This week, Akamai experts discovered a unique DDoS amplification vector that can achieve a 4.3 billion to one reflection/amplification ratio.
The new attack vector is based on the abuse of unprotected Mitel MiCollab and MiVoice Business Express systems, which act as gateways between virtual PBXs and the Internet and include a dangerous test mode that should not be reachable from outside. Such devices can serve as reflectors and amplifiers for DDoS attacks.
The new attacks have been dubbed TP240PhoneHome (CVE-2022-26143) and have reportedly been used to launch DDoS attacks targeting ISPs, financial institutions, logistics companies, gaming firms and others.
Researchers say that attackers abuse CVE-2022-26143, a vulnerability in the driver used by Mitel devices equipped with the TP-240 VoIP interface (for example, MiVoice Business Express and MiCollab).
That driver contains a traffic generation command intended for client stress testing and normally used for debugging and performance tests. By misusing this command, attackers can make these devices generate large volumes of traffic. Worse, the command is enabled by default.
The experts found about 2,600 unprotected Mitel devices exposed to the Internet that are vulnerable to this abuse and can be used to amplify DDoS attacks; a single such attack can last about 14 hours.
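A network operator who wants to know whether their own devices are being used as reflectors, as described above, can look for the characteristic pattern in flow data: tiny inbound requests answered with huge outbound responses. The following script is an added illustration of that detection logic and is not code from the article, Akamai or Mitel. It assumes a simple constructed flow-record format (`src,sport,dst,dport,proto,bytes_in,bytes_out`), uses documentation IP ranges for its sample data, and its thresholds (`min_ratio`, `min_bytes_out`) and the port number in the sample are illustrative assumptions, not values from the page.

```python
"""Flag hosts that behave like DDoS reflectors/amplifiers in flow records.

Added example (not from the article, Akamai or Mitel). Assumed record
format, one flow per line:
    src_ip,src_port,dst_ip,dst_port,proto,bytes_in,bytes_out
bytes_in  = bytes the src received from dst (the request)
bytes_out = bytes the src sent back to dst (the response)
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data using documentation ranges (198.51.100.0/24 is the
# operator's network, 203.0.113.0/24 the remote side). The first host answers
# 100-byte requests with multi-megabyte responses, the shape of an abused
# reflector; the others are ordinary services. Port 40000 is arbitrary.
SAMPLE_FLOWS = """\
# src,sport,dst,dport,proto,bytes_in,bytes_out
198.51.100.10,40000,203.0.113.5,53211,udp,100,3000000
198.51.100.10,40000,203.0.113.6,53212,udp,100,2500000
198.51.100.20,443,203.0.113.7,51000,tcp,5000,60000
198.51.100.30,53,203.0.113.8,52000,udp,2000,40000
"""


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes_in: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed CSV-style flow format, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, b_in, b_out = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), proto,
                          int(b_in), int(b_out)))
    return flows


def amplification_report(flows, min_ratio=50.0, min_bytes_out=1_000_000):
    """Aggregate per (src, sport, proto) and compute the response/request ratio.

    A service is flagged when it sends back at least min_ratio times what it
    received AND the absolute outbound volume is large enough to matter;
    the second condition keeps small chatty services out of the report.
    """
    agg = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "peers": set()})
    for f in flows:
        a = agg[(f.src, f.sport, f.proto)]
        a["bytes_in"] += f.bytes_in
        a["bytes_out"] += f.bytes_out
        a["peers"].add(f.dst)  # with spoofed requests these are the victims

    report = {}
    for key, a in agg.items():
        ratio = a["bytes_out"] / a["bytes_in"] if a["bytes_in"] else float("inf")
        report[key] = {
            "ratio": ratio,
            "bytes_out": a["bytes_out"],
            "peers": len(a["peers"]),
            "flagged": ratio >= min_ratio and a["bytes_out"] >= min_bytes_out,
        }
    return report


def flagged_sources(flows, **thresholds) -> list[str]:
    """Return the sorted list of source IPs that look like abused reflectors."""
    rep = amplification_report(flows, **thresholds)
    return sorted({src for (src, _, _), r in rep.items() if r["flagged"]})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, r in amplification_report(flows).items():
        mark = "REFLECTOR?" if r["flagged"] else "ok"
        print(f"{key[0]}:{key[1]}/{key[2]} ratio={r['ratio']:.0f} "
              f"out={r['bytes_out']} peers={r['peers']} {mark}")
```

On the sample data only the first host is reported; its 27,500:1 ratio is tiny next to the figure in the article, which is why a volume floor rather than the ratio alone should drive alerting thresholds. The same aggregation works on exported NetFlow/IPFIX once it is mapped to the assumed columns.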
The first signs of attacks using Mitel devices were noticed as early as January 8, 2022, and the first attacks using the vulnerable driver began on February 18, 2022.
Mitel has already released software updates that disable public access to the test function. The company describes the problem as an access control vulnerability that could be used to obtain confidential information, and calls the DDoS amplification only a side effect.
Let me remind you that we also talked about Akamai Says Powerful DDoS Attacks Are Becoming the Norm, and also that Lucifer malware uses many exploits, is engaged in mining and DDoS attacks.