Mitel VoIP Bug Exploited in Ransomware Attacks
Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.
Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard to plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first reported by Crowdstrike in April as a zero-day vulnerability and is now patched.
Mitel is best known for providing business phone systems and unified communications as a service (UCaaS) to organizations of all kinds. Mitel focuses on VoIP technology, which allows users to make phone calls over an internet connection instead of regular telephone lines.
According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. MiVoice provides a simple interface that brings all communications and tools together.
**Bug Exploited to Plant Ransomware**
Researchers at Crowdstrike recently investigated a suspected ransomware attack. The team handled the intrusion quickly, but believes the vulnerability (CVE-2022-29499) was involved in the ransomware strike.
Crowdstrike traced the origin of the malicious activity to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code execution exploit.
“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennett wrote in a blog post.
The exploit involves two GET requests. The first one targets a “get_url” parameter of a PHP file and the second one originates from the device itself.
“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.
The second request triggers the command injection: the device itself performs an HTTP GET request to attacker-controlled infrastructure and runs the command stored on the attacker’s server.
According to the researchers, the adversary used the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl_client” to send outbound requests from the compromised network. The “mkfifo” command creates a special file (a named pipe) at the specified path, which multiple processes can open for reading or writing.
Once the reverse shell was established, the attacker created a web shell named “pdf_import.php”. The original content of the web shell was not recovered, but the researchers identified a log file containing a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto the VoIP appliance to pivot further into the network without being detected.
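The two request patterns described above, the externally sourced request carrying a “get_url” parameter and the later hits on the “pdf_import.php” web shell, both leave traces in the appliance’s web server access log. The following scanner is an added example (not CrowdStrike’s or Mitel’s code) that flags those traces in constructed combined-format log lines; the PHP file names other than pdf_import.php, the IP addresses and the timestamps are made up, and only the “get_url” parameter name and the web shell name come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" style.
# Paths, IPs and timestamps are invented; "get_url" and "pdf_import.php"
# are the indicators named in the incident write-up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2022:10:15:01 +0000] "GET /vulnerable.php?get_url=http://198.51.100.5/cmd HTTP/1.1" 200 512
127.0.0.1 - - [01/Apr/2022:10:15:02 +0000] "GET /internal.php?get_url=http://localhost/status HTTP/1.1" 200 88
203.0.113.7 - - [01/Apr/2022:10:15:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024
203.0.113.7 - - [01/Apr/2022:10:16:10 +0000] "POST /pdf_import.php HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WEBSHELL_NAME = "pdf_import.php"          # web shell name recovered by the responders
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def looks_like_url(value: str) -> bool:
    """True when a parameter value is an absolute http(s) URL, i.e. a server-side fetch target."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)

def classify(line: str):
    """Return (source_ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target = m.group("src"), m.group("method"), m.group("target")
    split = urlsplit(target)
    findings = []
    # Finding 1: a request from outside the device hands the appliance a URL to fetch
    # via get_url. That is the first request of the chain, used because the vulnerable
    # URL itself only accepted requests from the device's own address.
    if src not in LOOPBACK:
        for value in parse_qs(split.query).get("get_url", []):
            if looks_like_url(value):
                findings.append(("get_url_fetch_from_external", value))
    # Finding 2: any access to the web shell dropped after the reverse shell was up.
    if split.path.endswith("/" + WEBSHELL_NAME):
        findings.append(("webshell_access", method))
    return src, findings

def scan(log_text: str):
    """Return only the lines that produced at least one finding."""
    return [res for res in map(classify, log_text.splitlines()) if res and res[1]]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG):
        print(src, findings)
```

On a real appliance the same logic would run over the exported web server access log; the loopback request on the second sample line is deliberately left unflagged because the page describes the device making its own internal request as part of normal behaviour of the chain, and it cannot be told apart from legitimate local traffic by URL alone.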
Crowdstrike also identified anti-forensic techniques the threat actors performed to conceal their activity.
“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.
Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier, although no official patch has been released yet.
**Vulnerable Mitel Devices on Shodan**
In a Twitter thread, security researcher Kevin Beaumont shared the search string “http.html_hash:-1971546278” for finding vulnerable Mitel devices on the Shodan search engine.
According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, followed by the United Kingdom.
**Mitel Mitigation Recommendations**
Crowdstrike recommends that organizations tighten their defenses by performing threat modeling and identifying malicious activity. The researcher also advised segregating critical assets from perimeter devices to limit access in case a perimeter device is compromised.
“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.