Threat actors have been observed exploiting a high-impact reflection/amplification vector to mount prolonged distributed denial-of-service (DDoS) attacks lasting up to 14 hours, with an amplification ratio of 4,294,967,296 to 1. The vector, dubbed TP240PhoneHome (CVE-2022-26143), has been used to launch large-scale DDoS attacks against ISPs, financial institutions, logistics companies, gaming companies, and other organizations.
“Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet,” reads a joint advisory by Akamai researcher Chad Seaman. “Attackers were actively leveraging these systems to launch reflection/amplification DDoS attacks of more than 53 million packets per second (PPS).”
DDoS reflection attacks typically involve spoofing a victim’s IP address in requests sent to an intermediary such as a DNS, NTP, or CLDAP server, so that the replies, which are considerably larger than the requests, are delivered to the spoofed source and leave the victim’s service unreachable. The first attacks were reportedly observed on February 18, 2022, using Mitel’s MiCollab and MiVoice Business Express collaboration platforms as DDoS reflectors, made possible by an unauthenticated test facility that had been inadvertently exposed to the public internet.
Akamai explained that this attack vector differs from conventional UDP reflection/amplification approaches: a single spoofed attack-initiation packet can trigger a sustained DDoS attack lasting up to 14 hours, yielding a record-breaking packet amplification ratio of 4,294,967,296:1. The attacks specifically target a driver named tp240dvr (“TP-240 driver”), which listens for commands on UDP port 10074 but is not supposed to be reachable from the Internet. Seaman added that it is precisely this exposure to the internet that ultimately allows the driver to be abused.
An examination of the tp240dvr binary indicates that, owing to its design, an attacker can in theory cause the service to answer a single malicious command with 2,147,483,647 responses. Each response puts two packets on the wire, for a total of 4,294,967,294 amplified attack packets directed at the target. Mitel responded by releasing software updates on Tuesday that restrict public access to the test facility, describing the problem as an access control vulnerability that could be abused to obtain sensitive information.
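For defenders, the distinguishing signature described above is a flood of UDP packets whose source port is 10074, traceable to a single trigger packet. The following added example (not code from the advisory or from Mitel) triages constructed flow records to flag hosts receiving such traffic (victims), hosts emitting it (exposed tp240dvr reflectors), and the observed response-to-request packet ratio per reflector/victim pair; the CSV column layout and the packet threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

# UDP port on which the tp240dvr driver listens, per the advisory.
TP240_PORT = 10074

# Constructed sample flow export (assumed column layout), not real traffic:
# 203.0.113.7 plays an exposed reflector, 198.51.100.20 the spoofed victim.
SAMPLE_FLOWS = """\
proto,src_ip,sport,dst_ip,dport,packets
udp,203.0.113.7,10074,198.51.100.20,443,950000
udp,203.0.113.7,10074,198.51.100.20,443,880000
udp,198.51.100.20,443,203.0.113.7,10074,1
udp,192.0.2.9,53,198.51.100.20,33400,12
tcp,203.0.113.7,10074,198.51.100.21,80,3
"""


def parse_flows(text):
    """Parse the CSV flow export, converting numeric fields to ints."""
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "packets"):
            row[key] = int(row[key])
        yield row


def triage(text, min_packets=100_000):
    """Summarise UDP/10074 traffic: likely victims, likely reflectors, and the
    response-to-request packet ratio per (reflector, victim) pair."""
    inbound = defaultdict(int)    # victim -> packets received from sport 10074
    outbound = defaultdict(int)   # reflector -> packets it sent from sport 10074
    responses = defaultdict(int)  # (reflector, victim) -> response packets
    requests = defaultdict(int)   # (reflector, victim) -> packets to dport 10074
    for f in parse_flows(text):
        if f["proto"] != "udp":
            continue  # tp240dvr is a UDP service; ignore other protocols
        if f["sport"] == TP240_PORT:
            inbound[f["dst_ip"]] += f["packets"]
            outbound[f["src_ip"]] += f["packets"]
            responses[(f["src_ip"], f["dst_ip"])] += f["packets"]
        elif f["dport"] == TP240_PORT:
            # A spoofed trigger packet carries the victim's address as source.
            requests[(f["dst_ip"], f["src_ip"])] += f["packets"]
    victims = {ip: n for ip, n in inbound.items() if n >= min_packets}
    reflectors = {ip: n for ip, n in outbound.items() if n >= min_packets}
    ratios = {pair: responses[pair] / req for pair, req in requests.items()}
    return {"victims": victims, "reflectors": reflectors, "ratios": ratios}
```

Flow exports taken near the victim will usually not contain the spoofed trigger at all, so the ratio is only computable from records collected on the reflector's side of the network.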