logo

THE 5060 SIEGE - Industrialized Attacks Against the SIP Telephony Ecosystem

ID: a6fd7a1c-c0d8-569e-8159-89600c65f2c8

STIX ID: report--a6fd7a1c-c0d8-569e-8159-89600c65f2c8

Feed Name: CloudSEK Blog

Threat Score
72/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

...
...

Over an 18-day window a SIP honeypot recorded 15.18M events revealing an industrial-scale campaign of SIP registration brute-force (1,869,521 auth attempts yielding 277,632 unique passwords and ~1.5M ext/password pairs) plus 89,465 toll‑fraud call attempts heavily targeting UK revenue-share ranges. The activity was concentrated in datacenter-hosted infrastructure (not consumer endpoints), predominantly from OVH ranges, used curated wordlists and rotated identities while maintaining stable tooling fingerprints; the honeypot rejected all authentication attempts, so the value is intelligence (wordlists, targets, tooling, infrastructure), not an observed breach.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.