1.8 Million Credential Attacks Target Business Phone Systems as CloudSEK Records 15 Million SIP Events

Researchers uncover 1.86 million credential attempts and nearly 90,000 suspected toll-fraud calls in just 18 days

Internet-facing business telephone systems are being targeted through sustained and automated attacks designed to steal credentials and generate fraudulent international calls, CloudSEK researchers have found.

During an 18-day observation period, a controlled Session Initiation Protocol, or SIP, honeypot recorded more than 15.18 million telemetry events, representing approximately 3.79 million SIP requests from 323 source IP addresses.

The campaign included 1,869,521 authentication attempts against 29,433 telephone extensions and 89,465 attempted calls, indicating a coordinated attack pipeline moving from reconnaissance and password spraying to suspected financial fraud.

CloudSEK researchers recovered a live attacker dictionary containing 277,632 unique passwords and 1.49 million extension-password combinations. The plaintext password used could be determined in 96.09% of all credential attempts.

The findings show that attackers were not relying only on weak passwords. The dictionary also contained medium- and high-complexity credentials, suggesting the use of device defaults, previously exposed passwords and attacker-curated wordlists.

UK Numbers Dominated Suspected Toll-Fraud Activity

Of the 89,465 attempted calls, 47,273 targeted United Kingdom numbers, primarily across a limited set of rural and Northern Ireland ranges.

The activity was consistent with International Revenue Share Fraud, in which criminals attempt to use compromised or misconfigured business phone systems to call revenue-generating numbers, leaving the victim organisation responsible for the charges.

Attackers repeatedly dialled the same destinations using different international and outbound prefixes to identify a format permitted by the PBX. One UK number was attempted using more than 80 prefix variations.
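The prefix-cycling behaviour described above can be surfaced from a PBX's own INVITE or call-detail logs. The following is an added detection sketch, not code from CloudSEK's report or this article: it groups dialled strings by their trailing digits and flags any source that tries several prefixes for the same destination. The sample records, the fixed 10-digit suffix, the alert threshold and the function names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

SUFFIX_LEN = 10    # assumption: trailing digits that identify the destination
MIN_VARIANTS = 3   # assumption: distinct prefixes per source before alerting

# Constructed sample: (source IP, user part of the INVITE Request-URI).
SAMPLE_INVITES = [
    ("192.0.2.10", "00442896496001"),
    ("192.0.2.10", "+442896496001"),
    ("192.0.2.10", "9011442896496001"),
    ("192.0.2.10", "900442896496001"),
    ("192.0.2.10", "02896496001"),
    ("198.51.100.7", "00442896496002"),
    ("198.51.100.7", "00442896496002"),  # same format repeated, one variant
    ("203.0.113.5", "1001"),             # short internal extension, ignored
]

def split_dialled(dialled):
    """Return (prefix, destination_key), or None if the string is too short."""
    digits = re.sub(r"\D", "", dialled)
    if len(digits) < SUFFIX_LEN:
        return None
    plus = "+" if dialled.strip().startswith("+") else ""
    return plus + digits[:-SUFFIX_LEN], digits[-SUFFIX_LEN:]

def find_prefix_probing(invites, min_variants=MIN_VARIANTS):
    """Map (source, destination_key) -> sorted prefixes when a source tried
    at least min_variants different prefixes for the same destination."""
    seen = defaultdict(set)
    for source, dialled in invites:
        parts = split_dialled(dialled)
        if parts is None:
            continue
        prefix, key = parts
        seen[(source, key)].add(prefix)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_variants}

if __name__ == "__main__":
    for (source, key), prefixes in find_prefix_probing(SAMPLE_INVITES).items():
        print(f"{source} probed ...{key} with {len(prefixes)} prefixes: {prefixes}")
```

Matching on a fixed-length suffix is a simplification; a production rule would normalise numbers against the PBX dial plan before grouping.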

Credential Replays Point to a Wider Operation

Researchers also identified 45,580 authentication attempts containing credentials or authentication realms harvested from other systems.

These included references to Asterisk, Intelbras, Grandstream and STARFACE systems, as well as external and private IP addresses associated with other PBX environments.

The findings indicate that some attackers may be maintaining a broader collection of scanned or compromised phone systems and reusing harvested authentication material across multiple targets.

Attacks Originated Primarily from Hosting Infrastructure

CloudSEK found that 99.8% of source-attributed traffic originated from datacenter or hosting ranges, while 93.5% of attacker IP addresses were already listed by third-party intelligence services as known sources of abuse.

The campaign operated continuously throughout the day, indicating unattended automation. Attackers also spoofed legitimate device identities, including FreePBX, Cisco, Polycom and Avaya, to make malicious traffic appear genuine.

“The activity shows that attacks against business telephone systems have evolved into an automated operation that moves from discovery and credential attacks to attempted financial exploitation,” said Vikas Kundu, Threat Intelligence Researcher, CloudSEK.

“Organisations should restrict public access to SIP services, replace default and reused credentials, monitor repeated authentication failures and limit international or premium-rate calling unless operationally required,” Vikas Kundu added.

The study was conducted using a controlled honeypot that recorded attack activity but did not accept credentials or complete any calls.
