One interesting development that we have seen from ThreatSTOP log analysis (see example above from one of our passive monitors) is that there are many attacks on SIP ports. I'm not sure what vulnerability the attackers are trying to exploit but it is clear that there is some vulnerability that the cyber criminals are seeking to penetrate.

For enterprises (including ThreatSTOP) that use VoIP as their primary telecomunications method this is worrying as there is no obvious way to determine whether a SIP initiation is valid or not unless you can form an opinion on the originator. Hence if there is a vulnerability it is almost impossible to block it since blocking means you also stop legitimate incoming phone calls.

The traffic also indicates an attack on Microsoft Port Map (epmap/tcp port 135)and this is likely to be connected. In fact the evidence suggests that today's Microsoft update fixes a port knocking vulnerability where the trigger is to first hit port 135 and then attempt a SIP connection. The vulnerability is probably something to do with Microsoft's various communications suites and the fact that it is being attacked now indicates that this is an attack based on the criminals figuring out a vulnerability on this months "patch Tuesday's" patch list.

For people without ThreatSTOP there is a timing problem. The longer you verify that the various patches don't break things, the longer you remain vulnerable to hackers who have already found a weakness they can exploit.