How to – Set proper Answering Machine Detection settings for Vicibox9/10

Working settings for AMD on Vicibox v9, 10 or 11 or any scratch install

Many people seem to dislike the AMD settings in Vicibox9, but the problem is that they are used to the simpler format of earlier versions, which lacked the functionality of the newer SVN versions. Below are the settings that I use, which seem to work.

Campaign Detail Settings

Change WaitForSilence to 2000,2,30, set AMD Agent Route to Enabled, and set AMD Type to AMD.

Settings Container

Go to Admin > Settings Container.

Click on the AMD_AGENT_OPT_Campaign you want to change

Add the lines to your container as shown

Hopefully this helps a lot of you that have been experiencing this problem.

How to – Use Vicidial API’s

This is going to be an ongoing project to explore each API function and how to use it over a period of time. First I will start with the basics. Let’s create an API user.

Added: 12-29-20

Creating an API User

Login to the Administration Page, click Users > Add A New User

Fill in the fields as shown above with your own information (user number).

Hit Submit

Scroll down to the bottom of that user and change the API settings according to your needs

I use List restrict, but you don’t have to.

After you hit submit here, you have now created the API user for whichever API process you are going to be using.


Non Agent API Functions & examples

Added: 12-29-20

Function: add_lead

Requirements: user level: 8 / Modify Leads = 1

Required Settings: phone_number, phone_code, list_id, source

Objective: Live Leads

Below is an example of what link to send your lead to

https://yourdomain.com/vicidial/non_agent_api.php?user=apiuserid&pass=apipass&source=SourceName&list_id=33333&function=add_lead&first_name=john&last_name=legend&phone_number=3057777777

This can then be used for a form to supply live leads. Below is an example I have created in WordPress.

This is entered in a plugin called XYZ PHP Code.

Then the code below goes on a regular WordPress page.

And then the end result looks like this:

This is just a simple form to submit data into vicidial and have them instantly added into the queue to be dialed if you have that list active and agents ready to take the call. If you have any questions about this, hit me up on Skype: live:carpenox_3



Added: 01-08-21

Function: call_dispo_report

Requirements: user level = 9 / View Reports = 1

Required Fields(At least 1): campaigns, ingroups, or dids

Options settings: http://www.vicidial.org/docs/NON-AGENT_API.txt

Objective: Give reports for live transfers to show sales and transfers from a date range

This function is easy to implement. It is used to give a company that is paid for live transfers access to a report with live stat updates, instead of having to run a report through Vicidial.

https://cyburityllc.com/vicidial/non_agent_api.php?source=LiveTransfers&user=apiuserid&pass=apipass&function=call_dispo_report&statuses=SALE-XFER&ingroups=LiveTransfers&query_date=2020-01-01&end_date=2021-01-08&status_breakdown=1&show_percentages=1

Once someone calls this API function, it reports back like this:

This can then be used “as is” or it can be brought into a CRM or live reports screen for the business sending over the live transfers.


Added: 02-04-2021

Function: campaigns_list

Requirements: user level = 7

Required Field: source

Options settings: http://www.vicidial.org/docs/NON-AGENT_API.txt

Objective: To show settings for campaigns

Here is an example structure: https://cyburityllc.com/vicidial/non_agent_api.php?source=test&user=apiuserid&pass=apipass&function=campaigns_list

And below is an example output:

TopCare|Top Care – Main|Y|TopCare|RATIO|9|DOWN TIMEZONE|CALLBK SALE NP NI N DNC DC B A NEW

This will only output the campaigns allowed by the permission levels of the API user’s user group.

Hopefully this helps. Required version number for this API: 2.14
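To make the three calls above easier to use safely, here is an added Python helper (not Vicidial’s code, and not from this page) that builds the non_agent_api.php request URL with proper URL encoding, checks the required fields listed above before anything is sent, and parses the pipe-delimited campaigns_list output. The base URL, credentials and sample output line are taken from the examples on this page; the column names assigned to the campaigns_list fields are my assumption from the sample line, since the page does not show the header, and the “ERROR” prefix check is an assumption about how the API reports failures. As in the page’s links, the API user and password travel in the query string, so they end up in web server access logs and browser history: send these requests only over HTTPS, from server-side code, and with a dedicated API user restricted as described above.

```python
"""Request builder and response parser for the Vicidial non-agent API.

Added example, not Vicidial's own code. Sending the request (for instance
with urllib.request.urlopen) is left to the caller so the block runs offline.
"""
import re
from urllib.parse import urlencode

# Required parameters per function, as listed on this page.
REQUIRED = {
    "add_lead": {"phone_number", "phone_code", "list_id", "source"},
    "call_dispo_report": set(),  # needs at least one selector from ANY_OF instead
    "campaigns_list": {"source"},
}
ANY_OF = {"call_dispo_report": {"campaigns", "ingroups", "dids"}}

# Digits only, 7-15 characters: keeps raw form input from reaching the query string.
PHONE_RE = re.compile(r"^\d{7,15}$")


def build_url(base, function, user, password, **params):
    """Return the GET URL for one non-agent API call, with every value URL-encoded."""
    if function not in REQUIRED:
        raise ValueError(f"unsupported function: {function}")
    missing = REQUIRED[function] - set(params)
    if missing:
        raise ValueError(f"{function} is missing required fields: {sorted(missing)}")
    if function in ANY_OF and not ANY_OF[function] & set(params):
        raise ValueError(f"{function} needs at least one of {sorted(ANY_OF[function])}")
    if "phone_number" in params and not PHONE_RE.match(str(params["phone_number"])):
        raise ValueError("phone_number must be 7-15 digits")
    query = {"user": user, "pass": password, "function": function, **params}
    return f"{base.rstrip('/')}/vicidial/non_agent_api.php?{urlencode(query)}"


def check_request(function, **params):
    """Return None if build_url accepts these parameters, otherwise the reason."""
    try:
        build_url("https://example.invalid", function, "u", "p", **params)
    except ValueError as exc:
        return str(exc)
    return None


def parse_campaigns_list(output):
    """Turn the pipe-delimited campaigns_list response into dicts.

    Column positions are an assumption taken from the sample line on this
    page (id, name, active flag, ..., dial method, ..., dial statuses); the
    API documentation defines the full layout. Assumed: failures come back
    as a line starting with 'ERROR'.
    """
    if output.lstrip().startswith("ERROR"):
        raise RuntimeError(output.strip())
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) < 8:
            raise ValueError(f"unexpected field count: {line!r}")
        records.append({
            "campaign_id": fields[0],
            "campaign_name": fields[1],
            "active": fields[2] == "Y",
            "dial_method": fields[4],
            "dial_statuses": fields[7].split(),
            "raw": fields,
        })
    return records


if __name__ == "__main__":
    print(build_url("https://yourdomain.com", "add_lead", "apiuserid", "apipass",
                    source="SourceName", list_id="33333", phone_code="1",
                    phone_number="3057777777", first_name="john", last_name="legend"))
    sample = "TopCare|Top Care - Main|Y|TopCare|RATIO|9|DOWN TIMEZONE|CALLBK SALE NP NI N DNC DC B A NEW\n"
    print(parse_campaigns_list(sample))
```

The validation is deliberately done before the URL is built: a web form that forwards straight into add_lead is the one place on this page where untrusted input reaches the dialer, so the phone number is constrained to digits and the required fields are checked server-side rather than trusting the browser.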


Which API function would you like to see how to use? Examples can be provided for both agent and non agent API’s. Comment below for a request.

What is VoIP and How Does it Work? (Explained)


We are often asked by beginners: what is VoIP and how does VoIP work? If you are a non-techy user, then you may have heard that you could use VoIP to add a business phone number for your website.

VoIP is a more cost-effective way to get a business phone number for your website when compared to a traditional phone line. However before making any decision, you need to fully understand what the technology is all about.

In this beginner’s guide, we will answer what is VoIP, and how does VoIP work behind the scenes. The goal is to help you understand how VoIP can save you money and help you grow your business.

What is VoIP and How it Works (Behind the Scenes)

Here is an overview of what we’re going to cover in this guide.

  • What is VoIP?
  • How does VoIP work? (Behind the scenes)
  • What are the advantages and disadvantages of VoIP?
  • Which is the best VoIP phone service?
  • How to make a call using VoIP?
  • Frequently asked questions about VoIP (FAQs)

What is VoIP?

VoIP (Voice Over Internet Protocol) is a phone technology that allows you to make and receive phone calls using the internet instead of traditional phone lines.

Unlike landline phone systems that are limited to a single desk phone in your office, VoIP lets you make and receive business phone calls from your laptop, tablet, regular smart phone (using an App), and even VoIP compatible office phone sets.

Since all calls are made over the internet, it’s extremely cost-efficient for both domestic and long distance (international) calls. Most business VoIP providers offer unlimited minutes without any extra cost.

Aside from the cost savings, you also get all the advanced phone features like call waiting, call routing, caller tones, auto-attendant, multiple phone numbers, and more.

This is why most small businesses and even enterprise companies are all switching away from traditional phone providers to a business VoIP provider.

How Does VoIP Actually Work? (Behind the Scenes Look)

To understand how VoIP actually works, we will take a look at what happens when you make or receive a phone call on a VoIP phone.


When you make a phone call using VoIP, your business phone app or VoIP adapter takes the analog audio signal and turns it into a digital signal.

This digital voice data is then sent to the business phone service provider using your internet, and then finally the message is routed to your customer’s phone.

This process happens nearly instantly which is why sometimes VoIP sound quality is even better than regular phone calls.

How is VoIP different from a Traditional Phone System?

VoIP works differently behind the scenes from a regular landline phone system.

Traditional telephony systems use the circuit switching method for connecting calls. When you make a call through the Public Switched Telephone Network (PSTN), you’re connected to the person on the other end, and they’re connected to you in a circuit.

‘Circuit switching’ technology has been in use for more than 100 years. It is reliable and still works, but it is not the most efficient or cost-effective option.

VoIP uses the ‘packet switching’ method instead. This means that data is only sent when needed. A brief, instant connection is created each time you speak. The connection doesn’t need to go both ways all the time. You and the person you’re talking to will not normally be both speaking at the same time.

Plus, packets of data are sent efficiently. They can use many different paths through the internet. The packets are then put back together when they reach their destination.

The data packets can also be compressed to save space. This lets them travel even more quickly through the internet.

All of this happens very fast. Unless there’s a problem with your internet connection, you will not notice any delay during the call.


While VoIP may sound quite technical and complicated, the main thing to understand is that VoIP is a more efficient method of transferring data during phone calls.

You probably have already used VoIP before without knowing it, through an app like Skype or Google Voice.

VoIP Pros and Cons Compared

Since we’ve been using a VoIP business phone service in our company for decades, it’s fair to say that we know a thing or two about the pros and cons.

Here’s our detailed analysis of the pros and cons of VoIP.

VoIP Advantages – Benefits of Using VoIP

Switching from a traditional telephone company’s service to a cloud based VoIP phone system has many benefits.

Lower Monthly Cost

One of the biggest advantages of VoIP is a lower monthly cost on both domestic and international calls.

Most VoIP phone providers will often include unlimited domestic calls for free. International calls are normally very cheap, too.

Aside from that, you’ll also save money on repair and maintenance service expenses that you currently pay your landline phone provider.

Take calls from anywhere – Completely Portable

With VoIP, you don’t need to be in an office, on-premise, sitting by your desk phone to take phone calls. You can take incoming calls from wherever you are using an app on your phone, tablet, or laptop computer.

This is a big advantage for teams that are working remotely or out on the field. It is also great if you’re traveling.

Advanced business phone features

VoIP solutions normally include lots of extra business phone features. For instance, you can set up conference calls easily with VoIP.

Plus, most VoIP service providers offer a virtual receptionist, hold music, call waiting, voicemail to email or text, and much more. You can even get advanced telecommunications functionality like video conferencing.

This may also get you additional cost savings because often traditional telephone service providers charge recurring fees for these add-ons.

Improved Scalability and Flexibility

Another advantage of VoIP is higher scalability. Whether you’re hiring more staff or opening a new branch office in a new city, VoIP makes it easy to grow.

Unlike a traditional phone service, which would require you to spend money on expensive hardware and a dedicated line, VoIP lets you add team members with just a few clicks inside your account dashboard.

Since VoIP works on all smart phones, you can even cut additional equipment cost and free up desk space by having your team members install the app on their personal phone.

VoIP Disadvantages – Drawbacks of Using VoIP

While VoIP is an amazing technology, it may not be perfect for everyone. There are a couple of VoIP disadvantages that you should be aware of.

You need a good internet connection to make telephone calls

As we explained in the how VoIP works section, you need to have an internet connection to make phone calls.

If your internet is slow, then your call quality may be impacted.

The good thing is that VoIP technology doesn’t use as much bandwidth as you might think. A good connection with less than 70ms ping and at least 500 kbps of upload speed is good enough for VoIP calls.

However, if you have a lot of team members in your office, then you may need to look at your bandwidth needs for the number of concurrent calls your business will be making at the same time.

You need to account for power outages

Regular phone service works during power outages. But you cannot make VoIP calls if you don’t have power or access to the internet.

Typically, most offices have wireless internet powered by WiFi routers. These routers need electricity, so if your building experiences a power outage, your internet can also go down, which will impact your VoIP service.

The way we mitigate this in our office is by using a battery backup system for our internet router. Since our internet is provided by a different company than our electricity, we never have both outages at the same time.

Furthermore, since our team members use the VoIP app on their phone, they can always use their mobile data to make business phone calls.

You will need to retrain your staff on the new system

Switching to a new telephone system means you need to train your staff on how to use it.

Luckily, most VoIP services are designed to be as straightforward and intuitive as possible. This means it should be easy to train team members on how to use the cloud phone systems, even if your employees are working remotely.

Which is the Best VoIP Phone Service?

Here at Cyburity, we use and recommend CyburDial as the best VoIP phone service. They offer a free local number with all of their plans.


CyburDial comes with all the essential features you need including call routing, unlimited domestic voice calls, unlimited business SMS messaging, voicemail to email/text, number porting, caller ID, caller forwarding, custom greetings, auto attendant, hold music, online VoIP fax, phone extension for team members, and more.

They have an easy to use smart phone app for Android / iPhone (iOS), and a softphone app for your computer.

For enterprise customers, they even let you convert your existing PBX (private branch exchange) system into a cloud phone system using SIP (Session Initiation Protocol) trunking. This means you can easily transfer calls to different departments and employees using your existing system and local area network.

Nextiva also has several useful advanced features. For instance, you can connect your VoIP phone system with real-time live chat and with your CRM system to help you create a unified communications system.

Plus, their support team is extremely helpful, making it really easy for you to get started. This is why we use Nextiva for our business.

Other great VoIP alternatives to CyburDial include:

  • RingCentral – a big, well-known VoIP company that costs a little more than Nextiva. They have all the features you need, and they offer screen sharing and conferencing tools too.
  • Ooma – an easy-to-setup option that offers toll-free numbers plus all the features you’d expect. You get 500 minutes included for free, but need to pay extra for more.
  • Grasshopper – another great business phone service for solopreneurs and small businesses that offers all the essential features.
  • Phone.com – a good IP telephony option for businesses working with Canada and many EU countries, as these locations are covered as local calls.

How to Make a Call Using VoIP

To make a call using VoIP, you first need a VoIP business phone service like CyburDial. You also need an internet connection with good bandwidth. This normally means using a broadband internet connection.

Then, you can make a call using VoIP with any of the following devices:

  • Your existing phone handset. This can be connected to the VoIP system using an ATA (analog telephone adapter) which gives it an IP address. Essentially, you just plug your phone into the ATA instead of straight into your wall socket.
  • A special IP phone. This looks and works like a normal phone. It has a handset with buttons that slots into a charging cradle. However, instead of an RJ-11 phone connector, the IP phone has an RJ-45 connector. This means it plugs into an Ethernet port on your router, not into a phone jack. Depending on the season, some VoIP companies may give you a free phone handset.
  • Your computer. You will need an app that lets you make calls over VoIP. This is sometimes called a ‘softphone’. Of course, you will also need a sound card plus a headset, or a microphone and speakers. You will also need internet connectivity, either by Ethernet or WiFi. Most well-known VoIP companies have apps for both Windows and Mac.
  • Your mobile phone. Again, you will need the right app and a WiFi connection. You can also use a mobile data plan with 4G or higher speeds. Most VoIP apps work on all smartphones, such as Android devices and the Apple iPhone (iOS).

Frequently Asked Questions about VoIP Phone (VoIP FAQs)

There are lots of different business VoIP providers, and it can be hard to know which one is the best for your needs.

Over the years we have helped thousands of beginners choose the best VoIP phone platform. We have heard almost every possible question about VoIP that you can think of.

Following are the answers to some of the most commonly asked questions about VoIP (Voice over IP).

How much do domestic vs international calls cost on VoIP?

Most VoIP services will include unlimited domestic calls for no extra charge. However, some cheaper VoIP services charge based on the number of minutes you use.

The international rates will vary depending on the VoIP provider you use, but these rates will almost always be more affordable than traditional landline rates for international calls.

Can you keep your existing phone number on VoIP?

Yes, when switching from traditional landline phone to business VoIP phone, you can ask for number porting which lets you keep your existing business phone number.

Most good VoIP services let you do this, but please check with them before signing up.

Is there a VoIP backup if your internet connection goes down?

Some VoIP services have a backup in case your broadband connection is down or your power goes out. For instance, CyburDial can automatically forward calls to a cell phone.

Does VoIP offer call routing or extensions for team members?

Yes, most good VoIP phone service providers include call routing, phone extensions, call queue, and auto attendant at no additional cost.

How to set timed actions during a call in your campaign

How to – Set timer action in Vicidial for your campaign

This will show you how to drop a call to a call menu or other options after a certain amount of time

How to set timer action in Vicidial: Go into detail view of the campaign and scroll down to “Timer Action” and choose the option you want to use


To send the call to a call menu go into the “Inbound” menu and click on “Add A New Call Menu”


Name the call menu accordingly.

In this example below, the “Menu Prompt” is set to a recording the caller will hear once they are sent to this call menu


Call menus can get more elaborate, with multiple options, as shown below.


If you have any other questions on this feature, make sure to use our live support in your client portal section or by following this link: https://join.skype.com/ujkQ7i5lV78O

How to – record calls in Vicidial

This will show you how to record calls in Vicidial

Login to the Admin section of the dialer and click on “Campaigns”


Go into the detail view of the campaign, scroll down to “Campaign Recording”, choose the option you want from the choices available, and then hit Submit at the bottom.


Domains For Sale

The following domains are for sale at best offer:

If you would like to put an offer towards one of these domains, feel free to comment here, email us at info@cyburityllc.com or give us a call.

What is a Predictive Dialer?


There are four words that every business owner loves to hear: Save time and money. It’s not only music to their ears, but money in their pockets. That’s why so many business leaders are adding a cloud based predictive dialer to their marketing, sales, and customer management suites.

Increased call agent efficiency, real-time interactions, better customer experience, and improved lead management are just a few of the ways businesses are enjoying the benefits of their outbound dialer.

Make an informed decision about predictive dialing and the future of your enterprise. Keep reading to learn everything you need to know about these types of dialers.

What is a predictive dialer?

A predictive dialer is software that dials a list of phone numbers quickly and accurately and can also return calls to your call center agents. It is designed to accurately predict agent availability, screen out busy signals, answering machines, and disconnected phones, and optimize the outbound call pace to connect sales representatives with leads fast. Think of it as IVR for outbound calling.

Sometimes called an “outbound dialer” or a “hosted dialer,” these systems use machine-learning algorithms to reduce the time your agents spend between conversations, as well as the wait times your customers experience when no agent is available. In the background, the software analyses answered calls, dropped calls, the number of active agents, and more, filtering out unproductive calls so your agents get more talk time.

While you can purchase physical on-premise hardware to accomplish these tasks, most modern companies use cloud hosted dialers instead, often integrating their software with their overall contact center platforms.

This software is a workhorse for your call center and sales strategy alike.

Why invest in a cloud based predictive dialer?

With so many business solutions being tossed at you daily, it can be hard to navigate and understand what will actually benefit your bottom line and provide a decent ROI. We think a dialer of this type can be a smart choice for any business currently using or considering adding a call center. 

1. You’re busy.

Managing your sales team, maximizing profits, delighting customers. Your plate is full. Unless you have a bunch of time to waste on hacking systems to maximize your call center agent’s task lists, you’re going to spend a lot of unnecessary energy training your staff to do mediocre rather than great work.

2. You want your sales team to be more efficient.

By automating the process of calling customers, your agents are no longer wasting their time dialing numbers. This increased efficiency means more output from your agents per hour, exponentially improving agents’ productivity by reducing their idle time and accelerating sales (your agents will spend more time connecting with potential customers than re-dialing dropped calls).

3. You want to manage your leads in a smart way.

You can integrate a cloud predictive dialer across different platforms such as phone, email, chat, mobile, social and more. This gives you better, smarter lead management. An outbound dialer can be core to unifying your messaging and communications across multiple channels.

4. You strive to provide exemplary customer service.

Cloud based dialers boast specific features that allow you to contact your leads at times that are convenient to them. Perhaps in the morning at home, over the weekend via an SMS / text message, or during the day at their office number. Or maybe, they just want to leave you a voicemail.

Stronger customer service = better brand affinity = more prospects for long term sales. You can turn your contact center into something powerful that delights your customers rather than annoys.

5. You want to reduce operational costs.

Who doesn’t?

With the help of a cloud based predictive dialer, you can reduce the number of agents on staff and call lines without sacrificing any results. 

One more time for the folks in the back: these types of dialers make it possible for your call center to make more live calls than ever with less staff to make it happen.

Progressive vs. Predictive vs. Auto dialer

Progressive, predictive, and auto dialers initiate outbound calls from a contact list automatically and sequentially while also transferring calls to live agents.

These types of dialers don’t wait for the agent to let the system know that they’re ready for the next call. Instead, they optimize their dialing modes to minimize the gap between your agent hanging up with one lead and connecting with the next.

Let’s say that the software has deduced that most phone calls last an average of 60 seconds. Moreover, it takes roughly 10 seconds for the system to dial a new telephone number and hear “Hello” from the person on the other end. In a predictive dialing system, the software will initiate the next call at the ~50-second mark. Once the agent hangs up with lead 1, they’ll be prepped and ready to greet lead 2, sparing no idle second in between – which means you get real-time communication.

Progressive dialers, on the other hand, initiate outbound calls for each available agent. To meet the demand for increased outbound calls, they’ll need to deploy additional agents. Similarly, an auto dialer distributes connected calls among available reps, whereas a predictive dialer dials multiple contacts simultaneously to increase the odds of establishing a connection. For example, if the software has learned that an average of 1 out of every 4 calls picks up, it might dial four numbers at once.
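The pacing rule in the two paragraphs above can be written down as a small model. The following Python is an added illustration, not CyburDial’s or any vendor’s algorithm: it turns the 60-second / 10-second example and the 1-in-4 answer rate into functions, then plays one dialing burst through with a constructed answer pattern, which shows where dropped calls come from when more lines are dialed than there are agents free to take them.

```python
"""Pacing arithmetic for predictive dialing (added illustration, not vendor code)."""
import math
from dataclasses import dataclass


@dataclass
class PacingProfile:
    avg_talk_seconds: float       # learned average conversation length
    dial_overhead_seconds: float  # time from dialing until someone says "Hello"
    answer_rate: float            # fraction of dialed numbers answered live, in (0, 1]


def next_dial_offset(p):
    """Seconds into the current call at which the next dial should start, so the
    callee answers just as the agent frees up (60 - 10 = 50 in the text's example)."""
    return max(0.0, p.avg_talk_seconds - p.dial_overhead_seconds)


def lines_to_dial(p, agents_freeing):
    """Lines to dial in one burst so that, at the learned answer rate, about one
    answered call is expected per agent about to become free (1 / 0.25 = 4)."""
    if not 0 < p.answer_rate <= 1:
        raise ValueError("answer_rate must be in (0, 1]")
    return math.ceil(agents_freeing / p.answer_rate)


def simulate_burst(outcomes, agents_free):
    """Resolve one burst. `outcomes` holds True for each dialed line answered by
    a person. Answered calls are connected while agents remain; any further
    answered call has nobody to take it and is counted as dropped, the outcome
    the dialer's learning loop keeps trying to minimise."""
    connected = dropped = 0
    for answered in outcomes:
        if not answered:
            continue
        if connected < agents_free:
            connected += 1
        else:
            dropped += 1
    return {"connected": connected, "dropped": dropped,
            "unanswered": len(outcomes) - connected - dropped}


if __name__ == "__main__":
    profile = PacingProfile(avg_talk_seconds=60, dial_overhead_seconds=10, answer_rate=0.25)
    print("start next dial at", next_dial_offset(profile), "seconds")
    print("lines per free agent:", lines_to_dial(profile, 1))
    # Constructed outcomes: the expected case (one of four answers) and the
    # unlucky case (all four answer at once) for a single agent.
    print(simulate_burst([False, True, False, False], agents_free=1))
    print(simulate_burst([True, True, True, True], agents_free=1))
```

The second simulated burst is the cost side of over-dialing: the answer rate is an average, so a burst sized for one agent can still produce several simultaneous answers, and every one beyond the free agent is a dropped call.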

» Here’s our complete guide on Power Dialers, Predictive Dialers, and Progressive Dialers.

Predictive Dialer Pricing

Through our rigorous research and testing, we have found that the typical dialer cost ranges from $100 per user per month and up. Most software systems will build custom quotes for you, your business, and your business goals, so don’t be surprised when the specifics around dialer pricing are hard to come by. 

A customized price is an industry norm, but you can find tiered pricing options available at hosted dialers like Genesys, ChaseData, and dialerAI. A cheap dialer of this type can be uncovered with a little digging and comparing price plans.

CRM Integrations

You might think it is important to find a predictive dialer with a CRM, which can be a smart tactic to further arm your call agents with the right information they need to close a big sale. Luckily for you, most of these software systems can integrate seamlessly with popular CRMs like Salesforce.

The combination of a CRM + dialer means you’ll be able to quickly organize lead data, sales info, customer history, show the caller ID and create a superior customer engagement environment for them along the way.

Country-Specific regulations

Staying legally compliant can be a huge burden to manage on your own without the help of a cloud based predictive dialer. Just like call recording, there is specific legislation for automatic dialing as well.

In 1991, the Telephone Consumer Protection Act was passed, which prohibits the use of an automatic telephone dialing system to contact a telephone number without express prior consent, to hinder practices like telemarketing. This has continued to evolve into the National Do Not Call registry, also known as the DNC registry. You don’t want to dial numbers on this list—or those of parties who haven’t given you permission (dialing “accidents” aren’t an effective legal defense). With the right tool, you can easily adhere to these regulations without fear of penalties.

Here are few country-specific call center dialer regulations to be aware of:

CyburDial is a 100% Cloud Based Predictive Dialer

  • Robust feature sets
  • Network reliability
  • Great customer support and service

INJ3CTOR3 Operation – Leveraging Asterisk Servers for Monetization

Check out this read on how Asterisk servers are being compromised and exploited for monetization.

November 5, 2020

Research by: Ido Solomon, Ori Hamama and Omer Ventura, Network Research

Intro

Recently, Check Point Research encountered a series of worldwide attacks relevant to VoIP, specifically to Session Initiation Protocol (SIP) servers. Based on information provided by our global sensors, there appears to be a systematic exploitation pattern of SIP servers from different manufacturers. Further exploration revealed that this is part of a large, profitable business model run by hackers.

Hacking SIP servers and gaining control allows hackers to abuse them in several ways. One of the more complex and interesting ways is abusing the servers to make outgoing phone calls, which are also used to generate profits. Making calls is a legitimate feature, therefore it’s hard to detect when a server has been exploited.

During our research, we discovered a new campaign targeting Sangoma PBX (an open-source web GUI that manages Asterisk). Asterisk is the world’s most popular VoIP PBX system, and it is used by many Fortune 500 companies for telecommunications. The attack exploits CVE-2019-19006, a critical vulnerability in Sangoma, granting the attacker admin access to the system.

During the first half of 2020, we observed numerous attack attempts on sensors worldwide. We exposed the attacker’s entire attack flow, from the initial exploitation of CVE-2019-19006 to uploading encoded PHP files that leverage the compromised system.

In this article, we first examine the infection vector used by the attacker, as well as the vulnerability exploited. We then investigate the threat actors behind the specific campaign. Lastly, we explain their modus operandi.

Figure 1: Inj3ct0r’s attack flow.

Infection Vector

As mentioned in the Introduction, the campaign starts with scanning, continues with exploiting the vulnerability, and proceeds all the way to web shell installation. Gaining access to the systems allows the hackers to abuse the servers for their own purposes. CVE-2019-19006 is an Authentication Bypass vulnerability published in November 2019. Check Point Research was able to deduce the vulnerability by examining both the captured attack traffic and Sangoma’s GitHub repository for FreePBX Framework.

Figure 2: Relevant commits in the FreePBX GitHub repository.

In vulnerable versions of Sangoma FreePBX, the authentication function first sets a session for the supplied username and then removes that session if the supplied password does not match the one stored in the database. Additionally, FreePBX does not validate the type of the password parameter during the login process. By sending the password query parameter as an array element, attackers can cause the authentication function to fail before the session is unset, thereby retaining a legitimate session for the chosen username, admin included.

Figure 3: CVE-2019-19006 Proof of Concept.

Issuing the above request to a vulnerable FreePBX server allows the attackers to log in as the admin user. The value of ‘password’ does not matter, as the vulnerability depends on sending the parameter as an array element, ‘password[0]’.
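To make the ordering bug concrete, here is a Python model of the login logic described above. It is an added illustration, not FreePBX’s PHP code: the user store, the hashing and the function names are constructed for the example, and only the sequence the article describes is reproduced (create the session for the username first, remove it on a failed password check, and abort with an error when the password is not a string). The hardened variant beside it shows the two changes a defender wants: reject non-string parameters before any state changes, and create the session only after the check succeeds.

```python
"""Model of the CVE-2019-19006 ordering bug and its fix (added illustration).

Not FreePBX code: the store, hashing and names below are constructed so the
sequence the article describes can be run and compared with a safe ordering.
"""
import hashlib
import hmac

# Constructed user store: username -> SHA-256 hex digest of the password.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def _password_matches(username, password):
    # Stands in for a hash comparison that expects a string: a non-string
    # value (what an array-typed request parameter becomes) raises instead
    # of returning False, which is the failure the article relies on.
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(username, ""), digest)


def login_vulnerable(session, username, password):
    """Set the session first, unset it on mismatch: the order the article describes."""
    session["user"] = username
    if not _password_matches(username, password):
        del session["user"]
    return "user" in session


def login_fixed(session, username, password):
    """Validate input types up front and only create a session after the check passes."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if username not in USERS or not _password_matches(username, password):
        return False
    session["user"] = username
    return True


def attempt(login, username, password):
    """Run one login the way a web app would: an error aborts the request
    mid-way, and whatever session state was left behind is what the next
    request sees. Returns True if an authenticated session survived."""
    session = {}
    try:
        login(session, username, password)
    except (AttributeError, TypeError):
        pass  # request aborted; session is whatever the function left behind
    return "user" in session


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "good password:", attempt(fn, "admin", "correct horse"))
        print(name, "wrong password:", attempt(fn, "admin", "wrong"))
        print(name, "array-typed password:", attempt(fn, "admin", ["anything"]))
```

The general lesson is independent of PHP: never grant a privilege (here, the session) before the check that justifies it has completed, and fail closed when a request parameter has an unexpected type rather than letting an exception decide what state is left behind.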

Attack Flows

The attack begins with SIPVicious, a popular tool suite for auditing SIP-based VoIP systems. The attacker uses the svmap module to scan the internet for SIP systems running vulnerable FreePBX versions. Once found, the attacker exploits CVE-2019-19006, gaining admin access to the system.

Figure 4: The attacker exploits CVE-2019-19006.

After bypassing the authentication step, the attacker uses the asterisk-cli module to execute a command on the compromised system and uploads a basic PHP web shell encoded in base64.

Figure 5: The attacker uploads the initial web shell. The Referer header points to a previous web shell version that does not exist on the server.

Figure 6: The attacker’s initial web shell.

At this point, the attack diverges into two separate flows.

First Flow

Figure 7: The first attack flow.

In the first flow, the initial web shell is used to retrieve the contents of Asterisk management files /etc/amportal.conf and /etc/asterisk/sip_additional.conf. These contain the credentials to the FreePBX system’s database and passwords for the various SIP extensions. This effectively gives the attackers access to the entire system and the ability to make calls out of every extension. Using the compromised Asterisk system, they then iterate over various prefixes for outgoing calls and try to call a specific phone number, possibly one of their own, in order to see which prefix they can use.

Figure 8: The attacker’s call routine

Next, the attackers use the web shell to download a base64-encoded PHP file from Pastebin. The file is padded with garbage comments; once decoded, it yields a password-protected web shell that is also capable of retrieving the credentials to the Asterisk internal database and REST interface. The attackers also attempt to remove any previous versions of their files.

Figure 9: Password protection in the web shell.

Second Flow

Figure 10: The second attack flow.

The second flow also uses the initial web shell to download a base64-encoded PHP file. Decoding this file results in another web shell that is not only password-protected, but also employs access-control in the form of source IP validation and returns a fake HTTP 403 Forbidden message to unauthorized users.

The attackers then use the new web shell to perform the following actions:

  1. Download and save a PHP file as ‘/tmp/k’, which in turn drops ‘/var/www/html/admin/views/config.php’ to disk. This is another base64-encoded PHP file, again padded with garbage comments. When decoded, it is a password-protected web panel. The panel lets the attackers place calls through the compromised system, with support for both FreePBX and Elastix, and run both arbitrary and hard-coded commands.
    Figure 12: The attacker’s web panel.
    The file also appends data to ‘/var/www/html/admin/views/.htaccess’ so that config.php is reachable from other URIs, e.g. ’<server-url>/config’ instead of ’<server-url>/admin/views/config.php’.
    Figure 13: Data appended to .htaccess.
  2. Update the FreePBX framework, possibly to patch CVE-2019-19006.
  3. Download a shell script from ‘https://45[.]143.220.116/emo1.sh’.
    The URL returns an HTTP 404 Not Found error, so its purpose is currently unknown.
  4. Create a new directory at ‘/var/www/html/freeppx’ and move all files used in the attacks there.
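The artifacts of the second flow can be checked for on a suspected host. The following Python sweep is an added example, not a Check Point tool: it looks for the paths named above (/tmp/k, admin/views/config.php, the freeppx directory), reports lines in admin/views/.htaccess that reference config (the article does not show the appended data, so this is a heuristic), and hashes every file under the web root and temp directory against the file hashes published in the IOC section of this post. The demo builds a throwaway web root with constructed stand-in files; it also adds the hash of one constructed file to the lookup set so the hash path is exercised, since the real samples are not available here.

```python
"""Host-side sweep for the INJ3CTOR3 second-flow artifacts (added example, not a vendor tool)."""
import hashlib
import os
import tempfile

# File hashes published in the article's IOC section.
IOC_SHA256 = {
    "ecc5a8b0192995673bb2c471074a3326bbeba431e189654c90afaddf570fb514",
    "8068cf1011f8668f741e2ec61676fa9ce6a23e62ee5b3bdf014540cff06b1ebe",
    "d8ab22ceab199512aaada36af245d6621208d887ae0b6510fa198d6075777043",
    "c3b805ffe6c988db4c8843625ab2f40cb5196935e727db658b68408b7965de59",
    "7c6cf2e4badbc3d4d29f4e6ed118a77d5f6e0f819244ad25b760329f25f20dd1",
    "f1060a686155fbbe7274073c557c24648cdf30a3f3ef2cbb184ccfc41d99fd3b",
}

# Paths named in the article's second attack flow, relative to the web root.
PATH_IOCS = ("freeppx", os.path.join("admin", "views", "config.php"))


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(webroot, tmpdir="/tmp", ioc_hashes=IOC_SHA256):
    """Return a list of (kind, detail) findings for one host."""
    findings = []
    for rel in PATH_IOCS:
        full = os.path.join(webroot, rel)
        if os.path.exists(full):
            findings.append(("path", full))
    dropper = os.path.join(tmpdir, "k")  # the /tmp/k dropper
    if os.path.isfile(dropper):
        findings.append(("path", dropper))
    # Heuristic: the article says data is appended here to alias config.php.
    htaccess = os.path.join(webroot, "admin", "views", ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, errors="replace") as f:
            for line in f:
                if "config" in line.lower():
                    findings.append(("htaccess", line.strip()))
    for root in (webroot, tmpdir):
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    digest = sha256_of(full)
                except OSError:
                    continue
                if digest in ioc_hashes:
                    findings.append(("hash", full))
    return findings


def demo():
    """Build a constructed web root with stand-in artifacts and sweep it."""
    with tempfile.TemporaryDirectory() as base:
        webroot, tmp = os.path.join(base, "html"), os.path.join(base, "tmp")
        os.makedirs(os.path.join(webroot, "admin", "views"))
        os.makedirs(os.path.join(webroot, "freeppx"))
        os.makedirs(tmp)
        panel = os.path.join(webroot, "admin", "views", "config.php")
        with open(panel, "w") as f:
            f.write("<?php /* constructed stand-in for the dropped panel */ ?>\n")
        with open(os.path.join(webroot, "admin", "views", ".htaccess"), "w") as f:
            # Constructed rule; the article does not show the real appended data.
            f.write("Options -Indexes\nRewriteRule ^config$ config.php [L]\n")
        with open(os.path.join(tmp, "k"), "w") as f:
            f.write("constructed dropper stand-in\n")
        # Add the stand-in panel's hash so the hash lookup is exercised offline.
        return sorted(kind for kind, _ in sweep(webroot, tmp, IOC_SHA256 | {sha256_of(panel)}))


if __name__ == "__main__":
    print(demo())
```

On a real host, call sweep("/var/www/html") with the default temp directory and the published hash set; a path hit is worth investigating even when no hash matches, since the attackers re-encode and pad their files.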

Threat Actor

Our global sensors helped us obtain unique strings during the exploitation of CVE-2019-19006. When we searched for some of these strings, such as “rr.php” and “yokyok” (first seen in Figures 5 and 6), we found a script posted online to Pastebin.

Figure 14: The first lines of the script uploaded by the user INJ3CTOR3. The exploit payload and the initial web shell match the attacks detected by our sensors.

The script contains the initial web shell upload and exploits the same vulnerability. Its uploader, “INJ3CTOR3”, has uploaded additional files in the past, including authentication logs and a brute-force script. In addition, we found the same name in public sources for an older SIP remote code execution vulnerability (CVE-2014-7235).

Perhaps deliberately, the threat actor left a “calling card”: the name “inje3t0r3-seraj”, a variation of the Pastebin uploader’s name, was set as the value of the password parameter in the malicious request sent to the Asterisk servers. As mentioned above, the value of ‘password’ does not matter.

Figure 15: “Inj3ct0r3-Seraj” sent as part of the exploitation of CVE-2019-19006.

Through further investigation, the names eventually led to multiple private Facebook groups that deal with VoIP, and more specifically, SIP server exploitation. The “voip__sip__inje3t0r3_seraj” group is the most active one, sharing admins with different relevant groups, including an admin named “injctor-seraj-rean”.

Figure 16: Many admins are active in multiple groups.

The group shares a number of tools related to SIP server exploitation: scanners, authentication bypass, and remote code execution scripts. Among these scripts, we found a variant of the brute-force script seen in the Pastebin of INJ3CTOR3.

The group’s main purpose is to sell phone numbers, call plans, and live access to VoIP services compromised as part of the Inj3ct0r attacks.

The Wide Phenomenon

Examining the content, users and posts published in the previously mentioned Facebook groups expanded our research. The leads collected from the social networks led us to the conclusion that SIP attacks are quite common, particularly in the Middle East. Closely examining the profiles of the admins, active users, and carriers seen in the different groups, we found that most of them were from Gaza, the West Bank and Egypt.

We found several relevant players in the field who have published sales posts, tools and websites. Gathering more information about the groups they manage and relevant rooms and channels they own led us to additional discoveries.

The initial findings were tutorials on how to scan, gather information on relevant servers, and use exploitation scripts. The instructions simplify the process to a level where anyone can do it. Perhaps as a result, there seems to be a large and growing community involved in hacking VoIP services.

Although this explains the infection chain, the question of motivation remains. Further analysis revealed not only that attacks on SIP servers occur on a larger scale than initially thought, but also that there is a profound underlying economic model:

Figure 17: The modus operandi of the SIP hackers.

The flow chain above explains the operation model in generalized terms. However, this does not mean that all the attackers use the same tools and vulnerabilities. For instance, not all stages must be performed for an attacker to gain control of a compromised SIP server.

Relevant IP Ranges

The process begins with the hacker building a list of IPs per country that are currently “up.” This narrows the scope of the scans performed in a later stage and lets the hacker home in on the countries of interest.

Figure 18: Hackers generate lists of relevant IPs per country.

This step can usually be omitted by using smarter scanning techniques or knowledge sharing between different groups.

Scans and targets list

After the initial lists are created, the scanning stage begins. Various scanners are available for this task, the most common one being “SIPvicious.” The hackers obtain information about the scanned devices, such as versions, that is used in later stages. While analyzing the conversations, we observed such IP lists and scanning scripts being exchanged in different forums that discuss SIP hacking.

Attempting to compromise SIP servers and gaining control

Based on the information gathered in the previous stages, hackers try to exploit relevant vulnerabilities to gain control of the servers. If information is missing, or attempts to bypass system protections fail, they may resort to brute force.

Additional vulnerabilities relevant to VoIP, besides the one used in the INJ3CTOR3 campaign (CVE-2019-19006), were found referenced in different conversations. Moreover, members share knowledge of usernames and passwords lists, with relevant tools for hacking the systems.

If hackers successfully gain control of the system – by exploiting vulnerabilities, brute forcing the way in or using given information – the next goal is gaining persistence on the system. This can be achieved by uploading web shells to continue communicating with the system. In the INJ3CTOR3 campaign, we saw a few web shells used in several different steps, for different functionalities.

Using the servers for profit

Finally, after gaining a foothold on the exploited servers, the attacker can make calls to any desired number. A common use is calling International Premium Rate Numbers (IPRN) from the compromised servers.

When an IPRN is called, the caller pays the owner of the IPRN per minute; the rate depends on the caller’s origin country. There are companies that offer ranges of IPRN numbers in different plans.

Figure 21: An example of the rates table taken from a demo service. It includes the prices, the relevant country and the relevant test numbers.

With enough traffic, this model can provide sufficient profit to cover the IPRN costs. For that reason, IPRN services are often used by businesses that put callers on hold or have many clients (e.g. premium content calls). The longer the clients stay on the line, the more money the company owning the IPRN receives.

Figure 22: A premium number demo-dashboard. Statistics, earnings and information per each of the numbers are seen in the interface.

For these reasons, hackers seem to be focused on IPRN programs. IPRN programs not only let the hacker make calls but turn the abused SIP servers into a source of profit: the more servers are exploited, the more calls to the IPRN can be made.

In other words, hackers are themselves a market for IPRN plans, and many IPRN sales posts can be seen on these forums and pages. We encountered many such posts by several different IPRN providers:

Figure 23: Two of many posts that sell IPRN in different

Attack Impact

As mentioned previously, the attackers’ end goal is to sell outgoing calls from the compromised systems, as well as access to the systems themselves.

Unrestricted access to a company’s telephone system can allow the attackers and their customers to make calls using the compromised company’s resources and eavesdrop on legitimate calls. They can also use the compromised systems for further attacks, such as using the system resources for cryptomining, spreading laterally across the company network, or launching attacks on outside targets while masquerading as the compromised company.

Conclusion

The campaign at hand uses an easily exploitable vulnerability to compromise Asterisk SIP servers around the world. In-depth details of the vulnerability were never publicly released, yet the threat actors behind the attack managed to weaponize and abuse it for their own gain. As our research shows, the threat actors, who are located in the Palestinian Gaza Strip, share and sell their scripts. This is an established operation that sets up the attacks, finds the targets, and initiates traffic to premium rate service numbers in order to inflate traffic and gain revenue. It is not far-fetched to assume that other attackers will use those scripts to launch their own attacks against Asterisk servers in the future.

This attack on Asterisk servers is also unusual in that the threat actors’ goal is not only to sell access to compromised systems, but also to use the systems’ infrastructure to generate profits. The concept of IPRN creates a direct link between making phone calls and making money. It also means that further attacks can be launched from these systems.

Protections

Check Point customers are protected by these IPS protections:

  • SIPVicious Security Scanner
  • Sangoma FreePBX Authentication Bypass (CVE-2019-19006)
  • Command Injection Over HTTP
  • Command Injection Over HTTP Payload

IOCs

Files:

  • ecc5a8b0192995673bb2c471074a3326bbeba431e189654c90afaddf570fb514
  • 8068cf1011f8668f741e2ec61676fa9ce6a23e62ee5b3bdf014540cff06b1ebe
  • d8ab22ceab199512aaada36af245d6621208d887ae0b6510fa198d6075777043
  • c3b805ffe6c988db4c8843625ab2f40cb5196935e727db658b68408b7965de59
  • 7c6cf2e4badbc3d4d29f4e6ed118a77d5f6e0f819244ad25b760329f25f20dd1
  • f1060a686155fbbe7274073c557c24648cdf30a3f3ef2cbb184ccfc41d99fd3b

Hosts:

  • 5[.]133.27.47
  • 37[.]61.220.243
  • 40[.]85.249.243
  • 45[.]143.220.115
  • 45[.]143.220.116
  • 46[.]161.55.107
  • 62[.]112.8.162
  • 77[.]247.110.91
  • 80[.]68.56.82
  • 84[.]111.36.159
  • 92[.]42.107.139
  • 134[.]119.213.127
  • 134[.]119.213.195
  • 134[.]119.214.141
  • 134[.]119.218.49
  • 151[.]106.13.150
  • 151[.]106.13.154
  • 151[.]106.13.158
  • 151[.]106.17.146
  • 156[.]95.156.75
  • 156[.]96.59.63
  • 185[.]53.88.198
  • 185[.]132.248.54
  • 212[.]83.189.43

References

https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/?fbclid=IwAR3vkTNOF1lu87Jyd7TGKFrCEFiB7yKzIrBnHvax4wtV-pGVBaReQpHU0AI