Netas Annual Cyber Intelligence Report 2016 v10

CYBER THREAT INTELLIGENCE REPORT
2016

Contents
Executive Summary ...................................................................................................................................... 2
2016 Highlights ............................................................................................................................................. 2
Upward Attack Trend Targeting VoIP Protocol SIP ................................................................................. 2
A New type of VoIP Attack ....................................................................................................................... 5
IoT- Rise of the Connected Machines ...................................................................................................... 5
The Year of the Data Breaches ................................................................................................................. 7
Ransomware (with Strings Attached) ...................................................................................................... 7
Common Cyber Events ............................................................................................................................ 8
2017 Predictions ......................................................................................................................................... 12
NOVA Product Family and Customer Case Studies ................................................................................... 13
Focus Sector ........................................................................................................................................ 13
Issues ................................................................................................................................................... 13
Recommendations .............................................................................................................................. 13
Nova V-Gate ........................................................................................................................................... 14
Fraud Detection and Prevention with V-Gate..................................................................................... 16
Which types of fraud can be blocked with V-Gate? ........................................................................... 17
Samples of a Customer`s Data Generated By V-GATE ........................................................................ 17
VoIP Monitoring Results ..................................................................................................................... 19
VoIP Monitoring Sample Results from Customer Sites:...................................................................... 19
Nova MSP ............................................................................................................................................... 20
Nova V-Spy and Penetration Test .......................................................................................................... 20
NOVA Honeypot Results ............................................................................................................................ 21

Executive Summary
This report contains a summary of the statistics provided by the security products developed by NETAŞ,
the information gathered during consulting services, and the research about cyber security
threats/incidents in 2016. This information summarizes the weaknesses encountered in organizations, the
threats affecting the systems and the countermeasures and solutions.
A honeypot environment was used to identify attackers and detect the types of attacks. It simulates the
behavior of the real systems. The data obtained from the honeypot environment, which is called NOVA
honeypot, is deeply analyzed to determine the attacks and attackers in this report.
The result of statistical data shows us attackers living in different regions use similar types of scanning
activities. A honeypot is a useful tool for a variety of reasons such as tempting and trapping attackers,
capturing information and generating alerts when someone is interacting with them.
With the established Honeypot environment, some statistical analysis methods can be employed to
determine the type of the attack, the frequency of attack and the region where the attack was started. In
addition, the results and data obtained from the statistical analysis can be very useful for NETAS Cyber
Security projects and operations center. For example, collecting malware samples, discovering new types
of attacks, attack tools and payloads will help us to discover future defense methods against unknown
attacks.
2016 Highlights
An unprecedented volume of cyber-attacks has occurred in Turkey and Worldwide over the years. 2016
agenda consists of DDOS attacks on the backbone DNS, ransomware, and targeted malware attacks on
mobile platforms and cyber espionage on critical infrastructure. There have also been incidents of leakage
of critical private data belonging to the governments and individuals from payment systems, social
platforms, banks, government agencies. IoT has made a transition from being mainly a topic of theoretical
and academic discourse to a vivid threat, arousing keen interest in the cyber security industry, and the
cybercrime and hacker communities alike. As a result of numerous sources of research, we correlate
significant outputs below. Some of our sources are IBM X-Force reports, CFCA survey, new papers from
different universities and countries, Sensecy Annual Report, ESET trends 2016 report and Akamai
statistics.
Upward Attack Trend Targeting VoIP Protocol SIP
There are numerous protocols used in Voice-over-IP (VoIP) communications. According to IBM Managed
Security Services (MSS) data 1 , the most targeted VoIP protocol is Session Initiation Protocol (SIP),
accounting for over 51 percent of the security event activity analyzed in the last 12 months.
1
http://www.foerderland.de/fileadmin/pdf/IBM_XForce_Report_2016.pdf

Top Targeted VoIP Protocols
1%
48%
51%
SIP Cisco SCCP H225
Figure 1: Top Targeted VoIP Protocols
SIP is one of the most commonly used application layer protocol in VoIP technology, so it’s not surprising
that it’s the most targeted. In fact, we found that there has been an upward trend in attacks targeting the
SIP protocol, with the most notable uptick occurring in the second half of 2016.
In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and
September were mostly the result of specially crafted SIP messages that were terminated incorrectly.
Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in
October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These
could be reflective of suspicious activity, necessitating further investigation.
The second most targeted protocol, Cisco’s proprietary Skinny Client Control Protocol (SCCP), accounting
for just over 48 percent of detected security events during the same time period. SCCP is a lightweight,
IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco
VoIP phones. Unlike attacks targeting SIP, those targeting the SCCP protocol have been declining slightly
over the past 12 months.
Figure 2: Attacks Targeting SIP Protocol

