New ransomware targets Mitel VoIP appliances in a massive cyber attack
A new ransomware operation is targeting Mitel VoIP appliances, using them to gain initial access and then perform remote code execution. Mitel is a global business communications company that provides unified communications, collaboration, and customer experience technology.
The cybersecurity firm CrowdStrike has reported a recent ransomware intrusion that entered the targeted organization through a Linux-based Mitel VoIP appliance. The firm further notes that the threat actor also worked to hide traces of the activity.
According to a source, the vulnerability used for the intrusion is tracked as CVE-2022-29499. It has been rated 9.8 out of 10 for severity.
A spokesperson from Mitel said, “A vulnerability has been identified in the Mitel Service Appliances component of MiVoice Connect (Mitel Service Appliances- SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliances.”
According to CrowdStrike, the threat actor used the malware to create a reverse shell and then ran a series of commands through it to control the device. A shell is an interactive user interface that interprets and executes a user's commands; in a reverse shell, the compromised device itself opens a connection out to the threat actor, who then issues commands over that connection. Once a threat actor has established a reverse shell by exploiting a vulnerability, they can take advantage of the system's weaknesses and direct the device to perform tasks by starting shell sessions and gaining access.
Once the threat actor had a reverse shell, they could launch a web shell on the VoIP appliance to download the Chisel proxy tool, a fast TCP/UDP tunnel transported over HTTP and secured via SSH. The threat actor then used the Chisel proxy to pivot further into the environment from the device.
According to the German penetration testing firm SySS, the Mitel appliance had two distinct flaws, and exploiting either of them could give a threat actor access to the device.
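The two footprints described above (a shell driven from a network socket, and a tunnelling binary such as Chisel spawned beneath it) are the kind of thing a defender can look for in process telemetry from a Linux appliance. The following is an added example written for this article, not code from CrowdStrike, Mitel or the Chisel project. The telemetry format is an assumption (one record per process start, with the type of its inherited stdin/stdout and any remote peer, roughly as an EDR agent or auditd-style collector might report it), and the sample events and addresses are constructed.

```python
"""Flag reverse-shell, web-shell and tunnelling behaviour in process telemetry.

Added example for this article; not code from CrowdStrike, Mitel or Chisel.
The record format is an assumption about what a process-start collector on a
Linux appliance might emit.
"""

# Constructed sample telemetry for a hypothetical Linux VoIP appliance.
# 'stdin'/'stdout' say what kind of file descriptor the process inherited;
# 'remote' is the peer of any network connection the process holds.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 1,   "comm": "httpd",  "stdin": "null",   "stdout": "pipe",   "remote": None},
    {"pid": 204, "ppid": 101, "comm": "sh",     "stdin": "socket", "stdout": "socket", "remote": "203.0.113.5:4444"},
    {"pid": 310, "ppid": 2,   "comm": "bash",   "stdin": "tty",    "stdout": "tty",    "remote": None},
    {"pid": 415, "ppid": 204, "comm": "chisel", "stdin": "null",   "stdout": "null",   "remote": "203.0.113.5:443"},
    {"pid": 520, "ppid": 1,   "comm": "ntpd",   "stdin": "null",   "stdout": "null",   "remote": "192.0.2.10:123"},
]

SHELLS = {"sh", "bash", "dash", "ash", "busybox"}
WEB_SERVERS = {"httpd", "nginx", "apache2", "lighttpd"}
TUNNEL_TOOLS = {"chisel"}  # the tool named in the article; extend from your own inventory


def reverse_shell(ev, parent):
    """A shell whose stdin or stdout is a network socket has the classic
    reverse-shell shape: the interactive session is driven by a remote peer."""
    return ev["comm"] in SHELLS and "socket" in (ev["stdin"], ev["stdout"])


def web_shell(ev, parent):
    """A shell spawned directly by the web server is the footprint of a web shell."""
    return ev["comm"] in SHELLS and parent is not None and parent["comm"] in WEB_SERVERS


def tunnel_tool(ev, parent):
    """A known tunnelling binary holding an outbound connection."""
    return ev["comm"] in TUNNEL_TOOLS and ev["remote"] is not None


RULES = [("reverse_shell", reverse_shell), ("web_shell", web_shell), ("tunnel_tool", tunnel_tool)]


def descends_from(pid, by_pid, flagged):
    """True if any ancestor of pid was flagged by a rule (lineage check)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in flagged:
            return True
    return False


def detect(events):
    """Return (pid, rule_name) pairs for every event that matches a rule,
    followed by (pid, 'child_of_flagged') for processes under a flagged one."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for name, rule in RULES:
            if rule(ev, parent):
                findings.append((ev["pid"], name))
    flagged = {pid for pid, _ in findings}
    for ev in events:
        if ev["pid"] not in flagged and descends_from(ev["pid"], by_pid, flagged):
            findings.append((ev["pid"], "child_of_flagged"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The administrator's console shell (pid 310, on a tty) and the time daemon's normal outbound connection are left alone; the shell whose stdio is a socket under the web server, and the tunnelling binary it spawned, are the ones reported. The lineage pass matters on a perimeter appliance because follow-on tooling is often renamed, so the parent chain is a more durable signal than the process name.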
A prominent CrowdStrike researcher further said, “Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant.”