Archives November 2020

Domains For Sale

The following domains are for sale at best offer:

If you would like to put an offer towards one of these domains, feel free to comment here, email us at info@cyburityllc.com or give us a call.

What is a Predictive Dialer?

CyburDial

There are four words that every business owner loves to hear: Save time and money. It’s not only music to their ears, but money in their pockets. That’s why so many business leaders are adding a cloud based predictive dialer to their marketing, sales, and customer management suites.

Increased call agent efficiency, real-time interactions, better customer experience, and improved lead management are just a few of the ways businesses are enjoying the benefits of their outbound dialer.

Make an informed decision about predictive dialing and the future of your enterprise. Keep reading to learn everything you need to know about these types of dialers.

What is a predictive dialer?

A predictive dialer is software that dials a list of phone numbers quickly and accurately and can also return calls to your call center agents. It is designed to accurately predict agent availability, screen out busy signals, answering machines, and disconnected phones, and optimize the outbound call pace to connect sales representatives with leads fast. Think of it as IVR for outbound calling.

Sometimes called an “outbound dialer” or a “hosted dialer,” these systems use machine-learning algorithms to reduce the time your agents spend between conversations, as well as the time your customers wait when no agent is available. In the background, the software analyses answered calls, dropped calls, the number of active agents, and more, filtering out unproductive calls so your agents get more talk time.

While you can purchase physical on-premise hardware to accomplish these tasks, most modern companies use cloud hosted dialers instead, often integrating their software with their overall contact center platforms.

This software is a workhorse for your call center and sales strategy alike.

Why invest in a cloud based predictive dialer?

With so many business solutions being tossed at you daily, it can be hard to navigate and understand what will actually benefit your bottom line and provide a decent ROI. We think a dialer of this type can be a smart choice for any business currently using or considering adding a call center. 

1. You’re busy.

Managing your sales team, maximizing profits, delighting customers. Your plate is full. Unless you have a bunch of time to waste on hacking systems to maximize your call center agent’s task lists, you’re going to spend a lot of unnecessary energy training your staff to do mediocre rather than great work.

2. You want your sales team to be more efficient.

By automating the process of calling customers, your agents are no longer wasting their time dialing numbers. This increased efficiency means more output from your agents per hour, exponentially improving agents’ productivity by reducing their idle time and accelerating sales (your agents will spend more time connecting with potential customers than re-dialing dropped calls).

3. You want to manage your leads in a smart way.

You can integrate a cloud predictive dialer across different platforms such as phone, email, chat, mobile, social and more. This gives you better, smarter lead management. An outbound dialer can be core to unifying your messaging and communications across multiple channels.

4. You strive to provide exemplary customer service.

Cloud based dialers boast specific features that allow you to contact your leads at times that are convenient to them. Perhaps in the morning at home, over the weekend via an SMS / text message, or during the day at their office number. Or maybe, they just want to leave you a voicemail.

Stronger customer service = better brand affinity = more prospects for long term sales. You can turn your contact center into something powerful that delights your customers rather than annoys.

5. You want to reduce operational costs.

Who doesn’t?

With the help of a cloud based predictive dialer, you can reduce the number of agents on staff and call lines without sacrificing any results. 

One more time for the folks in the back: these types of dialers make it possible for your call center to make more live calls than ever with less staff to make it happen.

Progressive vs. Predictive vs. Auto dialer

Progressive, predictive, and auto dialers initiate outbound calls from a contact list automatically and sequentially while also transferring calls to live agents.

These types of dialers don’t wait for the agent to let the system know that they’re ready for the next call. Instead, they optimize their dialing modes to minimize the gap between your agent hanging up with one lead and connecting with the next.

Let’s say that the software has deduced that most phone calls last an average of 60 seconds. Moreover, it takes roughly 10 seconds for the system to dial a new telephone number and hear “Hello” from the person on the other end. In a predictive dialing system, the software will initiate the next call at the ~50-second mark. Once the agent hangs up with lead 1, they’ll be prepped and ready to greet lead 2, sparing no idle second in between – which means you get real-time communication.

Progressive dialers, on the other hand, initiate outbound calls for each available agent. To meet the demand for increased outbound calls, they’ll need to deploy additional agents. Similarly, an auto dialer distributes connected calls among available reps, whereas a predictive dialer dials multiple contacts simultaneously to increase the odds of establishing a connection. For example, if the software has learned that an average of 1 out of every 4 calls picks up, it might dial four numbers at once.
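The pacing arithmetic behind the two paragraphs above, as an added example that is not CyburDial's or any vendor's dialer code. It turns the figures in the text (60-second calls, 10-second dial latency, one answer in four) into a reproducible calculation: when to start the next dial, how many lines to open per agent, and the probability that more than one dialled party answers at once, which is the over-dial risk a progressive dialer avoids by dialling one number per free agent. The call records are constructed sample data.

```python
"""Predictive-dialer pacing arithmetic (added example, not vendor code)."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class CallStats:
    avg_talk_s: float       # mean length of an answered conversation
    dial_latency_s: float   # seconds from dialling until "Hello" is heard
    answer_rate: float      # fraction of dialled numbers that are answered


# Constructed sample: (talk seconds, dial latency seconds, answered?).
# Two answered calls out of eight give the text's 1-in-4 pick-up rate.
SAMPLE_RECORDS = [
    (50.0, 8.0, True),
    (70.0, 12.0, True),
] + [(0.0, 0.0, False)] * 6


def learn_stats(records):
    """Derive CallStats from call records; a real dialer uses a rolling window."""
    answered = [r for r in records if r[2]]
    if not answered:
        raise ValueError("no answered calls to learn from")
    avg_talk = sum(r[0] for r in answered) / len(answered)
    avg_latency = sum(r[1] for r in answered) / len(answered)
    return CallStats(avg_talk, avg_latency, len(answered) / len(records))


def next_dial_offset(stats):
    """Seconds into the current conversation at which the next dial starts,
    so the new call is answered just as the agent hangs up."""
    return max(0.0, stats.avg_talk_s - stats.dial_latency_s)


def lines_per_agent(stats):
    """Numbers to dial at once so that, on average, one call is answered."""
    return ceil(1.0 / stats.answer_rate)


def over_dial_probability(stats, lines=None):
    """Probability that more than one of the dialled numbers is answered,
    i.e. a live person is connected with no agent free (binomial tail)."""
    n = lines or lines_per_agent(stats)
    p = stats.answer_rate
    p_none = (1 - p) ** n
    p_one = n * p * (1 - p) ** (n - 1)
    return 1.0 - p_none - p_one


if __name__ == "__main__":
    s = learn_stats(SAMPLE_RECORDS)
    print(f"dial next number at {next_dial_offset(s):.0f}s into the call")
    print(f"open {lines_per_agent(s)} lines per agent")
    print(f"over-dial risk per batch: {over_dial_probability(s):.1%}")
```

With the text's numbers the plan is "dial at 50 seconds, four lines per agent", but the same input gives roughly a 26% chance per batch that two or more people answer, which is the dropped-call cost of predictive over progressive dialling and the figure a call center should watch when tuning the dialer.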

» Here’s our complete guide on Power Dialers, Predictive Dialers, and Progressive Dialers.

Predictive Dialer Pricing

Through our rigorous research and testing, we have found that the typical dialer cost ranges from $100 per user per month and up. Most software systems will build custom quotes for you, your business, and your business goals, so don’t be surprised when the specifics around dialer pricing are hard to come by. 

A customized price is an industry norm, but you can find tiered pricing options available at hosted dialers like Genesys, ChaseData, and dialerAI. A cheap dialer of this type can be uncovered with a little digging and comparing price plans.

CRM Integrations

You might think it is important to find a predictive dialer with a CRM, which can be a smart tactic to further arm your call agents with the right information they need to close a big sale. Luckily for you, most of these software systems can integrate seamlessly with popular CRMs like Salesforce.

The combination of a CRM + dialer means you’ll be able to quickly organize lead data, sales info, customer history, show the caller ID and create a superior customer engagement environment for them along the way.

Country-Specific regulations

Adhering to legal compliance can be a huge barrier to self-manage without the help of a cloud based predictive dialer. Just like call recording, there are specific legislations for automatic dialing as well.

In 1991, the Telephone Consumer Protection Act was passed, which prohibits the use of an automatic telephone dialing system to contact a telephone number without express prior consent, to hinder practices like telemarketing. This has continued to evolve into the National Do Not Call registry, also known as the DNC registry. You don’t want to dial numbers on this list—or those of parties who haven’t given you permission (dialing “accidents” aren’t an effective legal defense). With the right tool, you can easily adhere to these regulations without fear of penalties.

Here are a few country-specific call center dialer regulations to be aware of:

CyburDial is a 100% Cloud Based Predictive Dialer

  • Robust feature sets
  • Network reliability
  • Great customer support and service

INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization

Check out this read on how Asterisk servers are being compromised and exploited for monetization.

November 5, 2020

Research by: Ido Solomon, Ori Hamama and Omer Ventura, Network Research

Intro

Recently, Check Point Research encountered a series of worldwide attacks relevant to VoIP, specifically to Session Initiation Protocol (SIP) servers. Based on information provided by our global sensors, there appears to be a systematic exploitation pattern of SIP servers from different manufacturers. Further exploration revealed that this is part of a large, profitable business model run by hackers.

Hacking SIP servers and gaining control allows hackers to abuse them in several ways. One of the more complex and interesting ways is abusing the servers to make outgoing phone calls, which are also used to generate profits. Making calls is a legitimate feature, therefore it’s hard to detect when a server has been exploited.

During our research, we discovered a new campaign targeting Sangoma PBX (an open-source web GUI that manages Asterisk).  Asterisk is the world’s most popular VoIP PBX system, and it is used by many Fortune 500 companies for telecommunications. The attack exploits CVE-2019-19006, a critical vulnerability in Sangoma, granting the attacker admin access to the system.

During the first half of 2020, we observed numerous attack attempts on sensors worldwide. We exposed the attacker’s entire attack flow, from the initial exploitation of CVE-2019-19006 to uploading encoded PHP files that leverage the compromised system.

In this article, we first examine the infection vector used by the attacker, as well as the vulnerability exploited. We then investigate the threat actors behind the specific campaign. Lastly, we explain their modus operandi.

Figure 1: Inj3ct0r’s attack flow.

Infection Vector

As mentioned in the Introduction, the campaign starts with scanning, continues with exploiting the vulnerability, and proceeds all the way to web shell installation. Gaining access to the systems allows the hackers to abuse the servers for their own purposes. CVE-2019-19006 is an Authentication Bypass vulnerability published in November 2019. Check Point Research was able to deduce the vulnerability by examining both the captured attack traffic and Sangoma’s GitHub repository for FreePBX Framework.

Figure 2: Relevant commits in the FreePBX GitHub repository.

In vulnerable versions of Sangoma FreePBX, the authentication function works by first setting a session for the supplied username, and then removing the session setting if the supplied password does not match the one stored in the database. Additionally, FreePBX does not perform input sanity checks on the password parameter during the login process. By sending the password query parameter as an array element, attackers can cause the authentication function to fail before the session is unset, thereby retaining a legitimate session for the chosen username, admin included.

Figure 3: CVE-2019-19006 Proof of Concept.

Issuing the above request to a vulnerable FreePBX server allows the attackers to log in as the admin user. The value of ‘password’ does not matter, as the vulnerability depends on sending the parameter as an array element, ‘password[0]’.
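The ordering bug the two paragraphs above describe, modelled in Python as an added example. This is not FreePBX code: it is a simplified stand-in that reproduces the session-first ordering (user written into the session before verification, removed only on a mismatch) together with PHP-style parsing of a `password[0]` query key, and places a hardened login beside it. The `hash_pw` helper raising `TypeError` on a non-string stands in for a string function being handed an array; the user table and request strings are constructed.

```python
"""Session-ordering login bug vs. verify-first login (added example, not FreePBX code)."""
import hashlib
import hmac
from urllib.parse import parse_qsl


def php_style_params(query):
    """Group bracketed keys the way PHP does: 'password[0]=x' -> {'password': ['x']}."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            params.setdefault(key[: key.index("[")], []).append(value)
        else:
            params[key] = value
    return params


def hash_pw(password):
    """Hash a password; a non-string raises, like a string function given an array."""
    if not isinstance(password, str):
        raise TypeError("password must be a string")
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table: username -> password hash.
USERS = {"admin": hash_pw("correct horse")}


def vulnerable_login(session, params, users):
    """Session-first ordering: the user is stored before the password is
    verified and removed only when verification explicitly says no."""
    username = params.get("username")
    session["user"] = username
    if hash_pw(params.get("password")) != users.get(username):
        session.pop("user", None)  # never reached if hash_pw raised


def hardened_login(session, params, users):
    """Verify first, reject non-string input, set the session only on success."""
    username, password = params.get("username"), params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return
    expected = users.get(username)
    if expected is not None and hmac.compare_digest(hash_pw(password), expected):
        session["user"] = username


def handle_request(login_fn, query, users=USERS):
    """Run one login request. A TypeError aborts the handler part-way, as an
    uncaught error ends a request; return whatever user the session then holds."""
    session = {}
    try:
        login_fn(session, php_style_params(query), users)
    except TypeError:
        pass
    return session.get("user")


if __name__ == "__main__":
    req = "username=admin&password[0]=anything"
    print("vulnerable:", handle_request(vulnerable_login, req))  # admin
    print("hardened:  ", handle_request(hardened_login, req))    # None
```

The fix is not only type checking: a login routine should never hold authenticated state before the credential check has returned true, so that any error path (a type error, an exception from the database layer, a timeout) leaves the request unauthenticated by default.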

Attack Flows

The attack begins with SIPVicious, a popular tool suite for auditing SIP-based VoIP systems. The attacker uses the svmap module to scan the internet for SIP systems running vulnerable FreePBX versions. Once found, the attacker exploits CVE-2019-19006, gaining admin access to the system.

Figure 4: The attacker exploits CVE-2019-19006.

After bypassing the authentication step, the attacker uses the asterisk-cli module to execute a command on the compromised system and uploads a basic PHP web shell encoded in base64.

Figure 5: The attacker uploads the initial web shell. The Referer header points to a previous web shell version that does not exist on the server

Figure 6: The attacker’s initial web shell.
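A log-triage routine for the steps just described, as an added example that is not Check Point's tooling. It scans web-server access-log lines for three things the post gives a defender to look for: a credential parameter sent in array form (`password[0]`), requests from hosts in the IOC list at the end of the post, and hits on the web-panel paths the attackers create (`/admin/views/config.php` and the `/config` alias). The log format assumed is the common "combined" format, the `/admin/config.php` login path in the sample lines is an assumption, and the log lines themselves are constructed.

```python
"""Access-log triage for the FreePBX exploitation pattern (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts from the post's IOC list, with the de-fanging brackets removed.
IOC_HOSTS = {
    "5.133.27.47", "37.61.220.243", "40.85.249.243", "45.143.220.115",
    "45.143.220.116", "46.161.55.107", "62.112.8.162", "77.247.110.91",
    "80.68.56.82", "84.111.36.159", "92.42.107.139", "134.119.213.127",
    "134.119.213.195", "134.119.214.141", "134.119.218.49", "151.106.13.150",
    "151.106.13.154", "151.106.13.158", "151.106.17.146", "156.95.156.75",
    "156.96.59.63", "185.53.88.198", "185.132.248.54", "212.83.189.43",
}

# Paths the post says the attackers drop or expose via .htaccess.
WEB_PANEL_PATHS = {"/admin/views/config.php", "/config"}

# "combined" log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
ARRAY_CRED_RE = re.compile(r"^(password|username)\[")

# Constructed sample log; the login path is an assumption, not from the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Nov/2020:10:00:01 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Nov/2020:10:00:02 +0000] "GET /admin/config.php?username=admin&password%5B0%5D=x HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '45.143.220.116 - - [05/Nov/2020:10:00:03 +0000] "POST /config HTTP/1.1" 200 88 "-" "curl/7.64.1"',
    '45.143.220.115 - - [05/Nov/2020:10:00:04 +0000] "GET / HTTP/1.1" 403 0 "-" "curl/7.64.1"',
]


def analyse_line(line):
    """Return (source_ip, rule_name) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, target = m["ip"], m["target"]
    parts = urlsplit(target)
    findings = []
    if ip in IOC_HOSTS:
        findings.append("ioc-source")
    # parse_qsl percent-decodes keys, so password%5B0%5D becomes password[0].
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if ARRAY_CRED_RE.match(key):
            findings.append("array-credential-param")
            break
    if parts.path in WEB_PANEL_PATHS:
        findings.append("webpanel-path")
    return [(ip, name) for name in findings]


def triage(lines):
    """Run every rule over a log and return all findings in log order."""
    return [f for line in lines for f in analyse_line(line)]


if __name__ == "__main__":
    for ip, rule in triage(SAMPLE_LOG):
        print(f"{ip:16} {rule}")
```

Only query-string parameters are visible in an access log; a login sent as a POST body needs request-body logging or a WAF rule for the same `password[` pattern. The IOC match is the weakest rule (addresses change), while the array-form credential parameter has no legitimate reason to appear against a FreePBX login and is the one worth alerting on.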

At this point, the attack diverges into two separate flows.

First Flow

Figure 7: The first attack flow.

In the first flow, the initial web shell is used to retrieve the contents of Asterisk management files /etc/amportal.conf and /etc/asterisk/sip_additional.conf. These contain the credentials to the FreePBX system’s database and passwords for the various SIP extensions. This effectively gives the attackers access to the entire system and the ability to make calls out of every extension. Using the compromised Asterisk system, they then iterate over various prefixes for outgoing calls and try to call a specific phone number, possibly one of their own, in order to see which prefix they can use.

Figure 8: The attacker’s call routine

Next, the attackers use the web shell to download a base64-encoded PHP file from Pastebin. This file is padded with garbage comments that, when decoded, result in a password-protected web shell, which is also capable of retrieving the credentials to the Asterisk Internal Database and REST Interface. The attackers also attempt to remove any previous versions of their files.

Figure 9: Password protection in the web shell.

Second Flow

Figure 10: The second attack flow.

The second flow also uses the initial web shell to download a base64-encoded PHP file. Decoding this file results in another web shell that is not only password-protected, but also employs access-control in the form of source IP validation and returns a fake HTTP 403 Forbidden message to unauthorized users.

The attackers then use the new web shell to perform the following actions:

  1. Download and save a PHP file as ‘/tmp/k’ which in turn drops ‘/var/www/html/admin/views/config.php’ to the disk. This is another base64-encoded PHP file, again padded with subordinate comments. When decoded, it is a password-protected web panel. This panel lets the attackers place calls using the compromised system with both FreePBX and Elastix support, as well as run arbitrary and hard-coded commands.

     Figure 12: The attacker’s web panel.

     The file also appends data to ‘/var/www/html/admin/views/.htaccess’ which allows access to config.php from other URIs, e.g. ‘<server-url>/config’ instead of ‘<server-url>/admin/views/config.php’.

     Figure 13: Data appended to .htaccess.
  2. Update FreePBX Framework, possibly to patch CVE-2019-19006.
  3. Download a shell script from ‘https://45[.]143.220.116/emo1.sh’.
     The URL returns an HTTP 404 Not Found error, and so its purpose is currently unknown.
  4. Create a new directory at ‘/var/www/html/freeppx’ and move all files used in the attacks there.

Threat Actor

Our global sensors helped us obtain unique strings during the exploitation of CVE-2019-19006. When we searched for some of these strings, such as “rr.php” and “yokyok” (first seen in Figures 5 and 6), we found a script posted online to Pastebin.

Figure 14: The first lines of the script uploaded by the user INJ3CTOR3. The exploit payload and the initial web shell match the attacks detected by our sensors.

The script contains the initial web shell upload and exploits the same vulnerability. Its uploader, “INJ3CTOR3”, has uploaded additional files in the past, including authentication logs and a brute-force script. In addition, we found this name appears in an old SIP Remote Code Execution vulnerability (CVE-2014-7235) in the public sources.

Perhaps purposely, the threat actor left a “calling card” using the name “inje3t0r3-seraj”, which appears to be a variation of the Pastebin script uploader’s name. The string was set as the value of the password parameter in the malicious request sent to the Asterisk servers. As mentioned above, the value of ‘password’ does not matter.

Figure 15: “Inj3ct0r3-Seraj” sent as part of the exploitation of CVE-2019-19006.

Through further investigation, the names eventually led to multiple private Facebook groups that deal with VoIP, and more specifically, SIP server exploitation. The “voip__sip__inje3t0r3_seraj” group is the most active one, sharing admins with different relevant groups, including an admin named “injctor-seraj-rean”.

Figure 16: Many admins are active in multiple groups.

The group shares a number of tools related to SIP server exploitation: scanners, authentication bypass, and remote code execution scripts. Among these scripts, we found a variant of the brute-force script seen in the Pastebin of INJ3CTOR3.

The group’s main purpose is to sell phone numbers, calls plans, and live access to VoIP services compromised as part of the Inj3ct0r attacks.

The Wide Phenomenon

Examining the content, users and different posts published in the previously mentioned Facebook groups expanded our research. The different leads collected in the social networks led us to the conclusion that SIP attacks are quite common, particularly in the Middle East. Closely examining the profiles of the admins, active users, and carriers seen in the different groups, we found that most of them were from Gaza, the West Bank and Egypt.

We found several relevant players in the field who have published sales posts, tools and websites. Gathering more information about the groups they manage and relevant rooms and channels they own led us to additional discoveries.

The initial findings were tutorials for how to scan, gather information on relative servers, and use exploitation scripts. The instructions simplify the process to a level where anyone can do it. Perhaps as a result, there seems to be a large and growing community involved in hacking VoIP services.

Although this can explain the infection chain, there is still a question about motivation. A further analysis led not only to the surprise that the attacks on SIP servers occur on a larger scale than initially thought, but also that there is a profound underlying economic model:

Figure 17: The modus operandi of the SIP hackers.

The flow chain above explains the operation model in generalized terms. However, this does not mean that all the attackers use the same tools and vulnerabilities. For instance, not all stages must be performed for an attacker to gain control of a compromised SIP server.

Relevant IP Ranges

The very beginning of the process is when a hacker creates a list of relevant IPs per country that are currently “up.” This not only narrows the scope of the scans performed in a later stage, but also helps hone in on the different countries in which the hacker is interested.

Figure 18: Hackers generate lists of relevant IPs per country.

This step can usually be omitted by using smarter scanning techniques or knowledge sharing between different groups.

Scans and targets list

After the initial lists are created, the scanning stage begins. Various relevant scanners are available for this task, with the most common one being “SIPvicious.” The hackers obtain information relevant to the scanned devices, such as versions, that will be used in later stages. During further analysis of the different conversations, we observed the exchange of such IPs lists and scanning scripts in different forums that discuss SIP hacking.

Attempting to compromise SIP servers and gaining control

Based on information gathered in previous stages, hackers try to exploit relevant vulnerabilities to gain control of the servers. If information is missing, or bypassing the system’s protections fails, the hackers may resort to brute force.

Additional vulnerabilities relevant to VoIP, besides the one used in the INJ3CTOR3 campaign (CVE-2019-19006), were found referenced in different conversations. Moreover, members share knowledge of usernames and passwords lists, with relevant tools for hacking the systems.

If hackers successfully gain control of the system – by exploiting vulnerabilities, brute forcing the way in or using given information – the next goal is gaining persistence on the system. This can be achieved by uploading web shells to continue communicating with the system. In the INJ3CTOR3 campaign, we saw a few web shells used in several different steps, for different functionalities.

Using the servers for profit

Finally, after gaining a foothold on the exploited servers, the attacker can then make calls to any desired numbers. A possible common usage is using the exploited servers to make calls to International Premium Rate Numbers (IPRN).

When an IPRN is called, the caller is paying the owner of the IPRN per minute, the amount of which depends on the caller’s origin country. There are companies that provide a range of IPRN numbers in different plans.

Figure 21: An example of the rates table taken from a demo service. This includes the prices, the relevant country and relevant test numbers.

With enough traffic, this model can provide sufficient profit to cover the IPRN costs. For that reason, IPRN services are often used in businesses that put callers on hold, or have many clients (i.e. premium content calls). The longer the clients stay on the line, the more money the company owning the IPRN receives.

Figure 22: A premium number demo-dashboard. Statistics, earnings and information per each of the numbers are seen in the interface.

For these reasons, hackers seem to be focused on IPRN programs. Using IPRN programs not only allows the hacker to make calls but also abuse the SIP servers to generate profits. The more servers exploited, the more calls to the IPRN can be made.

In other words, hackers are considered to be a relevant market to buy IPRN plans. Thus, many posts on IPRN sales can be seen on these forums and pages. We encountered many such posts by several different IPRN providers:

Figure 23: Two of many posts that sell IPRN in different

Attack Impact

As mentioned previously, the attackers’ end goal is to sell outgoing calls from the compromised systems, as well as access to the systems themselves.

Unrestricted access to a company’s telephone system can allow the attackers and their customers to make calls using the compromised company’s resources and eavesdrop on legitimate calls. They can also use the compromised systems for further attacks, such as using the system resources for cryptomining, spreading laterally across the company network, or launching attacks on outside targets while masquerading as the compromised company.

Conclusion

The campaign at hand utilizes an easily exploitable vulnerability to compromise Asterisk SIP servers around the world. In-depth details regarding the vulnerability were never publicly released, yet the threat actors behind the attack managed to weaponize and abuse it for their own gain. As our research shows, the threat actors, who are located in the Palestinian Gaza Strip, share and sell their scripts. This is a phenomenon of an established operation that sets the attacks, finds the targets, and initiates the traffic to premium rate service numbers in order to inflate traffic and gain revenue. It’s not too far-fetched to assume that different attackers might use those scripts to launch their own attacks against Asterisk servers in the future.

This attack on Asterisk servers is also unusual in that the threat actors’ goal is not only to sell access to compromised systems, but also use the systems’ infrastructure to generate profits.  The concept of IPRN allows a direct link between making phone calls and making money. This means that further attacks can be launched from these systems.

Protections

Check Point customers are protected by these IPS protections:

  • SIPVicious Security Scanner
  • Sangoma FreePBX Authentication Bypass (CVE-2019-19006)
  • Command Injection Over HTTP
  • Command Injection Over HTTP Payload

IOCs

Files:

  • ecc5a8b0192995673bb2c471074a3326bbeba431e189654c90afaddf570fb514
  • 8068cf1011f8668f741e2ec61676fa9ce6a23e62ee5b3bdf014540cff06b1ebe
  • d8ab22ceab199512aaada36af245d6621208d887ae0b6510fa198d6075777043
  • c3b805ffe6c988db4c8843625ab2f40cb5196935e727db658b68408b7965de59
  • 7c6cf2e4badbc3d4d29f4e6ed118a77d5f6e0f819244ad25b760329f25f20dd1
  • f1060a686155fbbe7274073c557c24648cdf30a3f3ef2cbb184ccfc41d99fd3b

Hosts:

  • 5[.]133.27.47
  • 37[.]61.220.243
  • 40[.]85.249.243
  • 45[.]143.220.115
  • 45[.]143.220.116
  • 46[.]161.55.107
  • 62[.]112.8.162
  • 77[.]247.110.91
  • 80[.]68.56.82
  • 84[.]111.36.159
  • 92[.]42.107.139
  • 134[.]119.213.127
  • 134[.]119.213.195
  • 134[.]119.214.141
  • 134[.]119.218.49
  • 151[.]106.13.150
  • 151[.]106.13.154
  • 151[.]106.13.158
  • 151[.]106.17.146
  • 156[.]95.156.75
  • 156[.]96.59.63
  • 185[.]53.88.198
  • 185[.]132.248.54
  • 212[.]83.189.43

References

https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/?fbclid=IwAR3vkTNOF1lu87Jyd7TGKFrCEFiB7yKzIrBnHvax4wtV-pGVBaReQpHU0AI