A ransomware attack against an unnamed target used Mitel VoIP equipment as an entry point to execute the code remotely and access the environment.
Crowdstrike, a cybersecurity firm, reported the findings, which tracked the source of the attack to a Linux-based Mitel VoIP device placed on the network perimeter. The firm also traced a previously unknown exploit as well as a couple of anti-forensic methods used by the actor on the device to delete evidence of the attacks.
The flaw, tracked CVE-2022-29499, was patched by Mitel in April 2022. It scores 9.8 out of 10 for severity on the CVSS vulnerability scoring system; the score categorises the flaw as critical.
“A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance,” the company noted in an advisory.
The flaw has two HTTP Get requests; these requests are used to obtain a specific resource from a server to initiate remote code execution by getting rogue commands from the attacker-controlled infrastructure.
CrowdStrike probed the incident and concluded that the attacker may have used the flaw to create a reverse shell, using it to set up a web shell (“pdf_import.php”) on the VoIP appliance and download the open-source Chisel proxy tool.
The binary was then effected but only when after its name was changed to “memdump” to avoid detection and use it as a “reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device.”
The disclosure arrives less than two weeks after German penetration testing firm SySS revealed two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could allow an attacker to gain root privileges on the devices.
“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” CrowdStrike researcher Patrick Bennett said.
“Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via ‘one hop’ from the compromised device.”
Reference
https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html
