Security News > 2022 > June > Mitel VoIP Bug Exploited in Ransomware Attacks
Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP application and using it as a springboard plant malware on targeted systems.
The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.
According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.
The Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance.
"Although the threat actor deleted all files from the VoIP device's filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor," said Bennett.
The security researcher Kevin Beaumont shared a string "Http.html hash:-1971546278" to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread. According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, succeeded by the United Kingdom.
News URL
https://threatpost.com/mitel-voip-bug-exploited/180079/
Related news
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Halliburton reports $35 million loss after ransomware attack (source)
- New Ymir ransomware partners with RustyStealer in attacks (source)
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)