Telephony Denial of Service attacks against 911 call centers.

Please reference the below resources for further explanation of Telephony Denial of Service (TDoS) attacks. In short, they are an automated or coordinated manual attack against 911 infrastructure designed to flood call centers’ voice lines, rendering them unable to respond to or make legitimate calls.

What can we do?

The Center for Internet Security (CIS) recommends the following:

                Preparation

• Partnership with Telecom carriers to understand their blocking and filtering capabilities.
• Remind employees to practice good security procedures and not disclose personal or organizational information to the callers.
• Develop a plan to record malicious calls.
• Ensure a secondary means of communication like Text to 9-1-1.

                During attacks

• Limit the number of phones the attacked number rings on.
• Segment and diversify voice infrastructure to different PRI, SIP trunks, VoIP routers or PBX.
• Note if the call appears to originate from a legitimate source. Sometimes victims of attacks can have their calls routed to other victims to create a “party line” attack. Report this to other victims and be prepared to combine resources to track attacks.
  
  
  
  

RESOURCES

The FBI recently released an article with similar info: https://www.ic3.gov/Media/Y2021/PSA210217.

A co-worker of ours, a fellow City employee, found their mobile phone no longer had phone service. When contacted, the mobile phone provider found the number was moved to another phone!

How does that happen?!?

What is a SIM?

A SIM (subscriber identity module) is a little computer chip inside your phone that is unique to you and tells the network where your calls should route. The phone company provides the SIM, and programs their network to identify your phone number with your SIM. 

What Happened?

An attacker targeted our co-worker with the intention of taking over the phone number. With the phone number, the attacker can access any computer account that uses the phone as a method of authentication and verification! Additionally, our personal email is often associated with text message backup access, so taking over email follows quickly in these attacks!

The intent in this attack was to steal money from online accounts (bank accounts, digital wallets, etc). Your phone could be an avenue into the City network as well, since we use our phones in MFA (multi-factor authentication) to get into our email and City resources.

This can happen to you!

How can I protect my mobile phone and accounts?

For any City-owned mobile phones, contact BTS immediately by calling 503-823-5199.

To protect your personal phone and accounts, stay aware and cautious. 

The Federal Trade Commission has advice to protect from SIM swap attacks: https://www.consumer.ftc.gov/blog/2019/10/sim-swap-scams-how-protect-yourself 

Also, talk to your mobile phone provider. They will have specific settings and configurations you can activate to protect you and your family.

If you have questions or want to discuss this further, please open a Cherwell ticket via the BTS Help Portal and it will be routed to the Information Security Team. 

In this ZDNet article, the author describes various major malware families that are catastrophic to organizations. If these malware strains are found on our network, we need to clean quickly and scan the rest of the network for additional infections:

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

On November 10th, 2020, Microsoft wrote an article outlining the dangers of using Phone-based Multi-Factor Authentication (MFA). They include both phone calls and SMS messages as dangerous due to the lack of security in the global phone system.

This is the latest in a series of changes recommending and now urging organizations like the City to move away from phone calls and text messages. The recommendation is to move to no-cost authentication applications like Microsoft Authenticator and Google Authenticator.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752

New Outlook Phishing Alert Button (PAB)

We are releasing a Phishing Alert Button (PAB) to both Outlook and the Office 365 web client. This feature will make it easier to report suspicious emails to BTS for review and take necessary action. Clicking on this button will report the suspicious email to BTS and delete the email from your mailbox. No further action is required from the user, like forwarding the email or opening a helpdesk ticket to report the suspicious email.

The below pictures show this feature option in different email clients.

Key Takeaways:

• New button added to the Outlook      and browser clients
• Clicking on the button will      report the e-mail to Helpdesk and Information Security
• Clicking on the button will      delete the email
• Clicking on the button for a suspicious e-mail, will not generate a helpdesk ticket
• E-mails reported in a pop-out      window will need to be closed manually

The button does not replace the reporting requirement if you click the link or open the suspicious email's attachment 

• Please reference QA Knowledge Article KCS6539
• Please reference Knowledge Article KCS6613
• Please      reference Escalation Article KCS6607