Hackers Abuse Mitel Devices to Amplify DDoS Attacks by 4 Billion Times

Threat actors have been observed abusing a high-impact reflection/amplification method to stage sustained distributed denial-of-service (DDoS) attacks for up to 14 hours with a record-breaking amplification ratio of 4,294,967,296 to 1.

The attack vector – dubbed TP240PhoneHome (CVE-2022-26143) – has been weaponized to launch significant DDoS attacks targeting broadband access ISPs, financial institutions, logistics companies, gaming firms, and other organizations.

“Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet,” Akamai researcher Chad Seaman said in a joint advisory.

“Attackers were actively leveraging these systems to launch reflection/amplification DDoS attacks of more than 53 million packets per second (PPS).”

DDoS reflection attacks typically involve spoofing the victim's IP address in requests sent to a third-party service such as a DNS, NTP, or CLDAP server, so that the server's replies go to the spoofed address; because those replies are much larger than the requests, the victim is flooded and its service becomes completely inaccessible.

The first sign of the attacks is said to have been detected on February 18, 2022, using Mitel’s MiCollab and MiVoice Business Express collaboration systems as DDoS reflectors, courtesy of the inadvertent exposure of an unauthenticated test facility to the public internet.

“This particular attack vector differs from most UDP reflection/amplification attack methodologies in that the exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1.”

Specifically, the attacks weaponize a driver called tp240dvr (“TP-240 driver”) that’s designed to listen for commands on UDP port 10074 and “isn’t meant to be exposed to the Internet,” Akamai explained, adding “It’s this exposure to the internet that ultimately allows it to be abused.”
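From the defender's side, the detail that matters is the port: traffic reaching UDP/10074 from the internet means the test facility is exposed, and sustained traffic leaving UDP/10074 toward a public host means it is already being used as a reflector. The following is an added example, not code from Akamai's or Mitel's advisory; it assumes UDP flow records in a constructed `Flow` shape, a constructed 600-second "sustained" threshold, and constructed sample addresses.

```python
# Added example (not from the advisory): flag UDP flow records that point at an
# exposed or abused Mitel TP-240 test facility (tp240dvr, UDP/10074).
# The Flow record shape and all sample addresses/values below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TP240_PORT = 10074       # UDP port the tp240dvr driver listens on (from the advisory)
SUSTAINED_SECONDS = 600  # assumed: legitimate test traffic should not run this long
# Only RFC 1918, loopback, link-local and multicast count as "inside" here.
NON_PUBLIC = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    duration_s: float

def is_public(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)

def classify(flow: Flow) -> "str | None":
    """Label a flow; None means nothing TP-240 related was seen."""
    # Inbound from the internet to the test port: the misdeployment itself.
    if flow.dport == TP240_PORT and is_public(flow.src):
        return "tp240-exposed"
    # Outbound from the test port to a public host: the system is answering a
    # (likely spoofed) requester, i.e. acting as a reflector.
    if flow.sport == TP240_PORT and is_public(flow.dst):
        if flow.duration_s >= SUSTAINED_SECONDS:
            return "tp240-reflection-sustained"
        return "tp240-reflection"
    return None

def scan(flows) -> dict:
    """Map each suspicious flow to its label; clean flows are omitted."""
    return {f: label for f in flows if (label := classify(f)) is not None}

# Constructed sample: internal check, probe from outside, a 14-hour reflection
# run toward a victim, and unrelated DNS traffic from the same gateway.
SAMPLE = [
    Flow("10.0.0.5", 40000, "10.0.0.20", 10074, 1, 0.1),
    Flow("203.0.113.7", 5555, "10.0.0.20", 10074, 1, 0.0),
    Flow("10.0.0.20", 10074, "198.51.100.9", 5555, 4_294_967_296, 14 * 3600),
    Flow("10.0.0.20", 53, "198.51.100.9", 5555, 10, 0.2),
]
```

A single "tp240-exposed" hit is already actionable, since the advisory notes one spoofed packet is enough to start a run; the mitigation is the vendor update plus blocking UDP/10074 at the perimeter.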

In response to the discovery, Mitel on Tuesday released software updates that disabled public access to the test feature, while describing the issue as an access control vulnerability that could be exploited to obtain sensitive information.

“The collateral impact of TP-240 reflection/amplification attacks is potentially significant for organizations with internet-exposed Mitel MiCollab and MiVoice Business Express collaboration systems that are abused as DDoS reflectors/amplifiers,” the company said.
