Ransomware Attacks – Mitel VoIP Bug Now Exploited!

Researchers warn that threat actors are using a new remote code execution exploit to gain initial access to victims’ systems.

Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) appliance & using it as a springboard to plant malware on targeted systems.

The critical remote code execution (RCE) issue, tracked as CVE-2022-29499, was first reported by CrowdStrike in April as a zero-day vulnerability & is now patched.

Business Phone Systems

Mitel is well known for providing business phone systems & unified communication as a service (UCaaS) to organisations of all kinds. Mitel focuses on VoIP technology, which lets users make phone calls over an internet connection instead of regular telephone lines.

According to CrowdStrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 & Virtual SA. MiVoice provides a single interface that brings all communications & tools together.

Exploited

Researchers at CrowdStrike recently investigated a suspected ransomware attack. The team handled the incident quickly but believes the vulnerability (CVE-2022-29499) was involved in the ransomware strike.

CrowdStrike traced the origin of the malicious activity to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a new remote code execution exploit.

Further Analysis

“The device was taken offline & imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennett wrote in a blog post.

The exploit involves two GET requests. The first targets a “get_url” parameter of a PHP file, & the second originates from the device itself.

“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.

HTTP GET

The second request triggers the command injection: the device performs an HTTP GET request to attacker-controlled infrastructure & executes the command retrieved from the attacker’s server.

According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command & “openssl s_client” to send outbound requests from the compromised network.

The “mkfifo” command creates a named pipe (a special FIFO file) at the path given as its argument, which multiple processes can open for reading or writing.
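A defender-side way to spot the chain just described in process telemetry is to correlate a mkfifo run with an openssl s_client connection to a non-internal host by the same account shortly afterwards. The following detector is an added example, not code from the article or from CrowdStrike; it assumes a hypothetical one-record-per-line process log of the form `<epoch_seconds> <user> <command line>`, and the sample records (including the 203.0.113.10 documentation address) are constructed for the example.

```python
"""Detect the mkfifo + openssl s_client reverse-shell pattern in process telemetry.

Added example; not code from the article or from CrowdStrike. Assumes a
hypothetical process log with one record per line:
    <epoch_seconds> <user> <command line>
All sample records below are constructed.
"""
import ipaddress
import re

# Constructed telemetry. A web-server account creates a FIFO and, seconds later,
# opens an outbound TLS client session to a non-internal address, which is the
# chain the article describes. The "backup" account shows a benign ordering and
# an internal destination; neither must fire.
SAMPLE_PROCESS_LOG = """\
1650000000 root /usr/sbin/cron -f
1650000010 www-data mkfifo /tmp/.s
1650000012 www-data openssl s_client -quiet -connect 203.0.113.10:443
1650000300 backup openssl s_client -connect 10.0.0.5:8443
1650000400 backup mkfifo /var/run/backup.fifo
1650000900 www-data mkfifo /tmp/other
"""

WINDOW_SECONDS = 60  # max gap between the FIFO creation and the TLS client

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MKFIFO_RE = re.compile(r"(?:^|[;&|]\s*)(?:/usr/bin/)?mkfifo\b")
CONNECT_RE = re.compile(r"openssl\s+s_client\b.*?-connect\s+([^\s:]+):(\d+)")


def is_internal(host):
    """True only for RFC 1918 / loopback addresses; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_record(line):
    ts, user, cmd = line.split(" ", 2)
    return int(ts), user, cmd


def find_reverse_shell_candidates(log_text, window=WINDOW_SECONDS):
    """One finding per openssl s_client run that follows a mkfifo by the same
    user within `window` seconds and connects to a non-internal host."""
    last_mkfifo = {}  # user -> timestamp of that user's most recent mkfifo
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, cmd = parse_record(raw)
        if MKFIFO_RE.search(cmd):
            last_mkfifo[user] = ts
            continue
        m = CONNECT_RE.search(cmd)
        if not m or user not in last_mkfifo:
            continue
        host, port = m.group(1), int(m.group(2))
        age = ts - last_mkfifo[user]
        if 0 <= age <= window and not is_internal(host):
            findings.append({"user": user, "ts": ts,
                             "dest": f"{host}:{port}", "fifo_age_s": age})
    return findings


if __name__ == "__main__":
    for f in find_reverse_shell_candidates(SAMPLE_PROCESS_LOG):
        print(f"ALERT user={f['user']} dest={f['dest']} fifo_age={f['fifo_age_s']}s")
```

On the constructed log this yields a single alert for the www-data account; the ordering check (FIFO first, client second) and the internal-address allow-list keep the backup account's legitimate use of both commands quiet. On a real appliance the same logic would run over auditd or EDR process-creation events rather than this simplified format.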

Reverse Shell

Once the reverse shell was established, the attacker created a web shell named “pdf_import.php.” The original content of the web shell was not recovered, but the researchers identified a log file that includes a POST request to the same IP address that the exploit originated from.
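The two web-facing indicators the article gives, the “get_url” parameter on the initial GET request and the later POST to “pdf_import.php” from the same source IP, can be pulled out of an ordinary access log and correlated. The triage script below is an added example, not code from the article or from CrowdStrike; its log lines are constructed in Apache “combined” style with documentation addresses, and the PHP path carrying `get_url` is a placeholder because the article does not name the file.

```python
"""Triage a web-server access log for the indicators described above and
correlate them by source IP.

Added example; not code from the article or from CrowdStrike. Log lines are
constructed; /PLACEHOLDER.php stands in for the unnamed PHP file that takes the
`get_url` parameter.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [12/Apr/2022:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Apr/2022:10:01:09 +0000] "GET /PLACEHOLDER.php?get_url=http://198.51.100.7/x HTTP/1.1" 200 13
10.0.0.20 - - [12/Apr/2022:10:02:30 +0000] "GET /PLACEHOLDER.php?get_url=http://intranet.example/a HTTP/1.1" 200 13
203.0.113.44 - - [12/Apr/2022:10:05:00 +0000] "GET /login.php HTTP/1.1" 200 900
198.51.100.7 - - [12/Apr/2022:10:07:12 +0000] "POST /pdf_import.php HTTP/1.1" 200 88
"""

# Apache combined format: client IP, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_access_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def triage(log_text):
    """Flag get_url requests, pdf_import.php requests, and the IPs seen in both."""
    get_url_hits, webshell_hits = [], []
    for rec in parse_access_log(log_text):
        parts = urlsplit(rec["target"])
        params = parse_qs(parts.query)
        if "get_url" in params:
            rec = dict(rec, get_url=params["get_url"][0])
            get_url_hits.append(rec)
        if parts.path.endswith("/pdf_import.php"):
            webshell_hits.append(rec)
    # The first exploit request has to come from outside, so external sources
    # carrying get_url are the interesting subset.
    external_get_url = [r for r in get_url_hits if not is_internal(r["ip"])]
    correlated = sorted({r["ip"] for r in external_get_url}
                        & {r["ip"] for r in webshell_hits})
    return {"get_url_hits": get_url_hits, "external_get_url": external_get_url,
            "webshell_hits": webshell_hits, "correlated_ips": correlated}


if __name__ == "__main__":
    result = triage(SAMPLE_ACCESS_LOG)
    for r in result["external_get_url"]:
        print(f"external get_url from {r['ip']} -> {r['get_url']}")
    for r in result["webshell_hits"]:
        print(f"{r['method']} {r['target']} from {r['ip']} status {r['status']}")
    print("correlated source IPs:", result["correlated_ips"])
```

The correlation step is the useful part: a lone request with a `get_url` parameter may be legitimate application traffic, but an external IP that first hits that parameter and later POSTs to a freshly created PHP file matches the sequence the investigation recovered. Because the attacker deleted the appliance's files, logs forwarded off-box (or a reverse proxy's logs) are what make this check possible after the fact.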

The adversary also downloaded a tunnelling tool called “Chisel” onto the VoIP appliance to pivot further into the network without being detected.

CrowdStrike also identified anti-forensic techniques the threat actors used to conceal their activity.

Deleted All Files

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device.

This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, & even evidence of specific anti-forensic measures taken by the threat actor,” explained Bennett.

Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 & earlier. No official patch has been released yet.

Vulnerable Mitel Devices on Shodan

In a Twitter thread, security researcher Kevin Beaumont shared the Shodan query string “http.html_hash:-1971546278” for finding vulnerable Mitel devices.

According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the US, followed by the UK.

Mitigation Recommendations

CrowdStrike recommends that organisations tighten their defences by performing threat modelling & identifying malicious activity. The researcher also advised segregating critical assets from perimeter devices so that access is restricted if a perimeter device is compromised.

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett concluded.
