
Hackers Abuse Mitel Devices to Amplify DDoS Attacks by 4 Billion Times


Threat actors have been observed abusing a high-impact
reflection/amplification method to stage sustained distributed
denial-of-service (DDoS) attacks for up to 14 hours with a
record-breaking amplification ratio of 4,294,967,296 to 1.

The attack vector – dubbed TP240PhoneHome
(CVE-2022-26143) – has been weaponized to launch significant
DDoS attacks targeting broadband access ISPs, financial
institutions, logistics companies, gaming firms, and other
organizations.

“Approximately 2,600 Mitel MiCollab and MiVoice Business Express
collaboration systems acting as PBX-to-Internet gateways were
incorrectly deployed with an abusable system test facility exposed
to the public Internet,” Akamai researcher Chad Seaman said[1] in a
joint[2] advisory[3].


“Attackers were actively leveraging these systems to launch
reflection/amplification DDoS attacks of more than 53 million
packets per second (PPS).”

DDoS reflection attacks typically involve[4]
sending requests whose source IP address is spoofed to that of the
victim to an open reflector such as a DNS, NTP, or CLDAP server. The
reflector answers the spoofed address, so its replies land on the
victim, and because each reply is much larger than the request that
provoked it, the attacker's bandwidth is amplified until the victim's
links or services are saturated.

The first sign of the attacks was reportedly detected on
February 18, 2022, with Mitel’s MiCollab and MiVoice Business
Express collaboration systems serving as DDoS reflectors, courtesy of
the inadvertent exposure of an unauthenticated test facility to the
public internet.

“This particular attack vector differs from most UDP
reflection/amplification attack methodologies in that the exposed
system test facility can be abused to launch a sustained DDoS
attack of up to 14 hours in duration by means of a single spoofed
attack initiation packet, resulting in a record-setting packet
amplification ratio of 4,294,967,296:1.”

Specifically, the attacks weaponize a driver called tp240dvr
(“TP-240 driver”) that’s designed to listen for commands on UDP
port 10074 and “isn’t meant to be exposed to the Internet,” Akamai
explained, adding “It’s this exposure to the internet that
ultimately allows it to be abused.”
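The reflection mechanism described above and the UDP/10074 listener make the abuse visible at the border of whichever network hosts the gateway: a trigger packet arrives from the Internet on UDP/10074, and a flood leaves from UDP/10074 toward a single outside address. The script below is an added example, not code from the Akamai, Shadowserver or Cloudflare advisory or from Mitel; it flags both sides of that pattern in flow records. The CSV layout is an assumed NetFlow-style export, the `INTERNAL_NETS` prefixes and the 10,000-packet threshold are assumptions an operator would tune, and every address and counter in `SAMPLE_FLOWS` is constructed sample data.

```python
"""Spot abuse of the Mitel TP-240 test facility (tp240dvr, UDP/10074) in
flow records, from the vantage point of the network hosting the gateway.

Added example for this article; not code from Akamai, Shadowserver,
Cloudflare or Mitel. The CSV layout is an assumed NetFlow-style export and
every address and counter below is constructed sample data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

TP240_PORT = 10074                # UDP port tp240dvr listens on (from the advisory)
VICTIM_PACKET_THRESHOLD = 10_000  # assumed cut-off for "sustained" outbound traffic

# Prefixes we consider our own; anything else is treated as the Internet.
# Assumption: the operator replaces these with its real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows: 203.0.113.10 is the Internet-facing MiCollab/MiVoice
# Business Express gateway; 198.51.100.77 is the (spoofed) victim address.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
1645142400,udp,198.51.100.77,40001,203.0.113.10,10074,1,60
1645142401,udp,203.0.113.10,10074,198.51.100.77,40001,9800000,588000000
1645142402,udp,203.0.113.10,10074,198.51.100.77,40001,9800000,588000000
1645142405,udp,192.168.5.20,55321,203.0.113.10,10074,3,180
1645142406,udp,203.0.113.10,10074,192.168.5.20,55321,3,210
1645142410,udp,203.0.113.10,5060,198.51.100.9,5060,12,4800
"""


def is_external(ip: str) -> bool:
    """True when the address lies outside every prefix in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the CSV export into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(row["ts"]),
            "proto": row["proto"].lower(),
            "src_ip": row["src_ip"], "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"], "dst_port": int(row["dst_port"]),
            "packets": int(row["packets"]), "bytes": int(row["bytes"]),
        })
    return rows


def analyze(flows: list) -> dict:
    """Return triggers (Internet -> UDP/10074) and reflection victims
    (UDP/10074 -> Internet, above VICTIM_PACKET_THRESHOLD packets)."""
    triggers = []
    in_packets = defaultdict(int)
    out_packets = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst_port"] == TP240_PORT and is_external(f["src_ip"]):
            # A command reaching the test facility from outside; the source
            # is most likely the spoofed victim, not the real attacker.
            triggers.append(f)
            in_packets[f["src_ip"]] += f["packets"]
        elif f["src_port"] == TP240_PORT and is_external(f["dst_ip"]):
            out_packets[f["dst_ip"]] += f["packets"]
    victims = {}
    for ip, out in out_packets.items():
        if out < VICTIM_PACKET_THRESHOLD:
            continue
        inbound = in_packets.get(ip, 0)
        victims[ip] = {
            "out_packets": out,
            "in_packets": inbound,
            # Observed packet amplification; None when no trigger was seen
            # (the single spoofed packet may predate the capture window).
            "amplification": (out // inbound) if inbound else None,
        }
    return {"triggers": triggers, "victims": victims}


def theoretical_packets_per_trigger() -> int:
    """Upper bound from the advisory: 2,147,483,647 responses x 2 packets."""
    return 2 * 2_147_483_647


if __name__ == "__main__":
    report = analyze(parse_flows(SAMPLE_FLOWS))
    for ip, v in report["victims"].items():
        print(f"reflection toward {ip}: {v['out_packets']} packets out, "
              f"{v['in_packets']} in, amplification {v['amplification']}:1 "
              f"(theoretical max {theoretical_packets_per_trigger()}:1)")
```

Because one spoofed packet can keep the facility emitting for up to 14 hours, the outbound flood is the reliable signal; the inbound trigger may fall outside the capture window, which is why a victim entry is still reported when no trigger was matched. The same logic mirrored (inbound UDP flows with source port 10074 at high packet rates) serves the victim's side, and on the reflector's side the fix the article describes is to stop UDP/10074 from being reachable from the Internet and to apply Mitel's update.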


“Examination of the tp240dvr binary reveals that, due to its
design, an attacker can theoretically cause the service to emit
2,147,483,647 responses to a single malicious command. Each
response generates two packets on the wire, leading to
approximately 4,294,967,294 amplified attack packets being directed
toward the attack victim.”

In response to the discovery, Mitel on Tuesday released software
updates[5] that disable public access to the test feature, while
describing the issue as an access control vulnerability that could be
exploited to obtain sensitive information.

“The collateral impact of TP-240 reflection/amplification
attacks is potentially significant for organizations with
internet-exposed Mitel MiCollab and MiVoice Business Express
collaboration systems that are abused as DDoS
reflectors/amplifiers,” the company said.

“This may include partial or full interruption of voice
communications through these systems, as well as additional service
disruption due to transit capacity consumption, state-table
exhaustion of network address translations, stateful firewalls, and
so forth.”

References

  1. said (www.akamai.com)
  2. joint (www.shadowserver.org)
  3. advisory (blog.cloudflare.com)
  4. typically involve (www.link11.com)
  5. released software updates (www.mitel.com)
