What is SIPVicious?
SIPVicious is an auditing tool used to scan for phone systems and SIP (Session Initiation Protocol) devices. Its tools can be used to identify live extensions on a PBX (Private Branch Exchange) via brute-force password-guessing attacks, as well as SIP devices, softphones and hardphones on the network.
What are SIPVicious scans?
Because SIPVicious is a penetration testing tool, it has been used for reconnaissance attacks against IP and VoIP phones and PBX systems. By default, SIPVicious does not call phones or scan systems, but attackers can silently perform INVITE scans or use the “call command”, which can be used to attack PBX software. The software of these systems has already been updated to disallow scans, but INVITE scans bypass the protections implemented in PBX systems.
PBX telephony networks are targeted because attackers can find phone lines with weak passwords and then benefit from “free” phone calls at the expense of the victim or a phone host. That is how attackers make money.
In 2014, Cisco issued a threat bulletin about suspicious scans made with SIPVicious. In this case, IP or VoIP telephones are the ones being scanned. An attacker could use any number or SIP address to scan networks and discover live hosts via INVITE sessions. A ringing phone serves as the response and signifies a successful detection. In this respect, SIPVicious scans are similar to port scans and ping sweeps.
4 Steps to Protect Yourself from SIPVicious Scans
You may be asking: how do I protect myself from these malicious scans? Here are some ways to keep yourself protected:
1. Block port 5060 when not in use. Port 5060 is associated with SIP and it has been observed that this is the port commonly scanned by SIPVicious attackers.
2. Apply the appropriate updates to PBX systems. Updating the software of your PBX system can significantly help in eliminating the vulnerability.
3. Install IP or VoIP devices behind a firewall. Configure your firewall so that your devices can only be contacted by your service provider.
4. Have an IDS or Intrusion Detection System (e.g. Snort). It can greatly help in detecting possible attacks that attempt to exploit vulnerabilities related to SIPVicious scans. EmergingThreats.net has Snort rules available to track SIPVicious scans. Here is an example:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; fast_pattern:only; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:4;)
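To show what the rule above matches and how its threshold limits alert volume, here is an added Python example (not part of the original page or of the EmergingThreats rule set) that models the rule's logic over constructed traffic. The "10." prefix standing in for $HOME_NET, the documentation-range IP addresses and the "ExamplePhone/1.0" User-Agent are assumptions made for the example.

```python
from collections import defaultdict

# content:"|0d 0a|User-Agent|3A| friendly-scanner" as raw bytes (case-sensitive)
PATTERN = b"\r\nUser-Agent: friendly-scanner"
SIP_PORT, LIMIT_COUNT, LIMIT_SECONDS = 5060, 5, 120   # port, threshold count, seconds

def detect(packets, home_prefix="10."):
    """Model the rule over (ts, src, dst, dport, payload) tuples; home_prefix stands
    in for $HOME_NET (assumption). Returns (alerts, matches): alerts are the (ts, src)
    pairs logged after 'type limit'; matches counts every pattern hit per source."""
    window = {}                        # src -> (window_start, hits_in_window)
    matches = defaultdict(int)
    alerts = []
    for ts, src, dst, dport, payload in sorted(packets):
        # Rule header: $EXTERNAL_NET any -> $HOME_NET 5060
        if src.startswith(home_prefix) or not dst.startswith(home_prefix):
            continue
        if dport != SIP_PORT or PATTERN not in payload:
            continue
        matches[src] += 1
        start, seen = window.get(src, (ts, 0))
        if ts - start >= LIMIT_SECONDS:    # interval over: open a new one
            start, seen = ts, 0
        if seen < LIMIT_COUNT:             # type limit: log only the first 5
            alerts.append((ts, src))
        window[src] = (start, seen + 1)
    return alerts, dict(matches)

def sip_options(src, dst, user_agent):
    """Build a minimal, constructed SIP OPTIONS request as UDP payload bytes."""
    return (f"OPTIONS sip:100@{dst} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-1\r\n"
            f"From: <sip:100@{src}>;tag=1\r\nTo: <sip:100@{dst}>\r\n"
            f"Call-ID: 1@{src}\r\nCSeq: 1 OPTIONS\r\n"
            f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n").encode()

def sample_traffic():
    """Constructed traffic: a 20-host sweep, a later burst, one ordinary phone."""
    scanner, phone = "203.0.113.7", "198.51.100.9"
    pkts = [(t, scanner, f"10.0.0.{t + 1}", 5060,
             sip_options(scanner, f"10.0.0.{t + 1}", "friendly-scanner")) for t in range(20)]
    pkts += [(130 + t, scanner, "10.0.0.1", 5060,
              sip_options(scanner, "10.0.0.1", "friendly-scanner")) for t in range(3)]
    pkts.append((5, phone, "10.0.0.5", 5060, sip_options(phone, "10.0.0.5", "ExamplePhone/1.0")))
    return pkts

if __name__ == "__main__":
    alerts, matches = detect(sample_traffic())
    print(f"{len(alerts)} alerts logged, pattern hits per source: {matches}")
```

The gap between logged alerts and total pattern hits is the effect of "threshold: type limit": the sensor stays quiet during a long sweep, so the per-source hit count is the better measure of how many hosts were probed.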
ThreatScout is also able to detect these kinds of attacks and keep your network protected, even from future attacks and new vulnerabilities. For more information, visit our website at https://www.pandoralabs.net/products/threatscout-siem/
Resources: blog.sipvicious.org  https://tools.cisco.com/security/center/viewAlert.x?alertId=33141