A large majority of the security events targeting the SCCP protocol — nearly 74 percent — are actually
pre-attack probes that enable the perpetrators to examine device capabilities and gather information on
potential targets. Finally, H225 protocol, which is a part of H.323 protocol suite, accounted for less than 1
percent of the activity.
When it comes to unsolicited information, we’ve gotten pretty good at dealing with or reducing email
spam in our inbox. But what about spam over internet telephony (SPIT), also known as VoIP spam? These
unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk
mail.
Since it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation
of robocalls, allowing scammers to make illegal calls from anywhere in the world. It floods consumers and
businesses with marketing calls, surveys, and even identity theft scams, also known as vishing.
VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort.
This enables attackers to obtain information or facilitate additional scams against their targets. A February
report, for example, highlighted issues with certain VoIP phones that had insecure default configurations,
which allowed attackers to set up, receive and transfer calls, play recordings, upload new firmware and
even use victims’ devices for covert surveillance.
VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access
to avoid paying for telephone calls. VoIP phone consumers should avoid blindly relying on the
manufacturer’s default security settings and use strong passwords.
Figure 3: Fraud Losses Globally 2
2
http://cfca.org/fraudlosssurvey/2015.pdf

Summarily, Encountered Risks and Challenges
VoIP traffic fraud Toll Fraud
Caller ID Spoofing Attacks
Lack of VoIP and network security awareness
Wangiri, SPIT calls and DDoS attacks
Conversation Eavesdropping / Sniffing
Not implemented Proprietary policy rules and management of operation issues
Asset/source management problems and not measuring the Quality of Service
A New type of VoIP Attack
An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone
service with thousands of junk calls per minute from automated IP dialers. A phone DDoS attack could
cripple an organization that relies heavily on its phone systems. The method has even been used to
prevent fraud victims from calling their banks after large sums of money were stolen from their bank
accounts.
Security researchers from the University of California, Irvine; the Sapienza University of Rome; and the
University of Padua were able to reconstruct the sound of keystrokes as text from Skype voice and video
calls. Malicious eavesdroppers could use this method to intercept sensitive and personal information of
Skype users.
The researchers developed a new type of practical keyboard acoustic eavesdropping attack, which they
called “Skype & Type” (S&T). The idea behind this research was that many people do other activities, such
as typing on their keyboards, while they do VoIP (Voice-over-IP) calls.
According to the researchers’ paper 3 , VoIP software can acquire acoustic emanations of pressed
keystrokes and then transmit them to others in the call. Normally, this wouldn’t be an issue if you trusted
the person on the other side of the line, but calls could be intercepted, and the eavesdropper could be
capturing the VoIP users’ keystrokes.
An attacker could capture keystrokes this way with an accuracy of 41.89% if there is absolutely no
knowledge of the keyboard being used or of the target’s typing style. However, the accuracy goes up to
91.7% if there is some knowledge about the keyboard used and the user’s typing behavior.
IoT- Rise of the Connected Machines
The end of 2016 has witnessed a huge surge in the volume of DDoS attacks. Most have had one common
denominator – a botnet dubbed Mirai, a combination of various infected IoT devices, such as CCTV
cameras, DVRs, routers and more.
3
https://arxiv.org/pdf/1609.09359.pdf

Figure 4: Three of the major DDoS attacks conducted using IoT botnets
Although it is a very recent technology, the first signs for this new threat vector were visible in the past
two years, with malicious actors engaging in IoT exploitability and attacks utilizing these devices. As in
other threats that matured over the same period, online discussions and chatter on closed underground
forums proved to be valid precursors for new attack vectors and modi operandi.
Given this fact, these attacks, and those that followed are just a symptom of a process that transpires in
underground hacking communities. IoT botnets are not new. In 2015, for example, the source code of
Bashlite, another IoT botnet, was leaked online. Furthermore, the devices themselves, including CCTVs,
routers, and DVR were connected to the Internet long before 2016. However, bringing these devices
under one umbrella of IoT and the rapid growth in this field, combined with the interest it reused in a
variety of circles, had an effect on hacking communities. Since early 2016, we have seen a number of
hacking forums on the English-speaking underground with opening sections dedicated to IoT hacking.
Figure 5: Three of the Major DDoS Attacks Details 4 5
4
https://thehackernews.com/
5
http://www.hackmageddon.com/category/security/cyber-attacks-timeline/

The Year of the Data Breaches
With close to two billion records have been leaked from hundreds of websites and services, 2016 has
witnessed an exponential growth in data breach incidents. These incidents led to the compromise of
various user details, including email addresses, passwords, usernames, full names, phone numbers and
much more. These login credentials, which in many cases were reused on multiple platforms and services,
were stolen from social network websites, such as LinkedIn, Tumblr, VK, gaming platforms, adult content
websites, and others.
Figure 6: Top 10 data breaches 6
While closely monitoring activities on closed sources where many of the leaked databases are offered for
sale, we noticed a pattern – data stolen years ago is only now being offered for sale. This delay reveals an
interesting process regarding many high-profile data breaches.
Ransomware (with Strings Attached)
Although not a new phenomenon, 2016 was a record year for ransomware. The threat, which since late
2014 has shown exponential growth, both in sophistication and in sheer numbers, has, according to
several sources, peaked as the top malware during 2016. 7
With ransomware targeting various organizations, including defense, 8 healthcare 9 , and transportation 10
to name but a few, 2016 has been a highly “productive” year for ransomware distributors, with the record
from 2015 already shattered in Q1 of 2016. 11
6
Source: haveibeenpwned.com
7
https://antivirus.comodo.com/blog/computer-safety/locky-ransomware-leads-in-malware-infections/
8
http://www.securityweek.com/ransomware-attack-hits-cape-cod-police-department
9
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kansas-hospital-hit-byransomware-extorted-twice
10
http://www.usatoday.com/story/tech/news/2016/11/28/san-francisco-metro-hack-meant-free-ridessaturday/94545998/
11
https://blog.barkly.com/ransomware-statistics-2016

