Mitel zero-day used by hackers in suspected ransomware attack

Hackers used a zero-day exploit on Linux-based Mitel MiVoice VOIP appliances for initial access in what is believed to be the beginning of a ransomware attack.

Mitel VOIP devices are used by critical organizations in various sectors for telephony services and were recently exploited by threat actors for high-volume DDoS amplification attacks.

In a new report by CrowdStrike, the company says that a zero-day remote code execution flaw, now tracked as CVE-2022-29499 (CVSS v3 score: 9.8 – critical), was used to gain initial access to the network.

Although the attack was stopped, CrowdStrike believes the zero-day was used as part of a ransomware attack.

A Mitel zero-day RCE vulnerability

The vulnerability lies in the Mitel Service Appliance component of MiVoice Connect, used in SA 100, SA 400, and Virtual SA, allowing an attacker to perform remote code execution (RCE) in the context of the Service Appliance.

The problem is caused by insufficient data validation for a diagnostic script, allowing remote unauthenticated attackers to inject commands using specially crafted requests.

The exploit involves two GET requests, one sent to the device targeting a “get_url” parameter of a PHP file and the second generated on the device itself, causing a command injection that performs HTTP GET requests to the attacker’s infrastructure.

The threat actors used the vulnerability to create a reverse shell by leveraging FIFO pipes on the targeted Mitel device, sending outbound requests from within the compromised network.

With the reverse shell established, the intruder created a web shell (pdf_import.php) and downloaded a reverse proxy tool called “Chisel,” to reduce the chances of detection while moving laterally in the network.

Crowdstrike also mentions anti-forensic efforts from the threat actor, who attempted to delete all files in the compromised devices using the "dd" overwrite command. However, the analysts could retrieve evidence from the /tmp partition and recover HTTP access logs.

While no official patch has been released, Mitel addressed it on April 19, 2022, by releasing a remediation script for MiVoice Connect versions 19.2 SP3 and earlier and R14.x and earlier.

According to security researcher Kevin Beaumont, there are over 21,000 publicly accessible Mitel devices online, with the majority located in the United States, followed by the United Kingdom.

As at least one ransomware operation is believed to be exploiting this vulnerability, with more soon likely to follow, it is strongly encouraged that admins apply the mitigations as soon as possible.

For more information on the provided solution, Mitel urges partners and enterprise customers to follow this link to the firm's support portal, while additional details can be found in the relevant security bulletin.

BleepingComputer has contacted CrowdStrike asking why they believe it was a ransomware attack and will update this article with their response.