cloud pbx, Modern Workplace, skype for business, Tech Expert, Video Conferencing | 2020/09/28 at 3:12pm

Has your PBX (or Skype for Business Conference) been hacked?

by Jason Jacobs


Working for a Modern Workplace & Managed Service Provider (MSP) like Insync Technology can bring some curious and interesting issues my way. 

Issue description:

This week one of our customers reported some strange behaviour on their telco bill. Within the span of 48 hours, 1000+ outgoing calls were made to various international numbers, all from a single phone number. What made things worse, the supposed user making these outgoing calls was high up on the corporate ladder! Let’s call him Executive “JDoe”. Luckily, the telco was able to block any further international calls coming from JDoe’s number to avoid further charges. It was at this point that the issue came our way. Now it was up to us to figure out what had happened.

Investigation:

The customer runs a Skype for Business Server 2015 on-premises deployment, and all telephony services interface with Skype for Business via a Ribbon SBC 1000 voice gateway. The first place to start was the trusty “Skype for Business Monitoring Reports”.

Only a single audio call was made to “JDoe” during this 11-hour period. Well, this cannot be it.

Let us keep looking…

BINGO! According to the list of conferences for this user, we see that “JDoe” hosted a Skype conference which started at 1:25:53am on 19 August 2020. Within minutes, multiple PSTN callers were added to the conference. PSTN callers are added continuously for another 90 minutes, at which point the conference ends. Another conference starts and the whole process repeats. Note how most of the conferences use the same conference ID.

The key was realizing that despite “JDoe” hosting the conference, this user never actually joined any of these conferences from their Skype account. The time stamps also give it away; “JDoe” was fast asleep at 1:25:53am.
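The pattern that gave the game away above (a conference "hosted" by an organizer who never joined, started in the middle of the night, with a non-internal participant driving a burst of PSTN dial-outs) can be turned into a repeatable triage check. The following PowerShell is an added example, not code from the original post or from Microsoft's Monitoring Reports; the participant records, their field names (SessionId, ConferenceId, Organizer, Actor, ActorType, Event, Target, Time) and the addresses and numbers in them are constructed to mirror the incident, and in practice you would populate them from your own CDR export.

```powershell
# Added example: flag conference sessions that look like dial-out toll fraud.
# Records are constructed; field names are assumptions, not the CDR schema.

function New-Record {
    param($Session, $Conf, $Organizer, $Actor, $ActorType, $Event, $Target, $Time)
    [pscustomobject]@{
        SessionId = $Session; ConferenceId = $Conf; Organizer = $Organizer
        Actor = $Actor; ActorType = $ActorType; Event = $Event
        Target = $Target; Time = [datetime]$Time
    }
}

# Constructed sample data (hypothetical addresses and numbers).
$records = @(
    # Session s1: the legitimate meeting on conference ID 12345; the organizer joins.
    New-Record 's1' '12345' 'jdoe@corp.example' 'jdoe@corp.example'  'Internal' 'Join'    $null      '2020-08-18T11:30:00'
    New-Record 's1' '12345' 'jdoe@corp.example' 'asmith@corp.example' 'Internal' 'Join'   $null      '2020-08-18T11:31:00'
    New-Record 's1' '12345' 'jdoe@corp.example' 'asmith@corp.example' 'Internal' 'DialOut' '+15550100' '2020-08-18T11:35:00'
    # Session s2: same conference ID, 01:25 the next night, organizer absent,
    # a federated account joins and the session dials out repeatedly.
    New-Record 's2' '12345' 'jdoe@corp.example' 'guest@external.example' 'Federated' 'Join' $null '2020-08-19T01:25:53'
    1..8 | ForEach-Object {
        New-Record 's2' '12345' 'jdoe@corp.example' 'guest@external.example' 'Federated' 'DialOut' "+1555010$_" ('2020-08-19T01:{0}:00' -f (27 + $_))
    }
    # Session s3: an unrelated, benign meeting with one internal dial-out.
    New-Record 's3' '67890' 'asmith@corp.example' 'asmith@corp.example' 'Internal' 'Join'    $null      '2020-08-19T14:00:00'
    New-Record 's3' '67890' 'asmith@corp.example' 'asmith@corp.example' 'Internal' 'DialOut' '+15550199' '2020-08-19T14:05:00'
)

function Find-SuspiciousConferences {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $DialOutThreshold = 5,   # dial-outs in one session that alone warrant a look
        [int] $BusinessHoursStart = 7,
        [int] $BusinessHoursEnd = 19
    )
    foreach ($group in ($Records | Group-Object SessionId)) {
        $s         = $group.Group
        $organizer = $s[0].Organizer
        $joins     = @($s | Where-Object Event -eq 'Join')
        $dialOuts  = @($s | Where-Object Event -eq 'DialOut')
        $organizerJoined   = [bool]($joins | Where-Object Actor -eq $organizer)
        $externalDialOuts  = @($dialOuts | Where-Object ActorType -ne 'Internal')
        $start    = ($s | Sort-Object Time | Select-Object -First 1).Time
        $offHours = ($start.Hour -lt $BusinessHoursStart) -or ($start.Hour -ge $BusinessHoursEnd)

        $reasons = @()
        if ($externalDialOuts.Count -gt 0) { $reasons += 'non-internal participant dialled out' }
        if (-not $organizerJoined -and $dialOuts.Count -gt 0) { $reasons += 'organizer never joined' }
        if ($dialOuts.Count -ge $DialOutThreshold) { $reasons += "$($dialOuts.Count) dial-outs" }
        if ($offHours -and $dialOuts.Count -gt 0) { $reasons += 'dial-outs outside business hours' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SessionId    = $group.Name
                ConferenceId = $s[0].ConferenceId
                Organizer    = $organizer
                Start        = $start
                DialOuts     = $dialOuts.Count
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

# Only session s2 is reported; s1 and s3 stay quiet.
Find-SuspiciousConferences -Records $records | Format-Table -AutoSize
```

Each reason is reported independently, so a single internal user making a handful of dial-outs during the day is not flagged, while a session with any dial-out by a federated or anonymous participant always is, regardless of volume. Tune the threshold and business hours to your own call patterns.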

A Skype for Business conference can only be generated in one of two ways:

  1. From Microsoft Outlook calendar using the “New Skype Meeting” button. This will generate a conference ID on the Skype for Business server and allow people to join the meeting immediately (even if the conference is scheduled for the future). It simply creates the virtual meeting space and allows you to send the meeting join URL to any email address.
  2. From the Skype for Business client using the “Meet now” button. This will also generate a conference ID, but it will also join you into the Skype meeting automatically using your Skype for Business PC client.

All of this could mean one of two things:

  • Someone got hold of the Active Directory username/password for “JDoe”, logged in as them, and started creating Skype conferences from their account using Microsoft Outlook Calendar. (We know that “Meet Now” was not used because we don’t see “JDoe” in the meeting.)
  • Someone got hold of a legitimate conference ID, or Join URL, and was able to enter the conference unencumbered.

Our security team ruled out the first option by checking sign-in logs against Active Directory. All authorisations for “JDoe” were legitimate. This leaves us with only one option: the “hacker”, in this case dyonnes@dyonnimlanches.onmicrosoft.com, got hold of a Meeting URL, happily joined themselves into the meeting and started calling PSTN numbers. It turns out the first time that Conference ID was used was for a legitimate meeting on 18/08/2020 at 11:30am.

Why did this happen?

Now that we know WHAT happened, we need to figure out WHY, and how to prevent it in the future.

Skype for Business Server 2015 has several settings in the Conferencing Policy that control who can join a conference and what they can do from it.

Looking at the first few settings we see the following:

There are 4 types of users that can join a conference:

  1. A Skype user from the same organization
  2. A Skype user from another organization/domain (federated user)
  3. Anyone with access to the Meeting URL. This joins them via a web browser as a guest; this is also known as an anonymous user.
  4. A PSTN dial-in user

In this case, dyonnes@dyonnimlanches.onmicrosoft.com is seen as a federated user. But here is the catch: all federated users that join a conference are also treated as “non-EV” (not Enterprise Voice enabled) users. This means that if the Conferencing Policy setting allowing non-EV users to dial out is ticked, any federated user can make outbound PSTN calls from the conference.

Of course, this issue led me to multiple internet searches, and I must give credit to “Flinchbot” for this article, which confirmed my suspicion:

https://flinchbot.com/ucnow/index.php/2016/11/28/conference-participants-and-dial-out/

In summary, here is what happened:

  1. JDoe creates a new Skype meeting from his Outlook client for 18/08 at 11:30am
  2. Somehow, dyonnes@dyonnimlanches.onmicrosoft.com gets hold of the meeting URL and can join the meeting from their own Skype for Business PC client. (Scheduled meetings can be joined for 14+ days after the scheduled date; if you have the join URL, you can join.)
  3. dyonnes@dyonnimlanches.onmicrosoft.com is seen as a non-EV federated user and can make outbound PSTN calls from the meeting.

As for how they got hold of the meeting URL, this could happen any number of ways. The meeting invite could have been sent to an already compromised external party, which is outside our control.

Solution:

Disable PSTN dial out for federated users:

Only Skype users from within your organization will now be able to dial out to the PSTN from a conference.

Alternative prevention:

Another preventative measure, albeit controlled by the users themselves, is to modify the Skype for Business meeting options from Outlook. This way you can prevent “Anyone” from bypassing the lobby even if they get their hands on the meeting join URL.
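Both measures above (turning off PSTN dial-out for non-EV participants in the Conferencing Policy, and stopping unknown joiners from walking straight past the lobby) can be audited and applied from the Skype for Business Server Management Shell. The snippet below is an added example and not the post's own commands; it uses the standard Get-/Set-CsConferencingPolicy and Set-CsMeetingConfiguration cmdlets and their documented parameters, and assumes a single Global meeting configuration. Every change is run with -WhatIf first so you can review the scope before committing.

```powershell
# Added example: audit and harden the two settings discussed in this post.
# Run in the Skype for Business Server Management Shell. Cmdlets and parameter
# names are the standard SfB Server 2015 ones; policy identities come from your
# own deployment. Remove -WhatIf once the listed scope is what you expect.

# 1. Audit: which conferencing policies (global, site and user scoped) still let
#    participants not enabled for Enterprise Voice, which includes federated
#    users, dial out to the PSTN from a conference?
Get-CsConferencingPolicy |
    Select-Object Identity,
                  AllowNonEnterpriseVoiceUsersToDialOut,
                  AllowAnonymousParticipantsInMeetings,
                  EnableDialInConferencing |
    Format-Table -AutoSize

# 2. Fix: disable non-EV dial-out in every policy that still allows it.
#    Internal users who are themselves Enterprise Voice enabled keep dial-out.
Get-CsConferencingPolicy |
    Where-Object AllowNonEnterpriseVoiceUsersToDialOut -eq $true |
    ForEach-Object {
        Set-CsConferencingPolicy -Identity $_.Identity `
            -AllowNonEnterpriseVoiceUsersToDialOut $false -WhatIf
    }

# 3. Lobby defaults: seed the Outlook meeting options so new meetings do not
#    admit anonymous users automatically and only company users are presenters.
#    Users can still change these per meeting, so this complements step 2
#    rather than replacing it.
Set-CsMeetingConfiguration -Identity Global `
    -AdmitAnonymousUsersByDefault $false `
    -DesignateAsPresenter Company -WhatIf

# 4. Verify: after removing -WhatIf, this should return nothing.
Get-CsConferencingPolicy |
    Where-Object AllowNonEnterpriseVoiceUsersToDialOut -eq $true |
    Select-Object Identity
```

Step 2 is the one that actually closes the hole described in this post: once AllowNonEnterpriseVoiceUsersToDialOut is false, a federated (non-EV) participant who joins with a leaked URL has nobody to bill the calls to. Step 3 only changes the defaults that the Outlook add-in picks up for new meetings; existing invitations keep whatever lobby options they were created with, which is why the dial-out policy change comes first.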