Ransomware groups are targeting a zero-day affecting a Linux-based Mitel VoIP appliance, according to researchers from CrowdStrike.
The zero-day – tagged as CVE-2022-29499 – was patched in April by Mitel after CrowdStrike researcher Patrick Bennett discovered the issue during a ransomware investigation.
In a blog post on Thursday, Bennett explained that after taking the Mitel VoIP appliance offline, he discovered a “novel remote code execution exploit used by the threat actor to gain initial access to the environment.”
“After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VoIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity,” Bennett said.
“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor.”
In its security advisory, Mitel said the vulnerability affects the Mitel Service Appliance component of MiVoice Connect. The company rated the bug critical and said it could be exploited in MiVoice Connect Service Appliances, SA 100, SA 400 and/or Virtual SA.
A script for remediation was provided to customers, according to Mitel.
Cybersecurity expert Kevin Beaumont urged organizations to patch the vulnerability and noted that a search on Shodan showed several government institutions in the United States and United Kingdom were vulnerable to the bug.
“This is filtered to just ones with SSL certificates with ".gov*" in the hostname; there's a concentration in the UK (#1) and US (#2), so I think there probably needs to be messaging for orgs to get their houses in order, especially as it is under active exploitation before patch.”
— Kevin Beaumont (@GossiTheDog), June 24, 2022
Bennett explained in his blog post that even with timely patching, exploitation of undocumented vulnerabilities by threat actors remains a persistent problem.
Recorded Future ransomware expert Allan Liska said developing or buying exploits for commonly used external-facing systems, such as Microsoft Exchange or Citrix, is expensive.
“But, there are a lot of other Internet-facing systems that are not nearly as widely deployed and that has been where ransomware groups have focused their efforts,” Liska said. “This is a great example of that.”