Hello, welcome to the Thursday, August 18, 2020 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm yet again recording from Jacksonville, Florida, which you may be able to tell by the thunderstorm and rain in the background.

These last couple of days, I spent some time looking at SIP traffic to play with

the Real Tech SDK vulnerability. And as part of this sort of overall experiments, I also set up a quick

asterisk server. What surprised me, and I guess should not have surprised me me was how much this increased the voice over

IP scanning traffic that was seen by this server. Now voice of IP or zip traffic is

quite commonly being used to scan random systems. It often makes one of the top 10 ports in our list. But as soon as I set up

this server, the number of hits per IP went up easily by a factor of 100. And this was a very

simple setup. The server didn't really allow any phone calls.

It just sort of was basically just accepting packets and returning permission denied.

There were sort of two kinds of attacks or scans that I noted.

One was where basically someone just tried to call a number via my server. The second one

was where they actually tried to register an extension with this voice or IP server, which then, of

course, would have allowed them to impersonate whatever company runs that particular server.

And the two most called numbers also sort of matched a common

exploit activity that's seen in exposed voice over IP servers. One number was in the Palestine

territories. Quite often in areas like this that are sort of not included in unlimited calling plans and such.

People still worry about the cost of calls.

And of course, that leads to them attempting to use unprotected voice of IP servers.

The second one was a number in Chicago.

This may have been attempt sort of to use it for scam calls.

Of course, using some badly configured voice over IP server makes it easier to hide the true

...