Ransomware groups targeting Mitel VoIP zero-day

Ransomware groups are targeting a zero-day affecting a Linux-based Mitel VoIP appliance, according to researchers from CrowdStrike. 

The zero-day, tracked as CVE-2022-29499, was patched in April by Mitel after CrowdStrike researcher Patrick Bennett discovered the issue during a ransomware investigation.

In a blog post on Thursday, Bennett explained that after taking the Mitel VoIP appliance offline, he discovered a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.”

“After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VoIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity,” Bennett said. 

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor.”

In its security advisory, Mitel said the vulnerability affects the Mitel Service Appliance component of MiVoice Connect. The company rated the bug critical and said it could be exploited in MiVoice Connect Service Appliances, SA 100, SA 400 and/or Virtual SA.

A script for remediation was provided to customers, according to Mitel.

Cybersecurity expert Kevin Beaumont urged organizations to patch the vulnerability and noted that a search on Shodan showed several government institutions in the United States and United Kingdom were vulnerable to the bug. 

Bennett explained in his blog that even with timely patching, threat actors exploiting undocumented vulnerabilities remain a persistent problem.

Recorded Future ransomware expert Allan Liska said developing or buying exploits for commonly used external facing systems, such as Microsoft Exchange or Citrix, is expensive. 

“But, there are a lot of other Internet-facing systems that are not nearly as widely deployed and that has been where ransomware groups have focused their efforts,” Liska said. “This is a great example of that.”

Jonathan Greig

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