Added to the equation are the staggering numbers of new ransomware families and variants surfacing
during the past year. While known families, such as Locky, Cerber, and CryptXXX are making the rounds
around the globe, over 44,000 new variants of known ransomware have emerged. 12 Although many of
these variants did not evolve into a real ransomware trend, ransomware is worth mentioning while
reviewing 2016.
Figure 7: Overall ransomware infections by month and top ransomware detections in top countries- Source: Symantec and Microsoft
Common Cyber Events 13
With regards to Cyber Crime, the most important recent events are probably the news related to the
alleged hack against the Central Bank of Russia, happened on an unspecified date of 2016, and ensuring
a bounty of the equivalent of $31 million to the attackers, and the mega breach affecting the 82.5 million
users of Dailymotion. Other “minor” breaches impacted Shiseido (420,000 customers involved), Health
Solutions (35,000 records), Quest Diagnostic (34,000 records), and Kagoya (50,000 users affected).
And while SWIFT revealed that it is still warning banks of a new wave of attacks, the Mirai botnet was also
quite active: thousands of customers from TalkTalk, the UK Post Office, and Eircom have lost their internet
in the wake of yet another attack carried on by this IoT-powered botnet.
ThyssenKrupp was also on the spot when the news emerged of a sophisticated attack starting earlier in
February 2016 and discovered only in April of the same year. This was not the only important event in
Germany since the domestic intelligence agency reported an increase in targeted cyber-attacks against
political parties.
Moving to a different sector (Cyberwar), an important event has been registered in Saudi Arabia (and
apparently the outbreak is still ongoing) where a new version of the infamous Shamoon wiper malware
12
https://securelist.com/files/2016/12/KSB2016_Story_of_the_Year_ENG.pdf
13
http://www.hackmageddon.com/category/security/cyber-attacks-timeline/

(allegedly originating from Iran) has paralyzed eight Governmental institutions including the Central Bank
in November 2016.
A massive campaign occurred against Android users dubbed Gooligan, the return of the infamous Fancy
Bear APT group (AKA APT8), and another hack against Mark Zuckerberg’ Pinterest Account in November
2016.
Adultfriendfinder.com hacked again with the consequent leak of a stunning 412 million records. Other
massive breaches include the leak of 780,000 job applicants’ records suffered by Michael Page and the
one affecting the confidential personal records of over 34 million residents in the Indian state of Kerala
The City of El Paso has also been hit hard and robbed of about $3 million after a phishing scam, like Tesco
Bank, whose 9,000 customers had money stolen from their account for a total cost of the attack of GBP
2.5 M (USD 3M).
On the Cyber Espionage front, this fortnight has seen the return of APT28 and APT29, whilst the
Anonymous came out of the blue, DDoSing Scotland Yard in retaliation for the arrests during the annual
Million Mask March in London.
October 21, 2106, the day the internet died. will be remembered for ages, and, besides this event, which
is undermining our certainties, the list of the noticeable attacks is quite well populated: Weebly was hit
by a massive breach, probably occurred in February 2016 (43 million users), Foursquare is on the list as
well (23 million victims from a breach purportedly occurred in December 2013, even if the company did
not confirm it), AdultFriendFinder was also hit (again) and 73 million accounts are floating on the dark
web, and finally the details of 3.2 million cards belonging to customers of top Indian Banks were also
leaked in one of the worst incidents ever.
Other interesting events include the discovery of a long lasting campaign by the infamous APT28 AKA
Fancy Bear, (over 1,000 high-profile individuals across the globe between 16 March and 14 September
2015, and the return of Anonymous-affiliated hackers.
200 alleged Yahoo! accounts have been published on the Real Deal marketplace by Peace, the same
hacker who had previously sold the DB dumps of MySpace and LinkedIn.
But this has not been the only mega breach of this fortnight: 15 million Iranian users of Telegram have
been compromised by attackers tied with the infamous state-sponsored group Rocket Kitten, 3.7 million
customers of Banner Health, an Arizona-based healthcare group, have been equally compromised
(unfortunately the trail of massive breaches affecting healthcare continue), and finally, hackers belonging
to the Pravy Sector collective have dumped more than 150GB of data from Central Ohio Urology Group.
Other interesting events in cyber crime include the discovery of malware in 20 locations of HEI Hotels &
Resorts, the chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels, the hack against
Bitfinex, in which hackers made off with $65m worth of Bitcoins (£48m, €57m), creating a turmoil in the
value of the cryptocurrency, and the wave of DDoS attacks orchestrated by the PoodleCorp collective
against several video games portals such as Blizzard’s battle.net or the PlayStation Network.
And whereas the Anonymous turned their attentions mainly against Brazil, because of the Olympic Games
of Rio2016, the list of cyber espionage operation is really too long to summarize.
Pokemon GO is a massive phenomenon. So massive to attract the unwelcome attentions of the OurMine
and PoodleCorp crews, who purportedly took down the server infrastructure in two distinct attacks.

