On August 11th, 2018, the 911 non-emergency call center in Howard County, Maryland was in crisis; not for the types of calls flooding into dispatchers, but simply for the sheer numbers. The center, which usually receives 300 to 400 calls a day, was now getting 2500 in a 24-hour span of time. The center, which takes calls for everything from home security alarms going off to cats getting stuck in trees, was overwhelmed. What was going on?
James Cox, a network-server team manager for the Howard County government, was tasked with answering that question. It turns out a lone foreign actor created this crisis. “The phone system doesn’t care who you are,” Cox explained. “You hit that 10-digit number and the phone rings. There’s no check and there’s no balance.”
The bad actor had one goal in mind: money. Wreaking havoc on the county added up to about two to three thousand dollars for the adversary, and once they stopped making money, the calls stopped. “Thanks to our partnership with Cisco Talos and some of the intel it was able to find, it turned out that this actor was being paid by a third party to tie up the phone lines by having long conversations,” Cox said.
The hacker launched what’s called a telephony denial-of-service (TDoS) attack.
Here’s how it works. He or she buys up phone numbers through a third party and uses a server based in Europe, making it look like a local number. That makes it an international call, which carriers have to pay for, allowing the third party to profit. For their part, the hacker makes pennies for the minutes they tie up a phone line.
Matt Olney, Cisco Talos Manager of Threat Detection and Interdiction, says this is not a new trend, but it’s one they take seriously. In this case, Talos quickly deployed threat researchers, which was easy because there’s a Talos office located in Howard County.
“Between our experts’ ability to track the actor’s activities and the work Howard County had already done, we were able to confidently determine that Howard County was not targeted in an effort to disrupt their operations,” Olney said. “This was an economically motivated attack.”
Howard County worked with Cisco partner SecureLogic to implement a firewall for the phone system. That firewall uses intelligence that allows it to automatically detect and block calls based on blacklists, whitelists and its own machine learning. For example, if the same number is calling twenty times, the firewall will blacklist that number right away.
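As an added illustration (not SecureLogic's or Howard County's code), the sketch below applies the allowlist, blocklist and repeat-caller logic described above to constructed call records. Only the threshold of twenty comes from the article; the one-hour window, the class and function names, and the phone numbers are assumptions.

```python
from collections import Counter, defaultdict, deque

class CallFilter:
    """Allowlist, blocklist, then a per-caller threshold that auto-blocks."""

    def __init__(self, allowlist=(), blocklist=(), threshold=20, window_s=3600):
        self.allow = set(allowlist)
        self.block = set(blocklist)
        self.threshold = threshold      # 20 comes from the article
        self.window_s = window_s        # assumption: the article gives no window
        self.recent = defaultdict(deque)  # caller -> call times inside the window

    def check(self, caller, ts):
        """Return 'allow' or 'block' for a call from `caller` at second `ts`."""
        if caller in self.allow:        # known-good numbers are never rate limited
            return "allow"
        if caller in self.block:
            return "block"
        times = self.recent[caller]
        times.append(ts)
        while times[0] <= ts - self.window_s:   # drop calls older than the window
            times.popleft()
        if len(times) >= self.threshold:        # threshold reached: block from now on
            self.block.add(caller)
            del self.recent[caller]
            return "block"
        return "allow"

def replay(calls, **settings):
    """Run (ts, caller) records in time order; count blocked calls per caller."""
    flt = CallFilter(**settings)
    blocked = Counter()
    for ts, caller in sorted(calls):
        if flt.check(caller, ts) == "block":
            blocked[caller] += 1
    return blocked, flt.block

# Constructed call records (fictional 555-01xx numbers), not data from the incident.
REPEAT, ALARM, RESIDENT, SLOW = "+14105550100", "+14105550111", "+14105550122", "+14105550133"
SAMPLE_CALLS = (
    [(i * 30, REPEAT) for i in range(25)]       # 25 calls in about 12 minutes
    + [(i * 10, ALARM) for i in range(30)]      # busy but allowlisted alarm vendor
    + [(t, RESIDENT) for t in (5, 400, 900)]    # ordinary caller
    + [(i * 3600, SLOW) for i in range(20)]     # 20 calls, one per hour
)

if __name__ == "__main__":
    blocked, blocklist = replay(SAMPLE_CALLS, allowlist={ALARM})
    print(dict(blocked), blocklist)
```

The counter keys on the presented caller number, so it catches repeats from the same number, as in the article's example; the allowlist entry shows why a high-volume legitimate caller needs to be exempted before the threshold is applied.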
While he wishes this attack never happened, Cox believes the county is now better positioned to prevent something like this from ever happening again. “We’re grateful to both Cisco Talos and SecureLogic for finding solutions that are easily integrated into our platform.”
Cox talked about the lessons he learned from this during the second annual Talos Threat Research Summit, a sold-out one-day conference for security professionals who are also attending Cisco Live.