Hackers Abuse Mitel Devices to Amplify DDoS Attacks by 4 Billion Times

Security researchers have discovered that hackers are abusing Mitel devices to amplify DDoS attacks lasting up to 14 hours, with a record-breaking amplification ratio of 4,294,967,296 to 1.

Threat actors have weaponized the attack vector, called TP240PhoneHome (CVE-2022-26143), to launch significant DDoS attacks targeting broadband access ISPs, financial institutions, logistics companies, gaming firms, and other organizations.

Akamai researcher Chad Seaman in a joint advisory mentioned, “Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet.”

He further added, “Attackers were actively leveraging these systems to launch reflection/amplification DDoS attacks of more than 53 million packets per second (PPS).”

In a DDoS reflection attack, the attacker sends requests with the victim's IP address as the spoofed source to a reflector such as a DNS, NTP, or CLDAP server, so that the server's replies, which are much larger than the requests, are directed at the victim. The resulting flood leaves the victim's service completely inaccessible.

The attacks using Mitel’s MiCollab and MiVoice Business Express collaboration systems as DDoS reflectors were first detected on February 18, 2022, following the inadvertent exposure of an unauthenticated test facility to the public internet.

According to Cloudflare, “This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1.”

Akamai explained, “Examination of the tp240dvr binary reveals that, due to its design, an attacker can theoretically cause the service to emit 2,147,483,647 responses to a single malicious command. Each response generates two packets on the wire, leading to approximately 4,294,967,294 amplified attack packets being directed toward the attack victim.”
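The traffic pattern described above (one inbound packet answered by a sustained, heavily one-sided outbound stream to a single address) is what an operator of an exposed gateway would look for in flow data. The following detector is an added example, not code from the article or from Mitel, Akamai or Cloudflare; the gateway address, flow records and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GATEWAY_IP = "192.0.2.10"  # constructed: the PBX gateway whose flows are inspected

# Constructed flow records, not real traffic: (timestamp, src_ip, dst_ip, packets).
# Peer 198.51.100.7 sends a single packet and receives a multi-hour stream back,
# the reflection pattern; peer 203.0.113.5 is an ordinary short two-way exchange.
SAMPLE_FLOWS = [
    ("2022-02-18T10:00:00", "198.51.100.7", "192.0.2.10", 1),
    ("2022-02-18T10:00:01", "192.0.2.10", "198.51.100.7", 1_800_000_000),
    ("2022-02-18T23:59:59", "192.0.2.10", "198.51.100.7", 2_400_000_000),
    ("2022-02-18T10:05:00", "203.0.113.5", "192.0.2.10", 40),
    ("2022-02-18T10:05:02", "192.0.2.10", "203.0.113.5", 38),
]


def find_reflection_victims(flows, gateway_ip, min_ratio=1000,
                            min_duration=timedelta(hours=1)):
    """Return {peer: (out/in packet ratio, duration of outbound stream)} for peers
    that received a sustained, heavily one-sided packet stream from gateway_ip.
    Such a peer is the likely spoofed victim, not the attacker, so the right
    response is to block the outbound flood and notify the victim's network."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "first": None, "last": None})
    for ts, src, dst, pkts in flows:
        t = datetime.fromisoformat(ts)
        if dst == gateway_ip:            # packets arriving at the gateway
            stats[src]["in"] += pkts
        elif src == gateway_ip:          # packets the gateway emitted
            s = stats[dst]
            s["out"] += pkts
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)

    findings = {}
    for peer, s in stats.items():
        if s["out"] == 0:
            continue
        ratio = s["out"] / max(s["in"], 1)   # avoid division by zero for unsolicited output
        duration = s["last"] - s["first"]
        if ratio >= min_ratio and duration >= min_duration:
            findings[peer] = (ratio, duration)
    return findings


if __name__ == "__main__":
    for peer, (ratio, duration) in find_reflection_victims(SAMPLE_FLOWS, GATEWAY_IP).items():
        print(f"{peer}: {ratio:.0f}:1 amplification sustained for {duration}")
```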

After the discovery, Mitel on Tuesday released software updates that disable public access to the test feature, describing the issue as an access control vulnerability that could be exploited to obtain sensitive information.

Mitel further said, “The collateral impact of TP-240 reflection/amplification attacks is potentially significant for organizations with internet-exposed Mitel MiCollab and MiVoice Business Express collaboration systems that are abused as DDoS reflectors/amplifiers. This may include partial or full interruption of voice communications through these systems, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of network address translations, stateful firewalls, and so forth.”