The OurMine collective was also involved in other primary Twitter accounts hijacks (Shuhei Yoshida, the
president of worldwide studios at Sony, and, John Hanke, the CEO of Niantic, the studio that developed
Pokemon GO), but also belonging to Sarah Silverman’s account was hacked in the same period.
Other massive breaches were reported, targeting Interpark, a South Korean E-Commerce Company (10.1
million users affected), and two video games: the forum of Clash of Kings (1.6 million) and Warframe
(775,000 users affected).
Two more weeks, two more mega breaches: the total of account siphoned from Tumblr and MySpace
exceeds 300 million setting a new unwelcome record. But that was not the only remarkable event for this
fortnight, which also revealed the real extent of the SWIFT hack, involving 12 additional banks.
The hacktivists were also quite active in this period: the Anonymous added other targets to their OpIcarus,
and also leaked 2 GB of data from 33 Turkish hospitals. Phineas Phisher, the infamous hacktivist behind
the attacks to Hacking Team and Gamma International was back, leaking the details of several cops from
the Catalan Police Union (and posting a tutorial on YouTube).
In this period also registered several Cyber Espionage operations, such as the attack against RUAG, a Swiss
defense contractor (probably orchestrated from Russia) and the operations Stealth Falcon (against Emirati
journalists, activists, and dissidents) and OilRig (against Saudi Arabian financial institutions and technology
organizations).
1.5 million: this is the number of customer records stolen from Verizon Enterprise Solutions, and put
published on an underground forum, in which can be considered the most important event of this
fortnight. This event has shadowed another massive breach, in Japan, where the local police have
discovered over 18 million user credentials hosted on a server of a local Japanese company, which allowed
Chinese hackers to use its infrastructure for their attacks. Last but not least, these two weeks have also
seen an unusual number of malvertising events with several high-profile victims.

The Anonymous were also quite active: most of all in the Philippines where hacktivists affiliated with the
movement have dumped the entire populations of voters, consisting of 55 million records. Other minor
operations hit Canada (a mining company), Kenya (a refinery), and Angola (28 government websites).
The Cyber War between India and Pakistan seems to be far from a conclusion. These two weeks have
reported two operations carried on by Pakistan against India, one of which is quite particular: a malicious
app uploaded in the Google Play Store, immediately become quite popular among the Indian Army, which
allowed the Pakistani to snoop on the enemy’s conversations.
Even if this fortnight has not been particularly rich of events from a mere numeric perspective, a few
breaches are destined to be remembered for long for the consequences not necessarily limited to the
InfoSec community. I am obviously talking about the Mossack Fonseca leak, the dump containing the
records of “50 million Turkish” citizens, and the 43 GB of data belonging to the Syrian Nation Agency for
Network Services. The list of the victims of massive breaches also included Naughty America with its 3.8
million accounts.
On the Cyber Espionage/Cyber War front, this has been quite a tough period for Sweden whose air traffic
control system has been allegedly targeted by Russian hackers (a solar storm according to the official
version). In the same days, the Swedish Armed force has revealed that their military computers were
hacked and used in an attack targeting major US banks in 2013… Not a great reward for a military network.
And while the Cyber War between Armenia and Azerbaijan reached new levels (with the involvement of
Turkish actors), there is nothing particularly meaningful to mention related to hacktivism. Like every year
hacktivists from all over the world threatened Israel in occasion of the so-called #OpIsrael declared for
April 7th. However, following the trend of the last few years, the damages (if any) were absolutely
negligible.
Regarding the first trend, there have been several noticeable events: a trove of passwords discovered in
the dark web (a total of more than 300 million accounts spread in two different leaks and belonging to
different services such as Google, Microsoft and mail.ru), and the alleged hack of two additional services
(Fling.com, an adult site, and Neopets, a virtual pet community), compromising millions of accounts.
The hacktivist has quite “hacktive” as well (it reminded me the “good old days”). Despite their action has
been limited to DDoS attacks, the list of the targets is quite long and includes, among the others, the Bank
of Greece and the Bank of England.
Other interesting events include the release of the leak of UAE Investbank and the discovery of a longlasting
campaign orchestrated by Iranian actors.
This fortnight has shown quite a high number of events, in terms of the impact the most important ones
hit two companies, a bank (Crelan) and an aerospace industry (FACC), which lost respectively USD 75.8
and 54.5 as the effect of a BEC (Business Email Compromise).
Another remarkable event concerns a “possible” hack of NASA. The term “possible” is more than justified
here since there are many doubts regarding the fact that the attack really happened.
And while Israel and Ukraine were the victims of more cyber-attacks against their critical infrastructures,
HSBC was flooded by a DDoS attack, the Cyber War between Armenian and Azerbaijani hackers added
new chapters, and the Anonymous continued their personal war against the Taiwanese government.

