Confirmed: At least four IP PBXes in Norway part of the attack
September 21, 2009
Posted by on
The SIP attack yesterday hit several Norwegian IP addresses, where several insecure IP PBXes were located. The attacker managed to several of these ringing the Citibank number. I have confirmed from different sources that minimum four PBXes were abused the last 24 hours. These were Cisco and Asterisk PBXes, but configured insecure. There were no abuse of security holes or similar, only totally insecure configuration.
I will recommend all IP PBX owners and VoIP Service Providers to check if it is tried calling to the Citibank number (+442075005000). The attacker has tried different prefixes in front, so search for the digits “%442075005000”.
Also check my previous blog about how to secure your VoIP equipment.