CrowdStrike researchers have identified ransomware groups exploiting a zero-day flaw in the Linux-based Mitel VoIP appliance.
The vulnerability, tracked as CVE-2022-29499, was patched by Mitel in April of this year after CrowdStrike researcher Patrick Bennett unearthed the bug during a ransomware investigation.
In a blog post published last week, Bennett explained that after taking the Mitel VoIP appliance offline, he found a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.”
“After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VoIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity,” Bennett said.
Although the attacker erased all files from the VoIP device’s filesystem, Bennett was able to recover forensic data from the device. This included the initial, previously undocumented exploit used to compromise the device, the tools the threat actor subsequently downloaded to it, and even evidence of the specific anti-forensic measures the attacker took.
The zero-day bug affects the Mitel Service Appliance component of MiVoice Connect. Mitel rated the bug critical and said in its security advisory that it can be exploited on MiVoice Connect Service Appliances SA 100 and SA 400 and on the Virtual SA.
"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company stated.
The exploit consisted of two HTTP GET requests (the request type normally used to retrieve a specific resource from a server) that triggered remote code execution by fetching attacker-supplied commands from attacker-controlled infrastructure.
The attacker used the exploit to obtain a reverse shell, then used that shell to drop a web shell ("pdf_import.php") on the VoIP appliance and download the open-source Chisel proxy tool.
The binary was then executed, but only after being renamed to "memdump" in an attempt to evade notice and to use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device."
Detection of the activity, however, halted the operation and prevented the attacker from moving laterally across the network.
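The attack chain above gives a defender two concrete things to hunt for on an appliance's web access log and process list: requests to the reported web shell name (or GET requests carrying a remote URL, the command-fetch pattern), and a process named "memdump" invoked with Chisel's command-line shape (`client <server> <remote>` / `server`). The following triage script is an added example, not CrowdStrike's or Mitel's code; the log lines, the `/cgi` path, the IP addresses and the process listing are constructed, and the URL-in-query and Chisel-argument checks are heuristics chosen here, not details published in the article.

```python
import re

# Apache-style access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WEBSHELL_NAMES = {"pdf_import.php"}                 # web shell name reported in the article
URL_IN_QUERY = re.compile(r'https?://[^\s&"]+', re.IGNORECASE)  # assumed command-fetch marker

# Constructed sample data (not from the incident).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [01/Apr/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Apr/2022:10:00:02 +0000] "GET /cgi?u=http://198.51.100.7/c.txt HTTP/1.1" 200 33',
    '203.0.113.5 - - [01/Apr/2022:10:00:05 +0000] "GET /pdf_import.php?x=1 HTTP/1.1" 200 88',
]
SAMPLE_PS = [  # constructed `ps -eo pid,args` style output
    "812 /usr/sbin/sshd -D",
    "1234 /tmp/memdump client 198.51.100.7:8080 R:socks",
]


def triage_access_log(lines):
    """Return one finding per request that matches the described tradecraft."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, _, query = m.group("target").partition("?")
        name = path.rsplit("/", 1)[-1]
        if name in WEBSHELL_NAMES:
            reason = "request to known web shell name"
        elif m.group("method") == "GET" and URL_IN_QUERY.search(query):
            reason = "GET carrying a remote URL (possible command fetch)"
        else:
            continue
        findings.append({"ip": m.group("ip"), "reason": reason, "target": m.group("target")})
    return findings


def flag_renamed_chisel(ps_lines):
    """Flag processes named 'memdump' whose first argument is Chisel's 'client' or 'server'."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1].rsplit("/", 1)[-1] == "memdump" and parts[2] in ("client", "server"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']}: {f['reason']} -> {f['target']}")
    for p in flag_renamed_chisel(SAMPLE_PS):
        print("suspicious process:", p)
```

The real "memdump" would also have a hash matching a Chisel release, which is a stronger check than argument shape once the binary is recovered.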
The announcement of the zero-day bug comes less than two weeks after German penetration testing firm SySS disclosed two vulnerabilities in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have allowed threat actors to obtain root privileges on the devices.