Monday, April 6, 2020

SIP DDoS expected? A customer got a notification about their Avaya SBCE; it seems odd and unlikely that they could know of this coming attack, but I'm curious if anyone knows more.

Reports of this from at least one customer who uses Avaya SBCE; has anyone else heard anything about this?

Supposedly they got this from a reputable source, but I'm wondering how anyone could know of an impending attack?

“It has come to the attention of the Avaya security team that there is the potential of a major SIP Denial of Service attack in the next few days.

As far as we know, the attack is targeted to be launched against major US infrastructure companies in the telecom, oil, healthcare, and insurance sectors in a couple of days (perhaps even as soon as Monday). State-sponsored hacking groups known as the Advanced Persistent Threats APT-28 (Fancy Bear) and APT-29 (Cozy Bear) are believed to be affiliated with the Russian GRU (military intelligence) and with some Iranian factions. They are acquiring enormous quantities of bots on the Dark Web in preparation for DDoS attacks and training their devices with lists of IP addresses that respond to SIP.

They are using RPC Portmapper DUMPs and SIPVicious scanners to detect IP addresses that respond to their (currently) benign traffic queries that are used for portmapping target devices and networks.

What follows will be a major (terabit/second) attack on major infrastructures in the West. I wanted to share this with you whether you use Avaya SBCs or not.

If using Avaya SBCs, our guidance is to reprogram the SBCs to turn on Denial of Service prevention. SBCs are usually set to “observe” mode. It will need to be turned on, and traffic shaping/limiting turned on, to prevent further damage.

We can’t confirm 100% this will happen, but I wanted to give you a heads up in case you wanted to make the decision to proactively adjust or have a plan in place.”
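As an added illustration of the reconnaissance the notice describes (OPTIONS sweeps by SIPVicious-style scanners) and of the per-source rate check that SBC DoS prevention applies, here is a small detector run over constructed SIP request log lines. This is example code, not part of the post or of Avaya's product; the log format, thresholds and sample addresses are assumptions, and "friendly-scanner" is SIPVicious's documented default User-Agent.

```python
"""Flag SIP reconnaissance (OPTIONS sweeps, scanner User-Agents) in SBC/proxy logs.

Assumed log format (not Avaya SBCE's): "<ISO timestamp> <src ip> <SIP method> ua=<User-Agent>"
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one SIPVicious-style scanner, one legitimate phone,
# and one source sending an OPTIONS burst with an ordinary User-Agent.
SAMPLE_LOG = """\
2020-04-06T09:00:00 203.0.113.7 OPTIONS ua=friendly-scanner
2020-04-06T09:00:00 203.0.113.7 OPTIONS ua=friendly-scanner
2020-04-06T09:00:01 203.0.113.7 OPTIONS ua=friendly-scanner
2020-04-06T09:00:02 198.51.100.9 REGISTER ua=Acme-Phone/2.1
2020-04-06T09:00:03 198.51.100.9 INVITE ua=Acme-Phone/2.1
2020-04-06T09:00:03 192.0.2.44 OPTIONS ua=Generic-UA
2020-04-06T09:00:04 192.0.2.44 OPTIONS ua=Generic-UA
2020-04-06T09:00:05 192.0.2.44 OPTIONS ua=Generic-UA
2020-04-06T09:00:06 192.0.2.44 OPTIONS ua=Generic-UA
2020-04-06T09:00:07 192.0.2.44 OPTIONS ua=Generic-UA
2020-04-06T09:00:08 192.0.2.44 OPTIONS ua=Generic-UA
"""

# Substrings of User-Agents used by well-known SIP scanners (SIPVicious default is "friendly-scanner").
SCANNER_UAS = ("friendly-scanner", "sipvicious")


def parse(line):
    """Split one assumed-format log line into (timestamp, src_ip, method, user_agent)."""
    ts, src, method, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, method, ua[len("ua="):]


def flag_sources(log_text, window_s=10, max_options=5):
    """Return {src_ip: sorted reasons}: 'scanner-ua' when the User-Agent matches a known
    scanner, 'options-flood' when more than max_options OPTIONS arrive within window_s seconds
    (a sliding window per source, the same shape of check an SBC rate limiter applies)."""
    windows = defaultdict(deque)   # src_ip -> timestamps of recent OPTIONS
    flags = defaultdict(set)
    for line in log_text.splitlines():
        ts, src, method, ua = parse(line)
        if any(s in ua.lower() for s in SCANNER_UAS):
            flags[src].add("scanner-ua")
        if method == "OPTIONS":
            recent = windows[src]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()   # drop timestamps that fell out of the window
            if len(recent) > max_options:
                flags[src].add("options-flood")
    return {src: sorted(reasons) for src, reasons in flags.items()}
```

Sources flagged here are candidates for the rate limiting the notice recommends; a real deployment would feed the SBC's own logs and tune the thresholds to observed legitimate OPTIONS keepalive rates.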
