Increasing attacks on VoIP systems mean increased billing charges [Telecom]

Though most of this appears to be happening in Australia, the information from SANS suggests the problem is more widespread and not being reported publicly. A recommended tool, SIPVicious, is mentioned by SANS and available at the URL cited at the end of this posting.

" Australian network companies have told of clients receiving phone bills including $100,000 worth of unauthorised calls placed over compromised VoIP servers. Smaller attacks have netted criminals tens of thousands of dollars worth of calls.
"
" A Perth business was hit with a $120,000 bill after hackers exploited its VoIP server to place some 11,000 calls over 46 hours last year.
"
" VoIP networks are a cash cow for criminals who can earn money from unscrupulous telecommunications carriers profiting from calls placed over victims' networks or to ramp up calls to premium numbers.
"
" The genesis of the practise dates back some two decades when phreakers busted into phone companies to make free calls. VoIP attacks are now an established practice but victims are still easy pickings for criminals.
"
" Local network providers and the SANS Institute have reported recent spikes in Session Initiation Protocol (SIP) scanning - a process to identify poorly configured VoIP systems - and brute-force attacks against publicly-accessible SIP systems, notably on UDP port 5060.
"
" Neural Networks noticed two VoIP attacks that left customers with thousand-dollar phone bills over a Sunday night after weak client passwords were exploited. Calls had originated and terminated in three different countries.
[...]

Also:

" A hacker recently obtained unauthorised access to the IP telephony (VoIP) system of a Perth business, making 11,000 calls costing over $120,000, according to the Western Australian police.
"
" The calls were made over a period of 46 hours, the police said, and the business only became aware of the imposition when it received an invoice from its service provider.
"
" Thieves have always targeted PBX systems by finding numbers used for remote calling - for mobile employees or those requiring international call access outside of business hours - to make calls at the company's expense.
"
" This has in the past been exploited for uses such as routing calls made on cheap international phone cards, according to Pure Hacking senior security consultant Chris Gatford.
[...]

And:

" We observed an increase on UDP connections that use UDP port 5060. This port is typically used for VoIP connections using the SIP protocol. The activity is indicative of attempts to locate weakly-configured IP PBX systems, probably to brute-force SIP passwords. Once the attacker has access to the account, they may use it to make or resell unauthorized calls. The attacker may also use the access to conduct a voice phishing (vishing) campaign.
"
" We observed a similar up-tick a few months ago. At the time, the activity was attributed to SIP brute-forcing that probably originated from systems running in Amazon's EC2 cloud.
"
" As described on the Digium blog, publicly-accessible SIP systems are seeing large numbers of brute-force attacks. Systems with weak SIP credentials will be compromised, similarly to how email accounts can be compromised by guessing the credentials. "The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly."
"
" One way to review your SIP exposure is to use the free SIPVicious toolkit. Interestingly, SIPVicious now includes a tool for crashing unauthorized SIPVicious scans.
[...]
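The brute-forcing described above leaves a very recognisable trace on the PBX itself: a burst of failed REGISTER attempts from one source address, often walking through extension numbers. As an added example (not code from the article, SANS or the Digium blog), the following Python detector parses constructed Asterisk-style registration-failure log lines and flags any source that exceeds a failure threshold inside a sliding time window; the log format, threshold and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Asterisk chan_sip "Registration ... failed"
# notices (not taken from the article); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
[2010-05-30 02:10:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2010-05-30 02:10:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[2010-05-30 02:10:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[2010-05-30 02:10:02] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2010-05-30 02:10:03] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2010-05-30 02:14:40] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.22:5060' - Wrong password
[2010-05-30 03:30:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.22:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\" <sip:[^>]*>' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.*)$"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, attempted_user, reason) for each failed REGISTER line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["user"], m["reason"])

def detect_sip_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: set(users tried)} for every source that produced at least
    `threshold` registration failures within any `window`-long interval."""
    by_src = defaultdict(list)
    for ts, src, user, _reason in parse_failures(text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {u for _, u in events}
                break
    return flagged

if __name__ == "__main__":
    for src, users in detect_sip_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} extensions tried -> candidate for blocking")
```

The second source in the sample fails only twice, 75 minutes apart, and is deliberately left below the threshold: a legitimate phone with a mistyped password looks like that, whereas the scan walks extensions 100-104 in two seconds.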

SIPVicious is available here:

Thad Floryan