[VOIPSEC] Anyone aware of public disclosures of security incidents
J. Oquendo
sil at infiltrated.net
Tue Dec 22 08:23:06 CST 2009
Sjur Eivind Usken wrote:
> http://www.usken.no/2009/09/confirmed-four-ip-pbxes-in-norway-part-of-the-attack/
>
>
Funny you should mention Norway. I've seen a rise in VoIP based "recon"
coming from Norway and Germany within the past year. Recon in the sense
that servers are being assessed at a high rate and it doesn't appear to
be in an automated (script kiddiot) fashion. From my POV, when I've seen
VoIP based intrusions I've seen two things occur: Recon (from one
source) followed by either a brute force barrage, or compromise from
another source seconds/minutes after. I'm inclined to think that
whoever is behind the attacks that I've seen had initially probed with
a "hands on" shell/server/host/etc then come back with their automated
tool. Can't prove it, but I can say that the initial probe machine tends
to be articulate at some points whereas the second connection(s) seem to
be brutally noisy. If I had to guess it right on the nose, the initial
probe is a manual one. These (manual perceptions) in my experience have
come from no more than four places with Norway, Germany, Spain, Denmark
coming in top four. Secondary connections are scattered. I've seen
Brazil, Mexico, etc.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
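
Added example, not part of the original message: one way to flag the pattern described above (a quiet probe from one source, then a noisy burst from a different source seconds or minutes later) in PBX request logs. The event tuple layout, the SIP method names, the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, target_pbx, sip_method).
# Addresses come from documentation ranges (RFC 5737); nothing here is real data.
EVENTS = (
    [(1000, "192.0.2.10", "pbx1", "OPTIONS"),
     (1090, "192.0.2.10", "pbx1", "REGISTER"),
     (1200, "192.0.2.10", "pbx1", "REGISTER")]
    # noisy burst from a different source, 45 s after the last quiet probe
    + [(1245 + i, "198.51.100.7", "pbx1", "REGISTER") for i in range(60)]
    # unrelated noisy source hours later: outside the window, must not match
    + [(20000 + i, "203.0.113.5", "pbx1", "REGISTER") for i in range(60)]
    # noisy source on another PBX with no preceding quiet probe
    + [(1300 + i, "198.51.100.7", "pbx2", "REGISTER") for i in range(60)]
)

def find_handoffs(events, window=300, quiet_max=5, noisy_min=30):
    """Return (target, quiet_src, noisy_src, gap_seconds) tuples.

    quiet_max, noisy_min and window are assumed thresholds to tune locally.
    """
    # per (target, source): [request_count, first_seen, last_seen]
    stats = defaultdict(lambda: [0, None, None])
    for ts, src, target, _method in sorted(events):
        s = stats[(target, src)]
        s[0] += 1
        s[1] = ts if s[1] is None else s[1]
        s[2] = ts
    hits = []
    for (target, quiet), (q_count, _q_first, q_last) in stats.items():
        if q_count > quiet_max:
            continue  # too many requests to count as a low-volume probe
        for (t2, noisy), (n_count, n_first, _n_last) in stats.items():
            if t2 != target or noisy == quiet or n_count < noisy_min:
                continue
            gap = n_first - q_last  # seconds between last probe and burst start
            if 0 <= gap <= window:
                hits.append((target, quiet, noisy, gap))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_handoffs(EVENTS):
        print("quiet probe then noisy burst:", hit)
```

A hit is a lead for review rather than proof that the two sources are related; the quiet source's address is the one worth watching across other hosts.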