A Mitel VoIP appliance was used as the entry point in a suspected ransomware intrusion against an undisclosed target: the attacker achieved remote code execution on the device and used it to gain initial access to the environment.
The findings come from cybersecurity company CrowdStrike, which also uncovered a previously unknown exploit and several anti-forensic measures the actor used on the device to hide its tracks. The attack originated from a Linux-based Mitel VoIP device on the network perimeter. The underlying vulnerability, tracked as CVE-2022-29499, was patched by Mitel in April 2022. It carries a CVSS severity score of 9.8 out of 10, making it a critical flaw.
“A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance,” the company noted in an alert.
The exploit used two HTTP GET requests (the request type used to fetch a specified resource from a server) to achieve remote code execution, retrieving malicious commands from attacker-controlled infrastructure. In the incident CrowdStrike investigated, the attacker is said to have used the vulnerability to plant a web shell (“pdf_import.php”) on the VoIP device, establish a reverse shell, and download the open-source Chisel proxy tool.
The binary was renamed “memdump” to evade detection and then executed, giving the threat actor a foothold to push further into the environment from the VoIP device. Once the activity was discovered, however, they were unable to continue or move laterally across the network. The disclosure came less than two weeks after German penetration testing company SySS identified two security holes in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could give an attacker root privileges on the affected devices.
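The two device-side indicators described above, requests to the web shell and a Chisel build running under the name “memdump”, can be triaged from an appliance's access log and process list. The following is an added example, not code from CrowdStrike or Mitel; the log lines and process entries are constructed, and the Go module path used to recognise a renamed Chisel binary is an assumed indicator based on Go embedding the main module path in compiled binaries.

```python
import re

WEBSHELL_NAME = "pdf_import.php"          # web shell name reported by CrowdStrike
# Chisel is a Go program; Go binaries embed their main module path, so a renamed
# copy still carries this string (assumed indicator, not from the original report).
CHISEL_MODULE_PATH = b"github.com/jpillora/chisel"

# Common-log-format line: client ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_webshell_requests(log_text, shell_name=WEBSHELL_NAME):
    """Return (client_ip, path) for every request whose path names the web shell."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and shell_name in m.group("path"):
            hits.append((m.group("ip"), m.group("path")))
    return hits

def looks_like_chisel(binary):
    """True if the file bytes carry Chisel's embedded Go module path."""
    return CHISEL_MODULE_PATH in binary

def renamed_tools(processes):
    """processes: iterable of (process_name, file_bytes); return names hiding a Chisel build."""
    return [name for name, data in processes if looks_like_chisel(data)]

# --- constructed sample data (hypothetical, not from the incident) ---
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Apr/2022:10:02:11 +0000] "GET /pdf_import.php HTTP/1.1" 200 64
203.0.113.7 - - [01/Apr/2022:10:02:12 +0000] "GET /pdf_import.php HTTP/1.1" 200 80
"""
SAMPLE_PROCS = [
    ("sshd", b"\x7fELF...sshd"),
    ("memdump", b"\x7fELF...github.com/jpillora/chisel/share/..."),
]

if __name__ == "__main__":
    print(find_webshell_requests(SAMPLE_LOG))   # two hits from 203.0.113.7
    print(renamed_tools(SAMPLE_PROCS))          # ['memdump']
```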
According to CrowdStrike researcher Patrick Bennett, timely patching is essential to securing perimeter devices, but it is of no help when threat actors exploit a vulnerability that is not yet known. Critical assets should therefore be isolated from perimeter devices to the greatest degree possible: if a threat actor compromises a perimeter device, crucial assets should not be reachable in a single step from that device.