Massive Scan of the Internet for SIP Servers

Here is a link to a recent presentation for an analysis of a massive scan of the entire IPV4 address range for SIP servers:

So what was the motive of the individual/group doing the scanning? It could be a lot of things, but there is a good chance the scanner was looking for SIP servers to use to freely originate calls into the network for a variety of attacks, including voice SPAM, voice phishing, Telephony Denial of Service (TDoS), and possibly toll fraud (inbound calls that hairpin out to premium numbers). I would be particularly concerned about TDoS - if the attacker has found a large collection of SIP servers used to originate calls, they could easily use them to overwhelm an enterprise and/or contact center.