2017 Predictions
NOVA Research Center review some of the most important events of the year globally, and their impact
on the worlds of the ICT users. It is difficult to sum up everything in one phrase. Important issues that we
may encounter regarding cyber crime in 2017 are listed below 14 :
It will be hard to determine who participated in the attacks: With cyber-attacks playing an
increasingly important role in international relations, knowing who is doing the attacks will be a
fundamental problem in terms of steps such as political retaliation. The search for identification
will bring about an increase in the number of criminals who leave misleading clues about their
identity.
The Rise of Information Wars: In 2016, the World began to take the misuse of leaked information
seriously. Such attacks are expected to increase in 2017, and there is a risk that the attackers who
might benefit from the tendency of people to believe in this kind of data, disclose such
information as partially or fully manipulated.
Experts predict an increase in the number of attackers in the so-called "Robin Hood" style, which
attacks to systems for the good of the majority.
Increased Vulnerability against Cyber Sabotage: Critical infrastructures and production systems
of vital importance will continue to attract attackers in the geopolitical periods of tension, as long
as the internet remain connected, with little or no protection.
Mobile Espionage: Especially targeted are the mobile devices and as the security industry will
have difficulty in obtaining full access to mobile operating systems for forensic analysis, espionage
activities are expected to take place more often.
More Advanced Financial Attacks: It is anticipated that attacks such as the SWIFT robbery in 2016
will be improved using advanced methods. Resources that specialize in this matter will be shared
in underground forums or sold as services.
Payment Systems in Danger: Various payment systems are becoming increasingly popular and
are expected to attract more attention from attackers.
Break off the “Trust” in Ransomware: While experts predict that the rise of ransomware will
continue, they also anticipate that victims will no longer trust the attackers, that is, they will not
believe that their data will be returned if they make a payment. It is anticipated that this will be a
turning point for people ready to pay.
Device Integrity on Overcrowded Internet: There is a high risk that hackers will be able to handle
and pawn as many devices as possible, while Internet of Thing (IOT) devices vendors continue to
produce unprotected and vulnerable devices.
The Criminal Attraction of Digital Advertisements: In the next year, we will see like tracking and
targeting tools we are used to seeing in the advertising industry are being used to track so-called
activists and opponents. Similarly, ad networks that offer excellent destination profiling
capabilities through IP address combinations, browser information detection, interests, and sign
on selections will be used by targeted cyber-espionage agencies.
14
Kaspersky- Predictions for 2017 report.

NOVA Product Family and Customer Case Studies
As Department of Cyber Security at NETAS, we have cyber-security products and services namely,
Assessment Tools to find vulnerabilities, Penetration Test Service, and next-generation firewall, which are
all gathered under our brand NOVA. NOVA brand is a result of our studies on cyber security area with our
46 years of R&D experience. All the products are developed locally in Netas R&D labs. NOVA has cyber
security projects such as VoIP, WEB and IoT security, big data security analytics, mobile malware analysis
and security operation center.
Nova cyber security product family consists of 3 different products and penetration service.
Nova V-Gate – Detecting and preventing VoIP threats and frauds via IDS/IPS mechanism. V-GATE
is ready to accomplish your security by performing deep packet inspection, statistical and
behavioral analysis, detecting anomalies and preventing VoIP attacks, VoIP monitoring and
operational management via policy rule editor.
Nova MSP – Make a secure multimedia communication via Media Security Platform, NOVA MSP.
It can achieve secure media transfer enriched with various security methods and flexible crypto
algorithm usage, enabling secure voice and video communication, file and message transfer, and
whiteboard usage
Nova V-Spy – V-SPY is an automated enriched VoIP penetration test suite including a rich variety
of VoIP attack modules, detailed reports of security measures via the expert system.
Nova PenTest – Pentest Services test the applications, infrastructure and devices themselves to
ensure they are protected from VoIP, WEB and Unified Communications-related attacks.
www.novacybersecurity.com
Focus Sector
Telecommunication (Mobile, Internet, and VoIP Service Providers) Service Providers
Enterprise Companies
Honeypot
Issues
Financial and tax losses via Toll & Traffic Frauds
Denial of Service
Social engineering via Caller Id Spoofing
Eavesdropping and Privacy
Loss of reputation
Losses due to quality of product & service
Recommendations
Creating a secure VoIP infrastructure begins with identifying vulnerabilities and reporting
solutions. For this, it is advisable to use specialized vulnerability analysis tools and security experts
to detect logical errors.
Using VoIP Firewall products, which detect and prevent incidents and attacks by performing indepth
instant data analysis without delaying the voice traffic, with dynamic rule creation and
filtering against intelligent and unknown attacks. With application layer level analysis, they can
detect known attacks as well as the abnormal situations of zero-day attacks by performing
message analysis and status analysis. In addition to the network security, service abusing and
unauthorized call prevention with real-time alarms will be protected from big damages.

