CrowdStrike researchers recently investigated the compromise of a Mitel VOIP appliance as an entry point in a ransomware attack against the network of an organization.
Mitel VOIP devices are used by critical organizations in various sectors for telephony services and were recently exploited by threat actors for high-volume DDoS amplification attacks.
The Mitel Service Appliance component of MiVoice Connect contains this vulnerability, and this component is used in the following devices:
- SA 100
- SA 400
- Virtual SA
According to new findings by CrowdStrike, a zero-day remote code execution flaw, CVE-2022-29499 (severity score 9.8, rated critical), was used to gain initial access.
Although the attack was stopped, CrowdStrike believes the zero-day was used as part of a ransomware attack.
The experts determined that the malicious activity had originated from an internal IP address associated with a Linux-based Mitel VOIP appliance, which did not have the CrowdStrike Falcon sensor installed.
The forensic investigation revealed that the attackers attempted to remove the files and overwrite free space on the device.
The exploit involves two GET requests (HTTP requests used to retrieve a specific resource from a server) to trigger remote code execution. However, there is currently no official patch available.
Finally, administrators should implement the mitigations as soon as possible so that they are as effective as possible.