Cybercriminals have used a zero-day exploit on Linux-based Mitel MiVoice VoIP appliances. According to researchers, the exploit was used for gaining initial access to an attempted ransomware attack.

The zero-day abuse

A report from CrowdStrike disclosed that a zero-day RCE flaw (CVE-2022-29499) is present in the Mitel Service Appliance component of MiVoice Connect that was abused to obtain initial access to the network.  
  • Although the attack was stopped, the intrusion is suspected to be a part of a ransomware attack.
  • The flaw
  • The exploitation of the flaw allows remote code execution in the context of Service Appliance.

At present, there are over 21,000 Mitel devices publicly accessible online, mostly in the U.S. and the U.K.

More info

The flaw occurs due to insufficient data validation for a diagnostic script, which allows remote and unauthorized attackers to add commands with specially crafted requests.
  • The exploit includes two GET requests, one sent to the device targeting a get_url parameter of a PHP file and the second generated on the device itself, causing a command injection.
  • The attackers used the flaw to create a reverse shell by using the FIFO pipes on the targeted Mitel device and sending outbound requests from within the infected network.
  • With the reverse shell, the attackers created a web shell and downloaded a reverse proxy tool named Chisel to reduce the chances of being spotted while moving laterally inside the network.

Anti-forensic efforts

The reports mention anti-forensic efforts, where the attackers deleted all files in the infected devices by using the dd overwrite command. However, experts recovered the HTTP access logs.

Preventive steps

Mitel has posted a remediation script for MiVoice Connect versions 19.2 SP3 and before and R14.x and before. Further, experts suggest admins apply the mitigations quickly. The admin can follow the support portal with more details available in the security bulletin.
Cyware Publisher