Using VoIP IDS/IPS products that will prevent VoIP traffic and toll fraud, identify social engineering
and contribute to operational management. It is possible to provide a complete solution by the
coercion of the legislator and cooperation of the operators.
Security measures in traditional data networks cannot be applied to the VoIP world. Without
performance problems, there must be applications that are working on time-critical data.
Standards for VoIP Security must be defined. It is recommended that separate security standards
be provided for producers, vendors, and users and ensuring compliance with these standards.
VoIP monitoring products should be used to increase the service quality by measuring VoIP
services.
VoIP Operational Management tools for prioritization and management of VoIP services
Handling secure mobile communications platform (secure voice, messaging and sharing) which
allows complete control over the infrastructure, enforcement of privacy and regulatory
compliance requirement.
Nova V-Gate
Most attacks targeting the VoIP infrastructure make use of the signaling technologies. SIP is the most
common signaling protocol used for VoIP communications. Therefore, an application level firewall is
required to protect the system. NETAS VoIP Firewall was designed in order to fulfill this requirement.
NETAS VoIP Firewall is not a solution that only detects anomalies and prevents attacks, but also detects
and prevents VoIP frauds such as toll fraud, premium rate services.
V-GATE is a modular, transparent, high-performance VoIP firewall aimed at protecting VoIP systems from
high costly, damaging attacks by preventing known and unknown application-layer attacks such as toll
fraud, premium rate services, Dos/DDoS/TDoS, brute force, fuzzing.
It is designed against attacks that lead to great damage, including damages that cause deactivation as well
as revenue and reputation loss. Nova V-GATE attack prevention system protects servers providing VoIP
communication against known and unknown attacks. It is the first domestic firewall preventing a broader
range of attacks compared to its international competitors and includes different detection and
prevention methods for toll frauds.
NOVA V-Gate, which started to work actively for our customers in 2016, reveals the existence of
unidentified attacks. Unfortunately, the same sensitivity is not shown for VoIP environments while the
Internet infrastructure is monitored regularly. By analyzing the data collected from our customers in 2016,
fraud calls in the VoIP infrastructure, caller id spoofing, and service interruption, making unauthorized
call/dropping authorized call, unbilled calls, and policy violation can be detected.

Figure 8: Nova V-Gate Components
Protocol Attack Detection
and Prevention
DOS/DDOS
Attacks from same IP or IP
groups
Attacks from different IP or IP
groups
Attacks from same user or user
groups
Attacks to same user or user
groups
FUZZING
SIP Syntax control
SQL Injection
SIP ANOMALY
Brute Force
Enumeration
Bye/Cancel Tear Down
CLI Spoofing
TRAFFIC FRAUD
Too Many Hops Detection
False Response Routıng
Trusted/Untrusted Route
Operational
Management
User Group and Prefix
User based Call Monitor
Flexible Policy Rule Editor
According to call
features, blocking or
allowing options
o Caller/Called
Number
o User/IP Groups
o Domain
o Message types
o Call direction
o Call time
o SDP Media
Information (Codec
type, media
attributes, etc.)
VoIP Monitoring
Call state monitoring
with cause codes
Successful calls
Error calls
Unsuccessful calls
Blocked calls by Nova
V Gate IPS
Multi-Contact Header
Support
LCR featured call
monitoring
Multi-source and
destination VoIP
Monitoring
Advance Reporting
Call state
monitoring
Trunk based call
monitoring
Data Analysis
Statistical data analysis on
CDR data
Group based call direction
report
Anomaly detection
Behavior-based user
analysis
Call number
Call duration
Call direction
Call time
Worktimes
Time off
Fraud Type definition
According to fraud types,
user group definition
Table 1: Nova V-Gate Components

Fraud Detection and Prevention with V-Gate
Traffic and Toll Fraud
IDS- Flexible, Multi Parameters Rule Policy
o Calls in a specific time frame:
o Weekdays, Weekends, Work-hours, Off-hours, etc.
o Certain numbers of Calls
o Certain duration of Calls
o Forwarded Calls
o International Calls
o Calls belonging to certain User Groups
o Calls towards groups
Real-Time Actions (IPS Proactive Approach)
o Alarm, Log
o Block next calls
o Rejection
o Termination of active calls
o Monitoring and Reporting Fraud suspected calls
Figure 9: Nova V-Gate IDS-IPS Components

Which types of fraud can be blocked with V-Gate?
Fraud Type
F1
F2
F3
F4
F5
F6
F7
F8
Fraud Scenarios
Small number of calls with long durations
Large number of calls with short durations
Long duration calls within a specific slice of time
Large number of calls towards specific category within a specific slice of time
Long duration calls towards specific category within a specific slice of time
Long duration multiple calls from the same user towards the same destination at the
same time
Large number of short duration calls from the same user towards the same destination
at the same time
Large number of Long duration calls towards specific category within a specific slice of
time
Samples of a Customer`s Data Generated By V-GATE
Table 2: Fraud Types prevented by Nova V-Gate
Figure 10 indicates most of the Fraud types observed in one of the Service Providers. It seems that
fraudulent users have tendency of making small numbers of long duration calls (F1 in Table 2) and of
making long duration calls in a specific period of times (F3 in Table 2)
Figure 10: Fraud Calls Percentage Based On Fraud Types
It can be figured out that prevented Fraud calls mostly are made towards regions with high calling charges
(See Figure 11 and Figure 12). Service Providers generally classify each international numbers based on
the calling price. While K5 is assumed as the most expensive international regions, K1 is the least. It is
inferred from the below figures (Figure 11 and Figure 12) that K5 as a destination Category and Uganda
as a destination country is the most targeted destination points by the fraudulent users.

