Mitel MiVoice VoIP Appliances got exploited due to an RCE flaw

July 6, 2022

Threat actors have exploited a zero-day vulnerability in Linux-based Mitel MiVoice VoIP appliances. Researchers said the flaw was used to gain initial access in an attempted ransomware attack.

According to a published threat advisory, the zero-day is a remote code execution (RCE) vulnerability tracked as CVE-2022-29499. The flaw lies in the Mitel Service Appliance component of MiVoice Connect, and the threat actors took advantage of it to gain initial access to the network.

Fortunately, the ransomware attack was stopped by the quick reaction of a cybersecurity team, although the intrusion is possibly only one part of a wider ransomware campaign. Successful exploitation of the vulnerability gives the intruder remote code execution in the context of the Service Appliance.

As of now, approximately 20,000 Mitel devices are publicly accessible on the internet, most of them in the UK and the US.

The flaw is exploitable because a diagnostic script on the appliance lacks sufficient input validation. That missing validation allows attackers to inject commands through specially crafted requests.

The exploit consists of two GET requests. The threat actors send the first request to a targeted device with a get_url parameter pointing at a file; that file causes the device to issue the second request, which triggers the command injection.
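The root cause described above is a classic one: a parameter meant to hold a URL is passed to a shell without validation. The following is an added example, not Mitel's code and not taken from the advisory, showing how such a get_url parameter can be validated before use and how the same check can be run over web-server access logs to flag requests that would have failed it. The parameter name get_url comes from the article; the endpoint path /diag/fetch, the use of curl, and the log lines are assumptions constructed for the example.

```python
"""
Added example (not Mitel's code, not from the advisory): hardening a
diagnostic endpoint that accepts a get_url parameter against command
injection, and reusing the validator to scan access logs for requests
that would have failed it.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Characters that mean something to /bin/sh; a URL handed to a fetch
# tool should never contain any of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_command(get_url: str) -> str:
    """The anti-pattern: the untrusted parameter is spliced straight into
    a shell command line (the kind of missing validation the article
    describes). Returned as a string only; never executed here."""
    return f"curl -s {get_url}"


def validate_get_url(get_url: str) -> bool:
    """Accept only a plain http(s) URL with a hostname and no shell
    metacharacters; everything else is rejected."""
    if not get_url or len(get_url) > 2048:
        return False
    if SHELL_META.search(get_url):
        return False
    parts = urlsplit(get_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    return True


def safe_fetch_argv(get_url: str) -> list[str]:
    """Hardened form: validate first, then build an argv list so that no
    shell ever parses the value. Raises ValueError on rejection."""
    if not validate_get_url(get_url):
        raise ValueError("rejected get_url")
    return ["curl", "-s", "--", get_url]


# Constructed access-log lines (Apache combined format) for the demo;
# the hostnames and client addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2022:10:01:02 +0000] "GET /diag/fetch?get_url=http%3A%2F%2Fupdates.example.net%2Fcheck HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2022:10:01:09 +0000] "GET /diag/fetch?get_url=http%3A%2F%2F203.0.113.7%2Fa%3Bid HTTP/1.1" 200 77
10.0.0.9 - - [06/Jul/2022:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_suspicious_requests(log_text: str) -> list[dict]:
    """Return every request whose decoded get_url value fails validation.
    parse_qs percent-decodes the value, so an encoded ';' is caught."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)
        for value in query.get("get_url", []):
            if not validate_get_url(value):
                hits.append({"client": client, "time": ts,
                             "get_url": value, "status": status})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The validator is deliberately strict (scheme allow-list, hostname required, no shell metacharacters) rather than trying to escape a shell string; combined with an argv list instead of a shell command, the second request can never be reinterpreted as a command. Running the same validator over historical access logs is a cheap way to look for past exploitation attempts against an exposed appliance.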

The adversaries also used the flaw to create a reverse shell using FIFO pipes on the targeted Mitel device, which then sent outbound requests from inside the compromised network.

The threat actors also created a web shell and downloaded Chisel, a reverse proxy tool that reduces the chance of being detected by security solutions while they move inside the compromised network.

Furthermore, the report described anti-forensic efforts: the adversaries wiped files on the compromised devices by overwriting them with the dd command.

Mitel has published a remediation script for MiVoice Connect version 19.2 and older. Experts recommend that administrators apply the provided mitigation immediately.
