An unidentified target was the subject of a suspected ransomware intrusion attempt that used a Mitel VoIP appliance as an entry point, achieving remote code execution on the device to gain initial access to the environment.
The information comes from the cybersecurity company CrowdStrike, which was able to pinpoint the attack’s origin to a Linux-based Mitel VoIP device that was located on the network’s perimeter. It also discovered a previously unknown exploit and a few anti-forensic techniques used by the attacker on the device to hide their tracks.
The zero-day, tracked as CVE-2022-29499, was patched by Mitel in April 2022 via a remediation script that it sent to clients. Under the CVSS scoring system its severity is rated 9.8 out of 10, making it a critical flaw.
The information was made public less than two weeks after the German penetration testing company SySS identified two vulnerabilities in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have given an attacker root privileges on the affected devices.
“To safeguard perimeter devices, timely patching is essential. However, timely patching becomes pointless when threat actors exploit an unknown vulnerability,” Patrick Bennett, a CrowdStrike researcher, warned.
“To the greatest degree practicable, critical assets should be segregated from perimeter security measures. In a perfect world, if a threat actor compromises a perimeter device, access to crucial assets shouldn’t be feasible in only one step from the compromised device.”
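As an added illustration of the segmentation Bennett describes (this is not from CrowdStrike's report or Mitel's advisory), the nftables policy below is for a firewall sitting between a perimeter VoIP appliance on a DMZ interface and the internal networks. The interface names, address ranges and ports are assumptions chosen for the example; the point is that a compromised appliance cannot reach the critical segments in one hop, and only the narrow SIP/RTP paths it needs are allowed.

```nft
# Added example: nftables forward policy for a firewall between a
# perimeter VoIP appliance (interface dmz0) and internal segments.
# Interface names, addresses and ports are assumed for illustration.
flush ruleset

table inet segmentation {
    # Assumed internal networks that must never be reachable from the DMZ directly
    set critical_nets {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 10.20.0.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that internal hosts initiated
        ct state established,related accept

        # Weak setting: the appliance may reach anything on the LAN (commented out, do not use)
        # iifname "dmz0" oifname "lan0" accept

        # Corrected setting: the DMZ cannot reach any critical network at all
        iifname "dmz0" ip daddr @critical_nets drop

        # The appliance may only reach the phone VLAN, and only for SIP signalling and RTP media
        iifname "dmz0" oifname "phones0" udp dport 5060 accept
        iifname "dmz0" oifname "phones0" udp dport 16384-32767 accept

        # Management of the appliance only from a dedicated jump host
        ip saddr 10.30.0.5 oifname "dmz0" tcp dport { 22, 443 } accept

        # Everything else leaving the DMZ is logged, then dropped by policy
        iifname "dmz0" log prefix "dmz-block " drop
    }
}
```

Load it with `nft -f` on the firewall, and review the `dmz-block` log entries: unexpected connection attempts from the appliance toward the internal network are exactly the kind of lateral movement signal that this segmentation is meant to surface.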
According to security researcher Kevin Beaumont, the bulk of the more than 21,500 publicly accessible Mitel devices online are located in the United States, followed by the United Kingdom, Canada, France, and Australia.
Sources:
https://www.kali.org/tools/memdump/
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002