Researchers warn that threat actors are using a novel remote code execution exploit to gain initial access to victims' environments.
Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) appliance and using it as a springboard to plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first reported by CrowdStrike in April as a zero-day vulnerability and is now patched.
Mitel is best known for providing business phone systems and unified communications as a service (UCaaS) to organizations of all kinds. Mitel focuses on VoIP technology, which lets users make phone calls over an internet connection instead of regular telephone lines.
According to CrowdStrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. MiVoice provides a single interface that brings all communications and tools together.
Researchers at CrowdStrike recently investigated a suspected ransomware attack. The research team quickly contained the intrusion, but believe the vulnerability (CVE-2022-29499) was involved in the ransomware strike.
CrowdStrike traced the origin of the malicious activity to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code execution exploit.
“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennett wrote in a blog post.
The exploit involves two GET requests. The first one targets a “get_url” parameter of a PHP file, and the second one originates from the device itself.
“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researchers explained.
The second request carries out the command injection: the device performs an HTTP GET request to attacker-controlled infrastructure and runs the command stored on the attacker's server.
According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl_client” to send outbound requests from the compromised network. The “mkfifo” command creates a named pipe, a special file at the path given by its file parameter, which multiple processes can open for reading or writing.
Once the reverse shell was established, the attacker created a web shell named “pdf_import.php”. The original content of the web shell was not recovered, but the researchers identified a log file containing a POST request to the same IP address the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto the VoIP appliance to pivot further into the network without being detected.
CrowdStrike also identified anti-forensic techniques performed by the threat actors to conceal their activity.
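As an added detection example (not code from CrowdStrike's report or from Mitel), the following script scans web-server access-log lines for the two artifacts the article names: a “get_url” parameter whose value points the appliance at an external host, and any request to the “pdf_import.php” web shell path. The log format, the PHP script name “example.php” and the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Combined-style access-log line: client ip, identd, user, [timestamp], "METHOD target HTTP/x", status.
# The appliance's real log format is an assumption for this example.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# RFC 1918 and loopback ranges; anything else (or a hostname) is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(host):
    """True if host is a hostname or an IP outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: cannot be vouched for as internal
    return not any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return a list of finding strings for one log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, _ts, method, target, status = m.groups()
    parsed = urlparse(target)
    findings = []
    # 1) get_url carrying an absolute URL to an external host: the appliance would be
    #    made to fetch (and, per the report, execute) content from attacker infrastructure.
    for value in parse_qs(parsed.query).get("get_url", []):
        dest = urlparse(value)
        if dest.scheme in ("http", "https") and dest.hostname and is_external(dest.hostname):
            findings.append(f"get_url fetch to external host {dest.hostname} from {src}")
    # 2) any hit on the web shell filename named in the incident.
    if parsed.path.endswith("/pdf_import.php"):
        findings.append(f"{method} to web shell path pdf_import.php from {src} (status {status})")
    return findings

def scan(lines):
    return [f for line in lines for f in classify(line)]

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jun/2022:10:01:09 +0000] "GET /example.php?get_url=http%3A%2F%2F198.51.100.9%2Fx HTTP/1.1" 200 0',
    '127.0.0.1 - - [20/Jun/2022:10:01:10 +0000] "GET /example.php?get_url=http%3A%2F%2F10.0.0.8%2Fok HTTP/1.1" 200 0',
    '203.0.113.7 - - [20/Jun/2022:10:05:33 +0000] "POST /pdf_import.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A fetch of an internal URL through get_url (third sample line) is deliberately not flagged, so tune INTERNAL_NETS to the ranges the appliance legitimately talks to.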
“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” Bennett said.
Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. No official patch has been released yet.
Security researcher Kevin Beaumont shared, in a Twitter thread, the string “http.html_hash:-1971546278” for finding vulnerable Mitel devices on the Shodan search engine.
According to Kevin, there are roughly 21,000 publicly accessible Mitel appliances worldwide, most of them located in the United States, followed by the United Kingdom.
CrowdStrike recommends that organizations tighten their defenses by performing threat modeling and identifying malicious activity. The researchers also advised segregating critical assets from perimeter devices and restricting access between them, so that a compromised perimeter device cannot reach further into the network.
“Timely patching is critical to protecting perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.
By Sagar Tiwari, June 28, 2022