This week, Akamai experts discovered a unique DDoS amplification vector that can achieve a reflection/amplification ratio of roughly 4.3 billion to one.
The new attack vector is based on the abuse of unprotected Mitel MiCollab and MiVoice Business Express systems, which act as gateways between virtual PBXs and the Internet and have a dangerous test mode that should not be accessible from the outside. Such devices can serve as reflectors and amplifiers of DDoS attacks.
The new attacks have been dubbed TP240PhoneHome (CVE-2022-26143) and have reportedly been used to launch DDoS attacks targeting ISPs, financial institutions, logistics companies, gaming firms and others.
According to the researchers, attackers abuse CVE-2022-26143 in the driver used by Mitel devices equipped with the TP-240 VoIP interface (for example, MiVoice Business Express and MiCollab).
That driver contains a traffic-generation command intended for client stress testing, normally used for debugging and performance tests. By misusing this command, attackers can make these devices emit powerful traffic floods. Worse, the command is active by default.
Experts found about 2,600 unprotected Mitel devices on the Internet that are exposed to this abuse and can be used to amplify DDoS attacks, and a single such attack can last about 14 hours.
The first signs of attacks using Mitel devices were noticed as early as January 8, 2022, and the first attacks using the vulnerable driver began on February 18, 2022.
The reported attacks were primarily packet-rate based and appear to be UDP reflection and amplification attacks originating from UDP port 10074 and targeting UDP ports 80 and 443. So far, the only major attack of this type reached approximately 53 million packets per second and 23 Gb/s, with an average packet size of about 60 bytes and a duration of roughly 5 minutes. This vector differs from most UDP reflection and amplification attacks in that the vulnerability can be used to launch a sustained DDoS attack lasting up to 14 hours from a single spoofed packet, giving a record amplification factor of 4,294,967,296:1.
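The traffic profile above (UDP from reflector port 10074 towards victim ports 80/443, small packets at a high rate) is what a defender can look for in flow telemetry. The following is an added example, not code from Akamai or Mitel; it assumes a constructed one-line-per-flow record format and uses constructed sample records rather than real captures.

```python
from collections import defaultdict, namedtuple

# Reported TP240PhoneHome reflection profile: UDP from the reflector's port
# 10074 towards the victim's port 80 or 443.
TP240_SRC_PORT = 10074
TP240_DST_PORTS = {80, 443}
Flow = namedtuple("Flow", "src sport dst dport proto packets octets seconds")

def parse_flow(line):
    """Parse one constructed flow record: 'src:sport dst:dport proto pkts bytes secs'."""
    src, dst, proto, pkts, octets, secs = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(s_ip, int(s_port), d_ip, int(d_port), proto.upper(),
                int(pkts), int(octets), float(secs))

def is_tp240_reflection(flow):
    """True when a flow matches the reflector-to-victim profile described above."""
    return (flow.proto == "UDP" and flow.sport == TP240_SRC_PORT
            and flow.dport in TP240_DST_PORTS)

def summarize_victims(lines):
    """Per victim IP: distinct reflectors, packets/s, Gb/s and mean packet size."""
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0, "seconds": 0.0})
    for line in lines:
        flow = parse_flow(line)
        if not is_tp240_reflection(flow):
            continue
        v = agg[flow.dst]
        v["reflectors"].add(flow.src)
        v["packets"] += flow.packets
        v["octets"] += flow.octets
        # Reflector flows overlap in time, so rates use the longest single window.
        v["seconds"] = max(v["seconds"], flow.seconds)
    return {victim: {"reflectors": len(v["reflectors"]),
                     "pps": v["packets"] / v["seconds"],
                     "gbps": v["octets"] * 8 / v["seconds"] / 1e9,
                     "avg_packet_bytes": v["octets"] / v["packets"]}
            for victim, v in agg.items()}

# Constructed sample records (not real telemetry): three reflectors hitting one
# victim on 443/80, plus a DNS reply and a TCP flow that must not match.
SAMPLE_FLOWS = [
    "203.0.113.10:10074 198.51.100.5:443 UDP 3000000 180000000 60",
    "203.0.113.11:10074 198.51.100.5:443 UDP 3000000 180000000 60",
    "203.0.113.12:10074 198.51.100.5:80 UDP 3000000 180000000 60",
    "192.0.2.7:53 198.51.100.5:40123 UDP 2 300 1",
    "203.0.113.13:10074 198.51.100.9:22 TCP 10 1200 5",
]
```

On the sample records, `summarize_victims(SAMPLE_FLOWS)` reports one victim with three reflectors at 150,000 packets/s and a 60-byte mean packet size, matching the small-packet, high-rate signature described above.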
Mitel developers have already released software updates that disable public access to the test function. The company describes the problem as an access control vulnerability that could be used to obtain confidential information, and treats the DDoS amplification as a side effect.