CrowdStrike researchers recently investigated the compromise of a Mitel VOIP appliance as an entry point in a ransomware attack against the network of an organization.
The attackers exploited a remote code execution zero-day vulnerability on the Mitel appliance to gain initial access to the target environment. The zero-day was coded as CVE-2022-29499 and received a CVSS score of 9.8.
“A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance.” reads the advisory for this flaw published by the vendor.
The experts determined that the malicious activity had originated from an internal IP address associated with a Linux-based Mitel VOIP appliance sitting on the network perimeter that did not have the CrowdStrike Falcon sensor installed on it.
The forensic investigation revealed that the attackers attempted to remove the files and overwrite free space on the device.
The attack chain involved two HTTP GET requests used to retrieve a specific resource from a remote server and execute the malicious code.
“The exploit involved two GET requests. The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation.” reads the analysis published by Crowdstrike experts. “This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses.”
The responses to the requests demonstrated that the threat actors used the exploit to create a reverse shell.
Once created the reverse shell, the attacker set up a web shell named pdf_import.php.
The threat actor also downloaded the Chisel tunneling/proxy tool onto the VOIP appliance, then renamed it memdump before executing it. The attackers used the tool as a reverse proxy to allow the threat actor to make lateral movements within the environment via the VOIP device.
“when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant.” concludes the report. “Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via “one hop” from the compromised device. In particular, it’s critical to isolate and limit access to virtualization hosts or management servers such as ESXi and vCenter systems as much as possible. This can involve jump-boxes, network segmentation and/or multifactor authentication (MFA) requirements. “
The popular security researcher Kevin Beaumont reported there are nearly tens of thousand devices publicly accessible, most of them in the U.S., followed by the U.K., Canada, and France.
(SecurityAffairs – hacking, Mitel VOIP)