Attackers are abusing software designed to stress-test and debug Mitel enterprise communications systems to launch a unique new form of UDP reflection/amplification DDoS attacks — with the exposed system test facility able to launch sustained DDoS attacks of up to 14 hours through a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4.3 billion to 1.
A team of eight security organisations — including three rival DDoS mitigation protection companies — worked together to identify the source of the attacks, which have hit financial services organisations and ISPs. As both Cloudflare and Akamai noted in their advisories: “Collaboration across the operational, research, and vendor communities is central to the continued viability of the Internet. The quick response to and ongoing remediation of this high-impact DDoS attack vector has only been possible as a result of such collaboration.”
Some 2,600 of the Mitel systems were provisioned with the unauthenticated system test facility exposed to the public internet, and attackers rapidly adopted them to launch the attacks on victims, the companies said on March 8.
They also criticised both Mitel and end-users for inadvertently enabling this attack vector in the first place: “This scenario is yet another example of real-world deployments not adhering to vendor guidance. Vendors can prevent this situation by adopting ‘safe by default’ postures on devices before shipping.”
The researchers note that while this new Mitel DDoS attack vector offers an unprecedented level of amplification, and sustained attacks of up to 14 hours, a node can only attack one target at a time — while also becoming unavailable to its actual users for the duration. Mercifully, the affected Mitel hardware is relatively low-powered in terms of traffic generation.
“On an Internet where 100/Gbps links, dozens of CPU cores, and multi-threading capabilities have become commonplace, we can all be thankful this abusable service is not found on top-of-the-line hardware platforms capable of individually generating millions of packets per second, and running with thousands of parallelized threads,” Cloudflare’s Alex Forster noted.
So far the largest attack using this vector saw 53 Mpps and 23Gbps of traffic directed at a target for around five minutes — far lower levels than the theoretical maximum this vector enables. Researchers first spotted traffic from the service on 8 January and 7 February this year, with the first actual attack observed on 18 February.
The vulnerability, CVE-2022-26143: TP240PhoneHome, is within the tp240dvr (TP-240 driver) service of Mitel MiCollab and MiVoice Business Express systems, which listens on UDP port 10074 and can generate up to 393Mbps of sustained traffic per node, designed in normal use to stress-test a customer’s own system. This service should never be exposed to the internet — but around 2,600 Mitel systems have been misconfigured to allow external access to the port.
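Because the reflected traffic leaves an abused tp240dvr node from UDP source port 10074, that port is the practical detection and filtering handle for a target network (the vendor advisories recommend filtering UDP source port 10074 at the edge). The script below is an added example for this article, not code from Mitel or from any of the researchers named here. It assumes flow records (NetFlow/IPFIX-style) already flattened into Python objects, keys on UDP source port 10074, groups the reflected flows by destination so that a victim under attack from many converging reflectors stands out from a single legitimate Mitel peer, and uses the 393 Mbps per-node ceiling from the advisory to estimate how many exposed nodes an observed attack size implies. The flow records, IP addresses and thresholds are constructed for the example.

```python
"""Flow-level detection of TP240PhoneHome (CVE-2022-26143) reflection traffic.

Added example: not Mitel's code, not the researchers' code. Assumes flow
records flattened into Flow objects; all sample data below is constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

UDP = 17
TP240_PORT = 10074               # port the tp240dvr test facility listens on
TP240_NODE_MAX_BPS = 393_000_000  # per-node ceiling (~393 Mbps) cited in the advisory


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    bytes: int
    seconds: float  # flow duration as exported by the collector


@dataclass
class Finding:
    victim: str
    reflectors: List[str]  # abused Mitel nodes, for abuse reports / ACLs
    packets: int
    bytes: int
    pps: float
    bps: float


def tp240_flows(flows: Iterable[Flow]) -> List[Flow]:
    """Keep UDP flows whose *source* port is 10074: reflected tp240dvr output
    heading for whichever address the spoofed initiation packet named."""
    return [f for f in flows if f.proto == UDP and f.src_port == TP240_PORT]


def aggregate_by_victim(flows: Iterable[Flow],
                        min_reflectors: int = 2,
                        min_pps: float = 1_000.0) -> List[Finding]:
    """Group reflected flows by destination and flag destinations that receive
    converging traffic from several distinct reflectors above a rate floor.
    The rate is computed over the longest contributing flow, a conservative
    approximation of the attack window when flows overlap."""
    per_victim = defaultdict(list)
    for f in tp240_flows(flows):
        per_victim[f.dst_ip].append(f)

    findings = []
    for victim, fl in per_victim.items():
        reflectors = sorted({f.src_ip for f in fl})
        pkts = sum(f.packets for f in fl)
        byts = sum(f.bytes for f in fl)
        window = max(f.seconds for f in fl) or 1.0
        pps = pkts / window
        bps = byts * 8 / window
        if len(reflectors) >= min_reflectors and pps >= min_pps:
            findings.append(Finding(victim, reflectors, pkts, byts, pps, bps))
    return findings


def min_reflectors_for(bps: float) -> int:
    """Smallest number of exposed nodes that could produce `bps` of reflected
    traffic, given the ~393 Mbps per-node ceiling."""
    return math.ceil(bps / TP240_NODE_MAX_BPS)


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # Three exposed Mitel nodes reflecting toward one spoofed "initiator".
    Flow("198.51.100.10", TP240_PORT, "203.0.113.5", 40123, UDP, 600_000, 350_000_000, 60.0),
    Flow("198.51.100.11", TP240_PORT, "203.0.113.5", 40123, UDP, 600_000, 350_000_000, 60.0),
    Flow("198.51.100.12", TP240_PORT, "203.0.113.5", 40123, UDP, 600_000, 350_000_000, 60.0),
    # One node talking to a single peer at low volume: not flagged.
    Flow("198.51.100.20", TP240_PORT, "192.0.2.9", 51000, UDP, 40, 24_000, 30.0),
    # Unrelated DNS reply traffic: ignored by the source-port filter.
    Flow("192.0.2.53", 53, "203.0.113.5", 33333, UDP, 10, 5_000, 1.0),
]

if __name__ == "__main__":
    for hit in aggregate_by_victim(SAMPLE_FLOWS):
        print(f"victim {hit.victim}: {hit.pps:.0f} pps, {hit.bps/1e6:.0f} Mbps "
              f"from {len(hit.reflectors)} reflectors: {', '.join(hit.reflectors)}")
    print("nodes needed for a 23 Gbps attack:", min_reflectors_for(23e9))
```

The reflector list is the actionable output: it is what a target would hand to the exposing networks or to Shadowserver for remediation, while the victim-side mitigation is simply an ACL on UDP source port 10074. The node estimate shows why the hardware's low capacity matters: the 23 Gbps peak reported below needs the output of at least 59 exposed nodes.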
What makes this new Mitel DDoS attack vector notable is the amplification factor: in theory a single packet could trigger 14 hours of attack traffic, generating 4,294,967,294 packets and creating up to 2.5TB of traffic in total, according to the security advisory. A Cloudflare blog also noted the vulnerability could be used for other attacks: “This UDP call control port offers many other commands. With some work, it’s likely that you could use this UDP port to commit toll fraud, or to simply render the phone system inoperable. We haven’t assessed these other possibilities, because we do not have access to a device that we can safely test with.”
The main advisory notes it is almost impossible to trace the source of an attack using this method, thanks to the single-packet initiation. Targets to date have included ISPs, financial institutions, logistics firms, gaming companies and others. Mitel customers using the affected Mitel MiCollab and MiVoice Business Express systems can contact the company for a patch and remediation advice.
Mitel’s security advisory, which rates the vulnerability as critical, said: “A security access control vulnerability in Mitel MiCollab may allow a remote unauthenticated attacker to gain unauthorized access to sensitive information and services, potential code execution in the context of the conference component and impact the performance of the affected system. In the case of a sustained denial of service attack through a series of malformed messages, improper message handling may cause the MiCollab system to generate significant outbound traffic that does not include sensitive information.”
TP240PhoneHome is by far the most-amplified UDP attack vector ever recorded. The second-placed vector is Memcached, with an amplification factor of 50,000:1. The popular DNS vector has an amplification factor of up to 179:1. The researchers involved in identifying this DDoS attack vector include Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, Mitel, NETSCOUT ASERT, Team Cymru, TELUS, and The Shadowserver Foundation.