[asterisk-users] Paltel subscribers as called parties for SIP attacks (was: Malicious traffic coming from 37.75.210.90)
Philip Prindeville
philipp_subx at redfish-solutions.com
Tue Aug 6 14:14:19 CDT 2013
For what it's worth, I see similar traffic regularly from:
orange.ps
hadara.ps
ovh.net
iweb.ca
scalabledns.com
securedservers.com
wholesaleinternet.com
hostnoc.net
rackspace.com
hetzner.de
all going to 972-59-* numbers (i.e. Paltel/Jawal mobile customers).
Common numbers are:
…
Now some of these numbers have been short-lived, others have been in use more than 2 years, like 972597562803 which seems to be sloppy tradecraft.
Why would an internet subscriber from hadara.ps, for instance, want to call a Paltel mobile user via some remotely hacked SIP PBX thousands of miles away given that Paltel is partially owned by Hadara Technology Investment Co. (and Paltel leases long-haul infrastructure from Hadara anyway)?
http://en.wikipedia.org/wiki/Paltel
Well, if the Paltel subscriber were actually abroad… say in the US or Algeria or the Philippines, but he didn't want to risk the longest arm of the call being intercepted by Echelon or similar means, then he'd find an ISP in the country which he knew that subscriber to currently be in, and scan its CIDR blocks for insecure SIP PBXs to use to contact the mobile user… relying on domestic privacy protections to inhibit spying on internal traffic to that country.
Perhaps Hadara (or a Hamas cell operating within Hadara) has moved from psyops to more overt means:
http://blogs.norman.com/2012/security-research/cyberattack-against-israeli-and-palestinian-targets-for-a-year
I'm surprised that DHS hasn't taken more interest in this.
Or perhaps they already have, and are operating deliberately insecure PBXs as honeypots.
Coming soon to your AGPS+ coordinates: a Predator drone…
In any case, with all the SIP (and other) abuse I've received from Hadara.ps, they've never once acknowledged a complaint I've sent in… which seems to be tacit approval of the practice.
I'd be curious to know what everyone else's experiences have been like, and why 95% or better of the SIP attacks on my PBX are destined for Paltel mobile subscribers.
Given the number of inhabitants in Gaza, it seems like a statistical improbability.
Certainly not random distribution.
On Jan 6, 2013, at 4:36 PM, Nick Khamis <symack at gmail.com> wrote:
> Hello Osama, and Hisham,
>
> At 1330GMT there was some malicious activity coming from your network
> IP 37.75.210.90. Please act accordingly. Things that may be of use
> "972599779558"
>
> N.
>
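A defender-side check of the pattern described in this thread, added here as an example and not part of either post: it parses Asterisk-style rejected-INVITE log lines (constructed sample lines; the line format is assumed from chan_sip's "Call from ... rejected" notices) and reports what share of rejected calls target 97259 numbers and which source addresses dial nothing else.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Asterisk's chan_sip writes to the full
# log when an INVITE to an unknown extension is rejected (format assumed).
SAMPLE_LOG = """\
[Aug  6 14:10:02] NOTICE[1234] chan_sip.c: Call from '' (37.75.210.90:5060) to extension '972592871970' rejected because extension not found in context 'default'.
[Aug  6 14:10:03] NOTICE[1234] chan_sip.c: Call from '' (37.75.210.90:5060) to extension '972597562803' rejected because extension not found in context 'default'.
[Aug  6 14:10:05] NOTICE[1234] chan_sip.c: Call from '' (198.51.100.7:5061) to extension '972592170729' rejected because extension not found in context 'default'.
[Aug  6 14:10:09] NOTICE[1234] chan_sip.c: Call from '' (198.51.100.7:5061) to extension '00441234567890' rejected because extension not found in context 'default'.
[Aug  6 14:10:12] NOTICE[1234] chan_sip.c: Call from '' (203.0.113.9:5060) to extension '972599532957' rejected because extension not found in context 'default'.
"""

LINE_RE = re.compile(
    r"Call from '(?P<user>[^']*)' \((?P<ip>[\d.]+):\d+\) to extension "
    r"'(?P<dest>\+?\d+)' rejected"
)

def parse_rejected_calls(log_text):
    """Return (source_ip, dialed_number) pairs from rejected-INVITE log lines."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("dest").lstrip("+")))
    return pairs

def summarize(pairs, prefix="97259"):
    """Count attempts per source IP and the share that dial the watched prefix."""
    per_ip = Counter(ip for ip, _ in pairs)
    hits = sum(1 for _, dest in pairs if dest.startswith(prefix))
    share = hits / len(pairs) if pairs else 0.0
    return per_ip, hits, share

def flag_sources(pairs, prefix="97259", min_attempts=2):
    """Source IPs whose rejected calls all target the prefix (at least min_attempts)."""
    by_ip = {}
    for ip, dest in pairs:
        by_ip.setdefault(ip, []).append(dest)
    return sorted(ip for ip, dests in by_ip.items()
                  if len(dests) >= min_attempts and all(d.startswith(prefix) for d in dests))

if __name__ == "__main__":
    calls = parse_rejected_calls(SAMPLE_LOG)
    per_ip, hits, share = summarize(calls)
    print(f"{len(calls)} rejected calls, {hits} ({share:.0%}) to 97259*; per source: {dict(per_ip)}")
    print("sources dialing only 97259*:", flag_sources(calls))
```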