Figure 11: Percentage of Fraud Calls Prevented
By V-GATE Based On Destination Category
Figure 12: Percentage of Fraud Calls Prevented
By V-GATE Based On Destination Country
Figure 13 gives average call durations for international calls made towards each call destination category.
It is obviously seen that there occurs a peak in call durations of calls towards K5 between 0.00 and 04.00.
This is a typical F1 Fraud type behavior which points out a small number of long duration calls. Fraudsters
generally prefer night hours to make long duration calls towards the high-cost destination numbers.
Mean Call Duration (sec)
F1 Fraud type (Small
number long duration)
can be seen among
the calls towards K5
Hour
Figure 13: Hourly Average Call Durations Based On Call Destination Category

VoIP Monitoring Results
• Outbound calls have higher error rates than inbound calls.
• Most of the Errors of call setup:
o
o
o
o
Decline (just only outbound calls)
Address Incomplete
Busy here
Service unavailable.
Suggestions for Effective Use:
• More effective network management rules can be defined on the V-GATE Group Based structure by
creating IP / Trunk / User Groups according to the IP and user information of the caller.
• Call management can be provided by creating Policy Rule to control internal and external hours
behavior.
• By controlling the call duration on a case-by-case basis, it is possible to limit the number of users
exceeding certain usage.
VoIP Monitoring Sample Results from Customer Sites:
In Figure 14 and 15, one of the VoIP Monitoring abilities of V-GATE can be examined. A customer can see
how much of the calls were successfully completed, how much of them remained unanswered, or how
much of them were ended with errors. Besides, the cause values of Error calls reported by V-GATE can
contribute to the customer awareness of the main causes of the errors in their traffic.
Figure 14: Percentage of Call Completion States
Figure 15: Percentage of ERROR Calls Based on Error
Reason

Nova MSP
We are providing protection with our NOVA MSP solution against the attack on mobile communications,
which has a rapidly growing share of security research in recent years. The MSP product, which was
started to be used in 2016, have end-to-end encryption, secure video conference, and encrypted file
transfer features. It prevents man in the middle attacks and data breaches. We are continuing our R&D
activities in this area and we aim to take our place in corporate messaging platforms and offer new
solutions with advanced features.
Nova V-Spy and Penetration Test
Last year, it has been observed that institutions with very large ICT systems (Adobe, eBay, etc.) are
exposed to cyber-attacks and data leaks, even though there are many defensive devices and applications.
The most important factor in the formation of this situation is now shown as changing the types and
methods of attack by changing the rules of the game. According to a study conducted, it is found that 66%
of these attacks are detected during a security breach, especially in large institutions. 87% of detected
security violations are discovered by external sources. After that, Offensive and defensive tools and
methods will be used together. Like an attacker, penetration test experts simulate hacking scenarios on
real production systems. In this regard, weaknesses and vulnerabilities in the organization can be detected
before the attack.
Figure 15: Cyber Security Evaluation
Network and Web application security assessment and evaluation process is performed by V-Spy and
Pentest service. By analyzing all the tests that can be done in a whole and not a partial view of security,
tests are carried out with an approach focused on the results that will benefit the customer.

In the tests we have done so far;
decrypting the encrypted security codes via capturing network packets and utilizing added value
penetration test
Spoofing the any customer’s phone number (caller id spoofing) and using this number to bypass
call center control mechanism (OTP Message).
Call generation with customer call center number to company’s customers
Information gathering from web services
VoIP PBX and network devices are vulnerable to password attacks (dictionary, brute force)
Detected vulnerable components to DDOS/TDOS attacks from Internal network
Active call dropping can be done with registered users on IP PBX management application
No monitoring or prevention solution detected on VoIP infrastructure.
Other security tests include password cracking, call eavesdropping, data leakage, call dropping, crashing
and slowing down systems, traffic and toll fraud, Premium rate services fraud, situations have been
identified. Operators' Traffic / Roaming / Toll Fraud attacks and IP-based blocking instead of user-based
losses are noteworthy.
NOVA Honeypot Results
The main location of this honeypot is the NETAS R&D labs in Turkey. It takes part in the isolated side
(Demilitarized Zone-DMZ) of the internal network. Simulation environment opened directly to the
Internet, all incoming requests are logged and statistical analyses are carried out. The packages used for
the attack was analyzed through deep packet inspection. Malware and payload commands are extracted
and stored.
Figure 17: NOVA Honeypot Architecture
Table 3 presents a short statistics, to get a better understanding of the data which was collected in the
honeypot. The numbers cannot be directly compared, but the table gives a short impression for the results

