Cybercrime

Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio

Mitel enterprise collaboration products have been abused for distributed denial-of-service (DDoS) attacks that employ a new vector with a massive potential amplification ratio.

Researchers from Akamai, Cloudflare, Lumen, NETSCOUT, Team Cymru, TELUS, and The Shadowserver Foundation analyzed the attacks and published a joint blog post detailing their findings. Mitel has released an advisory and security bulletins describing the impact on its products.

According to the organizations that investigated these DDoS attacks, malicious actors are abusing incorrectly provisioned Mitel MiCollab and MiVoice Business Express collaboration systems. The affected devices incorporate TP-240 VoIP-processing interface cards and are primarily used for internet-based site-to-site voice connectivity for PBX systems.

While tens of thousands of these Mitel devices are deployed in government and private sector organizations worldwide, researchers have identified only roughly 2,600 systems that have been incorrectly provisioned and exposed to the internet.

The attack method has been named TP240PhoneHome and the underlying vulnerability has been assigned the CVE identifier CVE-2022-26143.

“The abused service on affected Mitel systems is called tp240dvr (TP-240 driver) and appears to run as a software bridge to facilitate interactions with TDM/VoIP PCI interface cards. The service listens for commands on UDP/10074 and is not meant to be exposed to the internet, as confirmed by the manufacturer of these devices. It is this exposure to the internet that ultimately allows it to be abused,” researchers explained.

“The tp240dvr service exposes an unusual command that is designed to stress test its clients in order to facilitate debugging and performance testing. This command can be abused to cause the tp240dvr service to send this stress test to attack victims. The traffic consists of a high rate of short informative status update packets that can potentially overwhelm victims and cause the DDoS scenario,” they added.

Spikes in network traffic associated with the abused service were seen on January 8 and February 7, but the first actual attack was observed on February 18.

“This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” researchers said. “A controlled test of this DDoS attack vector yielded more than 400 Mpps of sustained DDoS attack traffic.”

Attacks leveraging this technique can be mitigated with standard DDoS protections, and Mitel has released patches that should prevent abuse. Because the service is not meant to be reachable from the internet, operators can also block inbound UDP/10074 at the network edge.
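The two network-visible signatures of this vector follow directly from the description above: the reflected stream arrives at the victim as UDP traffic whose source port is 10074, and a reflector is only usable if packets from the internet can reach UDP/10074 on it. The following Python is an added defensive example, not code from the article, the researchers, or Mitel; the flow-record format, field names, thresholds and the sample records are all constructed for the illustration, and only the port number comes from the article.

```python
"""Flag TP240PhoneHome-style reflection traffic in flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP port of the tp240dvr service named in the article. Everything else in this
# block (record format, field names, thresholds, sample data) is constructed.
TP240_PORT = 10074


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds (constructed field)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src_ip>:<port> <dst_ip>:<port> <proto> <packets>'."""
    ts, src, dst, proto, pkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(int(ts), src_ip, int(src_port), dst_ip, int(dst_port),
                proto.upper(), int(pkts))


def _is_internal(ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def find_reflection_victims(flows, min_reflectors=2, min_packets=1000):
    """Victim-side view.

    UDP traffic with *source* port 10074 is the tp240dvr status-update stream.
    A destination receiving it from several distinct hosts at volume is very
    likely the target of a reflected attack.
    Returns {victim_ip: (distinct_reflectors, total_packets)}.
    """
    by_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto == "UDP" and f.src_port == TP240_PORT:
            entry = by_victim[f.dst_ip]
            entry[0].add(f.src_ip)
            entry[1] += f.packets
    return {ip: (len(srcs), pkts) for ip, (srcs, pkts) in by_victim.items()
            if len(srcs) >= min_reflectors and pkts >= min_packets}


def find_exposed_reflectors(flows, internal_prefixes):
    """Operator-side view.

    Any UDP flow from outside the internal prefixes to port 10074 on an internal
    host shows the service is reachable from the internet, which the vendor says
    it never should be. Returns the set of internal hosts that received such traffic.
    """
    exposed = set()
    for f in flows:
        if (f.proto == "UDP" and f.dst_port == TP240_PORT
                and _is_internal(f.dst_ip, internal_prefixes)
                and not _is_internal(f.src_ip, internal_prefixes)):
            exposed.add(f.dst_ip)
    return exposed


# Constructed sample records using documentation and private address ranges.
SAMPLE_FLOWS = """\
1645000000 203.0.113.10:10074 198.51.100.7:80 UDP 800
1645000001 203.0.113.11:10074 198.51.100.7:80 UDP 650
1645000002 203.0.113.12:10074 198.51.100.7:443 UDP 900
1645000003 203.0.113.50:10074 198.51.100.9:53 UDP 20
1645000004 192.0.2.33:40000 10.20.0.5:10074 UDP 1
1645000005 10.20.0.8:41000 10.20.0.5:10074 UDP 1
1645000006 192.0.2.40:443 10.20.0.5:51000 TCP 12
"""


def load_sample():
    return [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]


if __name__ == "__main__":
    flows = load_sample()
    print("reflection victims:", find_reflection_victims(flows))
    print("exposed reflectors:", find_exposed_reflectors(flows, ["10.20.0.0/16"]))
```

In the sample, 198.51.100.7 is flagged as a victim (three reflectors, 2,350 packets) while 198.51.100.9 is not (a single low-volume source), and 10.20.0.5 is reported as an exposed reflector because an external address reached its UDP/10074; the same internal port being contacted from 10.20.0.8 is ignored. Real deployments would feed NetFlow/IPFIX or firewall logs into `parse_flow` in place of the constructed records and tune the thresholds to their baseline.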

In its advisories, which have been assigned a risk rating of “critical,” Mitel described the issue as a security access control vulnerability that can be exploited for more than just sustained DoS attacks. The vendor warned that a remote, unauthenticated attacker could also exploit the vulnerability to gain access to sensitive information and possibly execute arbitrary code.

DDoS attacks continue to increase in size. Microsoft reported recently that it had seen record-breaking attacks that exceeded 3 Tbps.

Related: Cloudflare Mitigated Record-Setting 17.2 Million RPS DDoS Attack

Related: Several DDoS Attack Records Broken in 2020

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.