Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio

Mitel enterprise collaboration products have been abused for distributed denial-of-service (DDoS) attacks that employ a new vector with a massive potential amplification ratio.

Researchers from Akamai, Cloudflare, Lumen, NETSCOUT, Team Cymru, TELUS, and The Shadowserver Foundation have analyzed the attacks and released a blog post detailing their findings. Mitel has released an advisory and security bulletins describing the impact on its products.

According to the organizations that investigated these DDoS attacks, malicious actors are abusing incorrectly provisioned Mitel MiCollab and MiVoice Business Express collaboration systems. The targeted devices incorporate TP-240 VoIP-processing interface cards and are primarily used for internet-based site-to-site voice connectivity for PBX systems.

While tens of thousands of these Mitel devices are deployed in government and private sector organizations worldwide, researchers have identified only roughly 2,600 systems that have been incorrectly provisioned and exposed to the internet.

The attack method has been named TP240PhoneHome and the underlying vulnerability has been assigned the CVE identifier CVE-2022-26143.

“The abused service on affected Mitel systems is called tp240dvr (TP-240 driver) and appears to run as a software bridge to facilitate interactions with TDM/VoIP PCI interface cards. The service listens for commands on UDP/10074 and is not meant to be exposed to the internet, as confirmed by the manufacturer of these devices. It is this exposure to the internet that ultimately allows it to be abused,” researchers explained.

“The tp240dvr service exposes an unusual command that is designed to stress test its clients in order to facilitate debugging and performance testing. This command can be abused to cause the tp240dvr service to send this stress test to attack victims. The traffic consists of a high rate of short informative status update packets that can potentially overwhelm victims and cause the DDoS scenario,” they added.

Spikes in network traffic associated with the abused service were seen on January 8 and February 7, but the first actual attack was observed on February 18.

“This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” researchers said. “A controlled test of this DDoS attack vector yielded more than 400 Mpps of sustained DDoS attack traffic.”

The attacks leveraging this technique can be mitigated with standard DDoS protections and Mitel has released patches that should prevent abuse.
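From the defender's side, the observable described above is outbound UDP traffic sourced from port 10074 on a collaboration system toward an external address, sustained at a high packet rate long after any single inbound packet. The following detection logic is an added example, not code from the researchers' blog post or from Mitel. It assumes one-minute flow bins in a constructed text layout (`<epoch> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <packets>`), an operator-supplied list of internal CIDRs, and a packets-per-second threshold; the sample records and the addresses in them are constructed.

```python
"""Flag tp240dvr (TP-240) reflection traffic in flow records.

Added example, not the researchers' or Mitel's code. Assumes one-minute
flow bins with the constructed layout:
  <epoch> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <packets>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TP240_UDP_PORT = 10074  # port the tp240dvr service listens on, per the advisory
BIN_SECONDS = 60        # assumed length of each flow bin in the sample layout

# Constructed sample flow bins (not real traffic). Three bins show one
# collaboration system streaming UDP from port 10074 to an outside host;
# the rest are benign or unrelated and must not be flagged.
SAMPLE_FLOWS = """\
1645000000 UDP 203.0.113.10 10074 198.51.100.5 443 120000
1645000060 UDP 203.0.113.10 10074 198.51.100.5 443 118000
1645000120 UDP 203.0.113.10 10074 198.51.100.5 443 121000
1645000000 UDP 203.0.113.10 10074 203.0.113.20 10074 4
1645000000 UDP 192.0.2.7 53 198.51.100.5 33000 3
1645000000 TCP 203.0.113.10 10074 198.51.100.9 22 10
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed flow-bin layout; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, pkts = line.split()
        flows.append(Flow(int(ts), proto.upper(), src, int(sport),
                          dst, int(dport), int(pkts)))
    return flows


def is_internal(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def tp240_reflection_summary(flows, internal_cidrs, min_pps: int = 1000) -> dict:
    """Group suspected reflection bins by (reflector, victim).

    A bin is suspect when it is UDP, sourced from port 10074 on an internal
    host, destined outside the internal networks, and sustains at least
    min_pps packets per second. The returned entry records total packets,
    number of bins and the covered duration in seconds.
    """
    nets = [ip_network(c) for c in internal_cidrs]
    totals = defaultdict(lambda: {"packets": 0, "bins": 0,
                                  "first": None, "last": None})
    for f in flows:
        if f.proto != "UDP" or f.sport != TP240_UDP_PORT:
            continue
        if not is_internal(f.src, nets) or is_internal(f.dst, nets):
            continue
        if f.packets / BIN_SECONDS < min_pps:
            continue
        t = totals[(f.src, f.dst)]
        t["packets"] += f.packets
        t["bins"] += 1
        t["first"] = f.ts if t["first"] is None else min(t["first"], f.ts)
        t["last"] = f.ts if t["last"] is None else max(t["last"], f.ts)
    for t in totals.values():
        t["duration_s"] = t["last"] - t["first"] + BIN_SECONDS
    return dict(totals)


if __name__ == "__main__":
    summary = tp240_reflection_summary(parse_flows(SAMPLE_FLOWS), ["203.0.113.0/24"])
    for (src, dst), t in summary.items():
        print(f"{src} -> {dst}: {t['packets']} pkts over {t['bins']} bins "
              f"({t['duration_s']} s)")
```

The rate threshold is the operator's choice; the point is that the reflector's own egress is the place where this vector is cheapest to spot, because the victim-bound stream keeps flowing from a fixed UDP source port for minutes or hours. The same flow filter, inverted to inbound UDP with destination port 10074 from outside the internal ranges, identifies the exposure the advisories say should not exist in the first place.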

In its advisories, which have been assigned a risk rating of “critical,” Mitel described the issue as a security access control vulnerability that can be exploited for more than just sustained DoS attacks. The vendor warned that a remote, unauthenticated attacker could also exploit the vulnerability to gain access to sensitive information and possibly execute arbitrary code.

DDoS attacks continue to increase in size. Microsoft reported recently that it had seen record-breaking attacks that exceeded 3 Tbps.

Related: Cloudflare Mitigated Record-Setting 17.2 Million RPS DDoS Attack

Related: Several DDoS Attack Records Broken in 2020


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