of the following analyses. The Dionaea collects more packets compared to Kippo honeypot because it
listens to more services ports compared to Kippo. However, Kippo detects a lot more source IP addresses.
The system in honeypot provides a larger range of destination IP addresses and collects all SIP messages
directed to the Asterisk PBX. However, in all of the components, the origin of the attack is very much alike.
Table 3: Basic Statistical Results of the honeypot
NOVA honeypot system, located in front of VoIP systems, was launched in June 2016. Until today, there
has not been any complicated malware attack, but Kippo has been attacked by various services. While
Telnet was the most popular service, attacks in worldwide were equally spread among other services. In
Figure 18, these attacks are port-based, and Figure 18 shows countries infographic. Attacks against
honeypot on Turkey most frequently come from China, Vietnam, Russia, Brazil, USA, and Canada.
Figure 18: Origin of Attack Globally
According to collected data, the most attacks came from SIP (port 5060) protocol. Although it is not open,
attackers tried to access to 23 ports through Telnet service. In password attacks, root/123456 and
admin/admin combination have been most tried. Another thing to notice is that IoT devices such as
raspberry pi and arduino are targeted when looking at the commands executed in SSH sessions and the
password attempts. A total of 1350 instances of malware were collected and the system was
compromised through the SSH service 9 times and the OS commands was executed. 436 Web addresses
(URLs) are used in the attack vectors. Although there were many VoIP message traffic during the
monitoring period, a full conversation was not established and no fraud case occurred.

Figure 19: Most Attacked Service
It is easy to say that 5060 port of the SIP (Session Initiation Protocol) which is a VoIP protocol is second in
the attack sequence as well as the most attacks come through the 23 port of the telnet protocol. When
the statistics are considered, it is seen that more than one attack is performed from the same IP addresses
so we think that most of the attacking clients could be automated vulnerability scanning tool, not a
human. We see that these automated tools perform operations such as port scanning, service discovery,
the discovery of operating system and vulnerability scanning in the scanned systems. For example, we
found some SQL query payloads to exploit SQL injection vulnerability in the attacking log.
When we look at the distribution of the attacking countries according to the time, we predict that a
specific attack tool is being accessed from different countries by using self-concealing methods such as
VPN and tor.
In the honeypot systems, we captured 200 malware sample. After the scanning that malware samples via
Virustotal which involve multiple antivirus engines, the results show that a unique malware family from
Conflicker Trojan based. It uses Microsoft MS08-67 vulnerability. Figure 20 shows that type of malware
distribution.
The NOVA Honeypot started working in June 2016. Therefore, we considered data collected over a period
of 6 months, from June 2016 to December 2016.

Figure 20: Type of Malware
We identified 210,862 common IP addresses among Dionaea, Kippo 965 IPs, and V-Gate 375 IPs. It further
endorses the hypothesis that attackers scan a wide range of IP addresses while performing SIP-based VoIP
attacks because a large IP-range was observed and these attackers were identified in each of them.
The number of common IP addresses suggests that only a small number of attackers are recurring in the
honeypots. Figure 21 shows the number of trying count from identified attackers IP during last 6 months.
For a clearer view, the y-axis is shown on a logarithmic scale. More than 90% of the attackers were
identified on less than 7 different days and only a small number of attackers was recognized more often.
We found an average occurrence of the same IP address of 3.2281 days in Dionaea, 2.1823 days in Kippo
and 1.9382 days in V-Gate. For further analyses, we focused on the globally active attackers which were
periodically identified in the honeypots.
800
700
600
500
400
300
200
100
Attack Counts per unique IP
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Dionaea Kippo V-Gate
Figure 21: Attack Counts from Same IP Addresses in the Dioanea, Kippo Honeypots and V-Gate
The top globally active attackers in the honeypots have the same source IP address. Table 4 shows the
identified long-term attackers in the honeypots with more than 60 days. All of them send only SIP
OPTIONS packets with exactly the same User-Agent and the same TO address. Some of the SIP TO

addresses were not defined at the honeypots, but the attacker used exactly the same string periodically.
It seems that the attacker was not interested in the specific response for this TO Address, but rather for
any request from the VoIP server. Most long-term scanners are from the USA, Canada, Germany, and the
France. The Days columns in the table which represent the days count for returning attackers from the
same IP in the honeypot. In both platforms, the attacker with the most days was last identified on 6th of
December 2016 (49 unique attacks).
Table 4: TOP 10 VoIP attacker's IP

Cyber Security R&D - NOVA Technology Development Group
E: info@novacybersecurity.com
T: +90 216 522 20 00
F: +90 216 522 23 62
W: http://novacybersecurity.com
NETAŞ Telekomünikasyon A.Ş.
Yenişehir Mahallesi Osmanlı Bulvarı No:11 34912
Kurtköy - Pendik / İstanbul