It's a dangerous world

16 mei 2022

 

It's a dangerous world

Since a few days, several 3CX partners worldwide noticed their customers PBX'es being compromised.
This was almost always the result of outdated PBX'es or weak security on user extensions and/or administrator access.
Call fraud often leads to unexpected high charges by your VoIP provider, when it's already too late. Prevention is always better than cure!

It all starts with being up to date!
3CX puts a lot of effort actively finding and fixing security vulnerabilities.
These fixes are rolled out by 3CX updates and hotfixes.
Please update your PBX'es as soon as possible to Version 18 update 3 (build 461).
More information regarding the most recent 3CX hotfix is to be found here.

Be carefull ignoring the flags, weak credentials open doors
3CX shows warning flags in the management console whenever weak credentials are in use.
Those flags have detailed information when being hovered to inform you of what's going on. Please take immediate action when you notice these flags!

What leads to call fraude?
Sloppy outbound rule configuration.
There should not be any kind of "loose" outbound rule. A good practice is to have separate rules for international numbers and national/local numbers.
With the international numbers being restricted the most.

Lax allowed countries list.
The list of allowed country codes under the “Security” page should be strict and adjusted to the needs of each customer.
You should never enable all countries out of ease or think that you will adjust them later on. By default, this is restricted to the country where you installed the 3CX System for the purpose of reducing call fraud.
When dialing an international number, the system will then check if there is a matching outbound rule and if the country code is allowed before letting the call pass through your VoIP Provider.

Don't be that Guy!
3CX recently published a series of articles discussing the latest call fraud and hacking schemes they observed in the channel.
° Don’t be “THAT” Guy Vol.1: Keep Complex Credentials
° Don’t be “THAT” Guy Vol.2: Call Fraud
° Don’t be “THAT” Guy Vol.3: Top 4 PBX Security Tips