Pointers at a Glance
- Ransomware attackers exploited a Mitel VoIP bug using a novel remote code execution exploit to gain access to the target environment.
- The exploit involved two steps: the initial request targets the “get URL” parameter of a PHP file, and the second request originates from the compromised device.
Ransomware groups have attacked and exploited a VoIP bug. VoIP stands for Voice over Internet Protocol. The bug in question is specifically a Mitel VoIP bug.
Mitel is well known for providing business phone systems and unified communications as a service (UCaaS) to organizations of all kinds. Mitel focuses on VoIP technology, which lets users make phone calls over an internet connection instead of regular telephone lines.
The vulnerability affects the Mitel MiVoice appliances SA 100, SA 400, and Virtual SA, according to CrowdStrike. MiVoice is a simple interface that brings all communications and tools together.
Ransomware attackers are taking advantage of a new remote code execution exploit to gain access to the target environment. Unpatched Mitel VoIP versions are also being used to deploy malware.
How Did Hackers Obtain Access To Targets?
The hacker group behind this attack employed a creative strategy: a novel remote code execution exploit built from two GET requests. The initial request targets the “get URL” parameter of a PHP file, and the second request originates from the compromised device itself.
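A heuristic log check for the two-request pattern described above, added here as an example and not code from CrowdStrike, Mitel, or the original article. It assumes the parameter is spelled `get_url`, that the appliance's web logs are in combined log format, that the analyst knows the appliance's own IP address, and that the PHP endpoint path and log lines are constructed samples.

```python
"""Flag web-log lines that match the two-step pattern: a GET to a PHP file
with a `get_url` parameter, and a request whose source is the appliance itself.
Assumptions (not from the article): parameter spelled `get_url`, combined log
format, and a known appliance address. Endpoint path and log lines are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

DEVICE_IP = "10.0.5.20"  # constructed: the appliance's own address
PARAM = "get_url"        # assumed spelling of the "get URL" parameter
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def _is_internal(host: str) -> bool:
    """True when the fetched URL points at loopback, a private range, or the device."""
    if host in ("localhost", DEVICE_IP):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname rather than a literal address


def analyze(line: str) -> list:
    """Return the reasons a single log line resembles the described exploit chain."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, method, path, _status = m.groups()
    reasons = []
    parts = urlsplit(path)
    if method == "GET" and parts.path.endswith(".php"):
        for value in parse_qs(parts.query).get(PARAM, []):
            reasons.append(f"{PARAM} supplied by {src}")
            target = urlsplit(value).hostname or value
            if _is_internal(target):
                reasons.append(f"{PARAM} points at internal host {target}")
    if src == DEVICE_IP:  # second step: request formed by the compromised device
        reasons.append("request originates from the appliance itself")
    return reasons


SAMPLE_LOGS = [  # constructed sample lines, not from any real incident
    '203.0.113.9 - - [10/Jun/2022:10:01:02 +0000] "GET /app/fetch.php?get_url=http://127.0.0.1/ HTTP/1.1" 200 512',
    '10.0.5.20 - - [10/Jun/2022:10:01:03 +0000] "GET /app/fetch.php?get_url=http://10.0.5.20/ HTTP/1.1" 200 40',
    '198.51.100.4 - - [10/Jun/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(entry.split()[0], analyze(entry))
```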
The VoIP bug highlights the vulnerabilities inherent in VoIP technology. Mitel’s VoIP lets users make calls over the internet rather than over conventional phone lines.
CrowdStrike recommends that organizations strengthen their defenses by performing threat modeling and identifying malicious activity. The researchers also suggested segregating critical assets from perimeter devices to restrict access in case a perimeter device is compromised.