By virtue of monitoring conversations in illicit forums, our team frequently stumbles across some unwitting enterprise’s data. Often the data is in the form of a database dump, personally identifiable information (PII), account information, or credentials. Occasionally, though, there is something unique.
What’s worse than a data dump?
Recently our team observed a well-known threat actor group, Kelvinsec, publishing some URLs that exposed thousands of WAV files from a Voice Over IP (VOIP) phone system. The files were complete, unencrypted conversations from an insurance company in South America. As you can imagine, the content of these conversations is rife with PII and proprietary information.
Figure 1: Index of WAV files.
This exposure appears to be caused by a gross misconfiguration of an Asterisk IP PBX at a VOIP service provider. The exposure was deeper than the WAV files, too. With some simple directory traversal, one could access log files, configuration files, and even a console for the extensions of the insurance company. Additionally, that console revealed PII of the employees.
Figure 2: Screenshot of the additional data that was accessible via the console.
Figure 3: Display of the insurance company’s VOIP extensions, available via console access.
The Far-Reaching Impact of Negligence
Given that this is a multi-tenant VOIP service provider, it can be assumed that other customers are affected and could be suffering similar exposure. Theoretically, one would only need to know the customer’s company name to be able to access another company’s data in the service provider’s database.
To add insult to injury, our passive vulnerability tools indicated 27 open vulnerabilities on the hosting server. 27! Great job, folks.
Back in January, I wrote a short piece called Signal vs. Noise, venting about how when notified of a breach, many of these companies choose to ignore the issue. This case is unfortunately no different. Our diligent efforts to notify the service provider and the one known affected company fell on deaf ears.
The exposure remains. Innocent people’s information is still exposed, yet the responsible party ignores the notification.
From a security architecture perspective, these files should have been encrypted at a minimum. While I am not an expert, and cannot say whether there is a limitation to the encryption of these specific files, Asterisk does support file encryption and there is no question that Linux does. Just as important is the misconfiguration and lack of attention to server security. All of this could be avoided with a proper infosec program. Ironically, the service provider has a section on their website attesting to the “secure” nature of their hosted IP PBX.
- Monitor dark web markets for your and your customers’ PII
- Configure your servers properly!
- Use encryption whenever possible
- Have a proper vulnerability management program
- Do not ignore a security advisor who is trying to contact you. Remember that we are your allies in safeguarding your information and that of your customers.