High-impact DDoS attacks target zero-day exploit in Mitel systems

Security researchers, network operators and security vendors discover a new reflection/amplification DDoS vulnerability used to launch multiple, high-impact attacks against Mitel systems.

DDOS attack
2AlexD / Getty Images

Security researchers, network operators and security vendors have detected a new reflection/amplification distributed denial-of-service (DDoS) vulnerability actively being exploited to launch multiple high-impact DDoS attacks. TP240PhoneHome (CVE-2022-26143) has a record-breaking potential amplification ratio of 4,294,967,296:1 and can be targeted to abuse collaboration systems produced by Mitel with the potential to cause significant collateral impact to businesses.

Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Mitel has released patched software that disables the abusable test facility whilst attacks can be mitigated using standard DDoS-defense techniques. The findings come from a collaborative research and mitigation task force effort with contributors including NETSCOUT, Akamai, Cloudflare and Mitel.

DDoS attacks target MiCollab and MiVoice systems

A spike in DDoS attacks sourced from User Datagram Protocol (UDP) port 10074 was observed in mid-February 2022. Upon further investigation, it was determined that the devices abused to launch these attacks were MiCollab and MiVoice, primarily used to provide internet-based site-to-site voice connectivity for PBX systems, according to a blog post by NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT).

“Approximately 2,600 of these systems have been incorrectly provisioned so that an unauthenticated system test facility has been inadvertently exposed to the public internet, allowing attackers to leverage these PBX VoIP gateways as DDoS reflectors/amplifiers,” ASERT said. Mitel is aware of the issues and has been actively working with customers to remediate abusable devices.

Vector differs from most UDP reflection/amplification attack methods

Observed attacks were primarily predicated on packets per second (pps), or throughput, and appeared to be UDP reflection/amplification attacks sourced from UDP/10074 that were mainly directed toward destination ports UDP/80 and UDP/443, ASERT explained. Interestingly, ASERT said that the vector differs from the majority of UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration via a single spoofed attack initiation packet. “A controlled test of this DDoS attack vector yielded more than 400 Mpps of sustained DDoS attack traffic.”

ASERT also noted that this single-packet attack initiation capability has the effect of precluding network operator traceback of the spoofed attack initiator traffic, which helps to mask the attack traffic generation infrastructure and make it less likely that the origin is traced compared with other UDP reflection/amplification DDoS attack vectors.

Attacks target TP-240 driver via internet exposure

The abused service on affected Mitel systems is called tp240dvr (TP-240 driver) and its exposure to the internet allows attackers to exploit it to run a software bridge to facilitate interactions with TDM/VoIP PCI interface cards. “The service listens for commands on UDP/10074 and is not meant to be exposed to the internet, as confirmed by the manufacturer of these devices,” ASERT said. “The tp240dvr service exposes an unusual command that is designed to stress test its clients in order to facilitate debugging and performance testing. This command can be abused to cause the tp240dvr service to send this stress test to attack victims. The traffic consists of a high rate of short informative status update packets that can potentially overwhelm victims and cause the DDoS scenario.”

The command can also be abused by attackers to launch very high-throughput attacks. Researchers were able to force devices to generate large amounts of traffic in response to comparatively small request payloads.

Threats to organizations significant despite limited attack simultaneity

The threats posed to organizations with internet-exposed Mitel MiCollab and MiVoice Business Express collaboration systems are potentially significant, ASERT warned. “This may include partial or full interruption of voice communications through these systems, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of network address translations, stateful firewalls, and so forth.” This is despite the fact that the tp240dvr service can only be used to launch one attack at a time and that the devices are on relatively low-powered hardware in terms of their traffic-generation capabilities, ASERT added.

“Amplification greatly increases the potency of DDoS attacks; the greater the amplification, the easier it is to overwhelm defenses,” Netenrich principal threat hunter John Bambenek tells CSO. “If you can send more attack traffic than an organization can handle (with whatever defenses they have protecting them) then they are offline.” This is greatly heightened during times of geopolitical conflict as DDoS is often the first tool activists, governments, and bystanders looking for attack techniques, he says.

Mitigating the risks of amplified DDoS attacks

“Operators of internet-exposed TP-240-based Mitel MiCollab and MiVoice Business Express collaboration systems can prevent abuse of their systems to launch DDoS attacks by blocking incoming internet traffic destined for UDP/10074 via ACLs, firewall rules, and other standard network access control policy enforcement mechanisms,” ASERT wrote. Furthermore, amplified attack traffic can be detected, classified, traced, and safely mitigated using standard DDoS defense tools and techniques.

“Flow telemetry and packet capture via open-source and commercial analysis systems can alert network operators and end customers,” ASERT said, while network access control lists, flowspec, destination-based remotely triggered blackhole, source-based remotely triggered blackhole, and intelligent DDoS mitigation systems can also be used, it continued.

“Mitel has provided patched software versions that prevent TP-240–equipped MiCollab and MiVoice Business Express collaboration systems from being abused as DDoS reflectors/amplifiers by preventing exposure of the service to the internet, and Mitel customers should contact the vendor for remediation instructions,” ASERT said.

Related:

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.