Security Manager's Journal: Hackers phone home -- on our dime

Someone is making calls costing thousands of dollars via the IP telephony setup in a small European office.

Trouble Ticket

At issue: A small office in Europe discovers that someone has hacked its IP telephony router.

Action plan: Update the operating system to prevent toll fraud, and assess the IP telephony setups at offices around the world.

It's been a while since we've had a security breach worth mentioning (that we know of). Last week we had one, and it was an eye-opener.

A small development office in Western Europe was informed by the local telephone company that a high number of calls were being made from the office's IP telephony setup to a Middle Eastern country. When we looked into it, we found that in just 15 days, over $30,000 in calls had been made to several Middle Eastern countries, as well as Russia, China and a couple of Central American nations.

I immediately told the folks in the European office to have the phone company block the suspect call locations, file a police report and send me the complete running configuration from the router.

The office in question came to us through an acquisition about four years ago, well before my arrival. Apparently, the acquired company had just purchased new equipment, including a Cisco router used as a voice gateway for communicating with several other offices around the world. After the acquisition, we retained the Cisco routers, since we use IP telephony extensively.

When the configuration report arrived, I gave it to my security analysts and a few colleagues who are familiar with the secure configuration of Cisco phone gateways. As suspected, an early version of Cisco's IOS software was running on this router and it had no toll-fraud prevention configuration. Since the router wasn't properly locked down, an outside caller could connect to our phone gateway on TCP 5060, obtain a dial tone and make calls.

Unfortunately, it wasn't just a lone hacker who was making calls on our system. The call setup logs had captured IP addresses from around the world, suggesting that the hacker had shared our vulnerability with hundreds of people. While we can't know for sure, it would seem that our configuration was either sold or traded on the black market.

Having diagnosed the problem, we set out to rectify it. We scheduled a change control to have the router upgraded to the most current supported version of IOS, which includes support for toll-fraud prevention, and then configured the router to prevent this and other forms of toll fraud.

Next, we took the lessons learned from this one office and applied them to our locations worldwide. We conducted an assessment of all of our Cisco call gateways to determine if any of them were susceptible. Sure enough, three other small offices in Europe and one office in Austin were running vulnerable versions of IOS. (Coincidentally, all of the offices had come to us in various acquisitions over the past three to four years.)

Some Relief

We are fully cooperating with law enforcement and the phone company, and as a result, we may actually be granted some relief from the $30,000 bill.

But this incident has spurred me to further action. I plan to use some of my quarterly budget for vulnerability assessments and penetration testing by hiring a reputable organization to conduct a complete assessment of our global IP telephony environment -- everything from phones and the call manager to unity messaging and the underlying network equipment that enables IP telephony.

And because we acquired so many of these vulnerabilities, I am going to update my M&A playbook to emphasize the need to assess any IP telephony infrastructure we inherit. One final precaution we are taking is to evaluate our options for correlating Cisco call log data and other relevant logs within our recently purchased security incident and event management tool.
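One way the call-log correlation described above could start, as an added example that is not part of the original column: it groups call setup records by signaling source IP and reports sources outside the trusted networks. The record layout, the trusted networks and the "00" international prefix are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: networks allowed to set up calls through the gateway.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.16/28")]
# Assumption: international dialing prefix in the office's dial plan.
INTL_PREFIX = "00"

# Constructed records: timestamp, signaling source IP, called number, seconds.
SAMPLE_RECORDS = """\
2024-01-10T02:14:07Z,203.0.113.45,0099900000001,1260
2024-01-10T02:15:40Z,203.0.113.45,0099900000002,900
2024-01-10T02:16:02Z,203.0.113.77,0099900000003,2400
2024-01-10T09:01:13Z,192.0.2.20,0099900000004,300
2024-01-10T09:05:55Z,198.51.100.18,5551234,120
2024-01-10T09:07:00Z,198.51.100.40,0099900000005,60
2024-01-10T09:08:00Z,gateway,0099900000006,abc
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def parse(text):
    """Yield (source_ip, called_number, seconds); skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        _, src, called, secs = parts
        try:
            ipaddress.ip_address(src)  # reject non-IP source fields
            yield src, called, int(secs)
        except ValueError:
            continue

def suspect_calls(text):
    """Per untrusted source IP: call count, international count, total minutes."""
    report = defaultdict(lambda: {"calls": 0, "intl": 0, "minutes": 0.0})
    for src, called, secs in parse(text):
        if is_trusted(src):
            continue
        row = report[src]
        row["calls"] += 1
        row["intl"] += called.startswith(INTL_PREFIX)
        row["minutes"] += secs / 60
    return dict(report)

if __name__ == "__main__":
    for src, row in sorted(suspect_calls(SAMPLE_RECORDS).items()):
        print(src, row)
```

Any call set up from a source outside the trusted list is worth an alert on its own; the international count and minutes help rank which sources to chase first.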

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
