or should it have been configured in a way to prevent it?
 
Soldato
Joined
12 Jan 2006
Posts
5,610
Location
UK
Using Mitel here, but we run call logging software, so any long or costly calls get emailed to us right away. So at least in our case we would notice right away.
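An added example of the kind of call-logging alert this post describes. It is not the poster's software and does not use Mitel's native SMDR/CDR layout; the CSV format, the voicemail port names (VM01, VM02), the premium-rate prefix, the duration threshold and the office hours are all assumptions, and the sample records are constructed using Ofcom-reserved drama number ranges.

```python
"""Flag suspicious outbound calls in a call-detail-record (CDR) export.

Hypothetical CSV layout (not Mitel's own): timestamp, originating party,
dialled digits, duration in seconds.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from io import StringIO

# Constructed sample data. 0909 879 xxxx, 020 7946 0xxx and 07700 900xxx are
# Ofcom-reserved "drama" ranges, so none of these are real numbers.
SAMPLE_CDR = """\
2013-03-04 09:12:10,2041,02079460000,45
2013-03-04 22:41:02,VM01,09098791234,1820
2013-03-04 22:52:33,VM01,09098791234,1795
2013-03-05 02:14:08,VM01,09098791234,1760
2013-03-05 10:03:15,2042,07700900123,120
"""

PREMIUM_PREFIXES = ("09",)          # UK premium-rate numbers start 09 (assumed scope)
VOICEMAIL_PORTS = {"VM01", "VM02"}  # assumed names for the voicemail ports
MAX_DURATION_S = 900                # alert on anything longer than 15 minutes (assumed)
OFFICE_START, OFFICE_END = time(7, 0), time(20, 0)  # assumed office hours


@dataclass
class Call:
    when: datetime
    origin: str
    dialled: str
    duration_s: int


def parse_cdr(text: str) -> list:
    """Parse the constructed CSV layout into Call records."""
    calls = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        when, origin, dialled, duration = row
        calls.append(Call(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                          origin, dialled, int(duration)))
    return calls


def reasons_for(call: Call) -> list:
    """Return the list of reasons a call deserves a look; empty means it is unremarkable."""
    reasons = []
    if call.dialled.startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate destination")
    if call.origin in VOICEMAIL_PORTS:
        # An outbound call whose originating party is the voicemail system is
        # exactly the "dial in, then dial out" pattern the thread describes.
        reasons.append("outbound call from voicemail port")
    if call.duration_s > MAX_DURATION_S:
        reasons.append("long call")
    if not OFFICE_START <= call.when.time() < OFFICE_END:
        reasons.append("outside office hours")
    return reasons


def flag_calls(calls: list) -> list:
    """Pair each suspicious call with its reasons."""
    flagged = []
    for call in calls:
        reasons = reasons_for(call)
        if reasons:
            flagged.append((call, reasons))
    return flagged


def repeat_targets(calls: list, min_count: int = 3) -> dict:
    """Numbers dialled at least min_count times; fraud tends to hammer one number."""
    counts = Counter(call.dialled for call in calls)
    return {number: n for number, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    # A real deployment would email these lines; here they are just printed.
    records = parse_cdr(SAMPLE_CDR)
    for call, reasons in flag_calls(records):
        print(f"{call.when} {call.origin} -> {call.dialled} ({call.duration_s}s): "
              + ", ".join(reasons))
    for number, n in repeat_targets(records).items():
        print(f"{number} dialled {n} times")
```

Running the block on the constructed export flags the three calls from the voicemail port to the premium number and reports that number as a repeat target; the two ordinary daytime calls are left alone.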
 
Associate
Joined
25 Aug 2011
Posts
184
What software version are you on?

They have beefed up the security on MCD 5.0. Have you changed all the embedded voicemail mailbox passwords? Administrator, manager and technician?

How have you got the COS set up for voicemail? (i.e. public access via dpns disabled? Public network to public network allowed set to no?)

Also try and avoid sending calls straight to RADS in the speed call assignment as if you do not have the COS set right someone can break out.

Make sure you have no one with stupid mailbox passcodes like 1234, 8520 or 0258, as if someone hits voicemail they can just press * and try and log in and break out via personal speed calls. Also set the mailbox to lock out after 3 attempts and even consider 6-digit passcode lengths.

Also in the COR, if you know what premium rate numbers people need to dial, add a rule to block 909 with "digits to follow" set, and then set rules for the premium rate numbers you want to allow with the full number and no digits to follow.


If you need any help let me know; I work for a Mitel reseller installing and maintaining 3300s and 5000s.
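An added example, not the reseller's or Mitel's code, that models two of the checks in the post above: the COR "block 909 with digits to follow, allow specific full numbers with no digits to follow" logic, and a mailbox passcode policy with lock-out after three failed attempts. The rule set, the assumption that the leading 9 is the outside-line access digit, the keypad line table, the six-digit minimum and the sample passcodes are all constructed for the example; the allowed numbers use an Ofcom-reserved drama range.

```python
"""Mailbox hardening checks: COR-style digit rules and a passcode policy.

The rule evaluation mirrors the "digits to follow" semantics described in the
thread; it is an illustration of that logic, not the switch's implementation.
"""
import secrets
from dataclasses import dataclass


@dataclass
class CorRule:
    digits: str
    digits_to_follow: bool   # True: match any number starting with digits; False: exact match
    action: str              # "allow" or "block"


# Constructed rule set: block everything starting 909 (9 assumed to be the
# outside-line access digit, followed by the 09 premium-rate range) and allow
# two specific premium numbers dialled in full. 0909 879 xxxx is a reserved range.
RULES = [
    CorRule("909", True, "block"),
    CorRule("909098790001", False, "allow"),
    CorRule("909098790002", False, "allow"),
]


def cor_decision(dialled: str, rules: list = RULES) -> str:
    """Exact rules (no digits to follow) take precedence over prefix rules."""
    for rule in rules:
        if not rule.digits_to_follow and dialled == rule.digits:
            return rule.action
    for rule in rules:
        if rule.digits_to_follow and dialled.startswith(rule.digits):
            return rule.action
    return "allow"   # nothing matched; other COR rules would apply on a real switch


# Keypad rows and columns: a passcode drawn entirely from one line (8520, 0258,
# 147147) is a walk across the keypad. DIGIT_SEQUENCE catches 1234 / 654321.
KEYPAD_LINES = ["123", "456", "789", "147", "2580", "369"]
DIGIT_SEQUENCE = "0123456789"


def passcode_problems(passcode: str, extension: str = "", min_length: int = 6) -> list:
    """Return the policy failures for a proposed passcode; empty means acceptable."""
    problems = []
    if not passcode.isdigit():
        return ["passcode must be digits only"]
    if len(passcode) < min_length:
        problems.append(f"shorter than {min_length} digits")
    # Repeating unit: 1111, 121212, 123123.
    for unit in range(1, len(passcode) // 2 + 1):
        if len(passcode) % unit == 0 and passcode == passcode[:unit] * (len(passcode) // unit):
            problems.append("repeating pattern")
            break
    if passcode in DIGIT_SEQUENCE or passcode[::-1] in DIGIT_SEQUENCE:
        problems.append("keypad or sequential pattern")
    elif any(set(passcode) <= set(line) for line in KEYPAD_LINES):
        problems.append("keypad or sequential pattern")
    if extension and extension in passcode:
        problems.append("contains the extension number")
    return problems


class MailboxLogin:
    """Lock the mailbox after max_attempts consecutive failed passcode attempts."""

    def __init__(self, passcode: str, max_attempts: int = 3):
        self.passcode = passcode
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def attempt(self, guess: str) -> bool:
        if self.locked:
            return False            # locked mailboxes reject even the right passcode
        if secrets.compare_digest(guess, self.passcode):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    for number in ("909098790001", "909098791234", "902079460000"):
        print(number, cor_decision(number))
    for pin in ("1111", "8520", "0258", "725193"):
        print(pin, passcode_problems(pin, extension="2041") or "ok")
```

The passcode check is the useful half for an administrator: it can be run over an export of mailbox passcodes (or wired into a provisioning script) to find the 1111 / 8520 / 0258 style PINs the post warns about before someone else does, and the lock-out class shows why three attempts is the right order of magnitude: a guesser gets three tries per mailbox, not an unlimited walk through the keypad.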
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
I assume you have some knowledge on this - is the password the only thing that could have saved the attack or should it have been configured in a way to prevent it?

As mentioned, lots of other ways to reduce the risk but anybody with enough of a clue to configure them *should* have enough clue to set PINs which aren't 1234 to start with.

The issue, as with a very large number of security breaches these days (and it'll likely just get worse in the future) is badly configured equipment or bad code. This is, however you put it, caused by people who don't know enough about what they're doing being responsible for exposing systems to the internet and PSTN.
 
Soldato
Joined
4 Dec 2002
Posts
3,941
Location
Bourne, Lincs
We have a Mitel 3300 and did look at this, but since you have to be in a specific tenant group to dial premium rate, it's not really an issue for us, but something we are keeping an eye on.

Kimbie
 
Associate
Joined
21 Apr 2011
Posts
99
Keep in mind it's not just premium rate numbers that you need to be aware of; any number can be an issue.

Also if using carrier pre-select be careful. If the hackers get hold of the carrier pre-select code, they can set a mailbox to use this and then dial out via that.

Sneaky so-and-so's.

We simply disable external voicemail via the PSTN. Unified Inbox largely negates the need for it in many cases.
 