Home>Blog>The Hacker News Headlines>Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack
The Hacker News Headlines

Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack

Mitel VoIP Zero-Day

A suspected ransomware intrusion against an unnamed target
leveraged a Mitel VoIP appliance as an entry point to achieve
remote code execution and gain initial access to the
environment.

The findings[1]
come from cybersecurity firm CrowdStrike, which traced the source
of the attack to a Linux-based Mitel VoIP device sitting on the
network perimeter, while also identifying a previously unknown
exploit as well as a couple of anti-forensic measures adopted by
the actor on the device to erase traces of their actions.

The exploit in question is tracked as CVE-2022-29499[2]
and was fixed by Mitel in April 2022. It’s rated 9.8 out of 10 for
severity on the CVSS vulnerability scoring system, making it a
critical shortcoming.

“A vulnerability has been identified in the Mitel Service
Appliance component of MiVoice Connect (Mitel Service Appliances –
SA 100, SA 400, and Virtual SA) which could allow a malicious actor
to perform remote code execution (CVE-2022-29499) within the
context of the Service Appliance,” the company noted[3]
in an advisory.

The exploit entailed two HTTP GET requests[4]
— which are used to retrieve a specific resource from a server — to
trigger remote code execution by fetching rogue commands from the
attacker-controlled infrastructure.

In the incident investigated by CrowdStrike, the attacker is
said to have used the exploit to create a reverse shell, utilizing
it to launch a web shell (“pdf_import.php”) on the VoIP appliance
and download the open source Chisel[5] proxy tool.

The binary was then executed, but only after renaming it to
memdump[6]” in an attempt to fly
under the radar and use the utility as a “reverse proxy to allow
the threat actor to pivot further into the environment via the VOIP
device.” But subsequent detection of the activity halted their
progress and prevented them from moving laterally across the
network.

CyberSecurity

The disclosure arrives less than two weeks after German
penetration testing firm SySS revealed[7]
two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and
CVE-2022-29855) that, if successfully exploited, could allow an
attacker to gain root privileges on the devices.

“Timely patching is critical to protect perimeter devices.
However, when threat actors exploit an undocumented vulnerability,
timely patching becomes irrelevant,” CrowdStrike researcher Patrick
Bennett said.

“Critical assets should be isolated from perimeter devices to
the extent possible. Ideally, if a threat actor compromises a
perimeter device, it should not be possible to access critical
assets via ‘one hop’ from the compromised device.”

References

  1. ^
    findings
    (www.crowdstrike.com)
  2. ^
    CVE-2022-29499
    (nvd.nist.gov)
  3. ^
    noted
    (www.mitel.com)
  4. ^
    HTTP GET
    requests     (developer.mozilla.org)
  5. ^
    Chisel
    (github.com)
  6. ^
    memdump
    (www.kali.org)
  7. ^
    revealed
    (thehackernews.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.