Cybersecurity Threat Advisory 0066-21: Threat Actors Targeting VoIP Providers with DDoS Attacks

Threat Update

In recent weeks, threat actors have been targeting voice over Internet Protocol (VoIP) providers with distributed denial of service (DDoS) attacks that have impacted the mission-critical communications, including 911 services, of numerous organizations. Bandwidth.com has become the latest victim of these attacks, experiencing intermittent service outages that started on Monday, September 27th and lasted for several days.

Technical Detail & Additional Information

WHAT IS THE THREAT?

A DDoS attack is a type of cyberattack in which an attacker simultaneously controls many computers, typically without the knowledge of their owners, who do not realize their devices are infected with malware. These computers become bots in a botnet that sends more requests to a server than it has the capacity to handle. As a result, the server’s performance may degrade or the server may crash, making the targeted devices, servers, and associated services inaccessible to legitimate users. Because they enable customers to make calls over internet-connected servers, VoIP services require their servers and endpoints to be publicly accessible, making them prime targets for DDoS attacks. Recently, DDoS attacks against VoIP providers have been causing unexpected failures of users’ calls and messages, interrupting and often severely impacting business activities. In addition to Bandwidth, Canadian voice-over-IP service provider VoIP.ms, which serves over 80,000 customers across 125 countries, experienced a DDoS attack this September at the hands of a threat actor seeking to extort the company for over 4 million dollars in Bitcoin.

WHY IS IT NOTEWORTHY?

Whether or not the Bandwidth and VoIP.ms attacks were perpetrated by the same threat actor group is yet unknown, but VoIP providers are wary that the attacks may be part of an extortionary DDoS campaign in which threat actors hold providers’ services for ransom, offering to cease attacks on mission-critical communications only if they receive the demanded large sum of money. This may prove to be a worrisome pattern if disruptions in VoIP services become more frequent, threatening the millions of VoIP users with regular disruptions to their communications.

WHAT IS THE EXPOSURE OR RISK?

It is worth noting that even organizations that are not direct customers of VoIP providers like Bandwidth may be affected by DDoS-caused outages, because VoIP providers often serve other end VoIP providers like Twilio, which reported disruptions to its services in conjunction with the attack on Bandwidth last week. Among Bandwidth’s other customers are Accent, DialPad, Phone.com, RingCentral, and Microsoft Teams. Thus, any organization that relies on VoIP services may be at risk of being impacted by a VoIP DDoS attack.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP recommends the following actions to limit the impact of a VoIP DDoS attack:

  • Maintain alternate channels of communication and have an operational plan in place in the case of an outage with your VoIP provider.
  • If an outage occurs, open a high-priority ticket with your VoIP provider’s support team and get in touch with your point of contact(s) from your VoIP provider to alert them of the problem and prioritize restoration of function.
  • If you notice a degradation in services, check your VoIP provider’s website for reports of outages. Bandwidth and many other providers offer a service status page that lists known outages and maintenance updates: https://status.bandwidth.com/
  • You can also check Down Detector for the status of a variety of VoIP providers’ services: https://downdetector.com/status/bandwidth/
  • If you suspect a phone number may be affected by a targeted network’s outage, you can confirm the number’s network at Carrier Lookup: https://www.carrierlookup.com/

If you have any questions, please contact our Security Operations Center.