Mitel Collaboration Systems Exploited to Launch Amplified DDoS Attacks
Attackers have been exploiting incorrectly provisioned Mitel MiCollab and MiVoice Business Express collaboration systems to launch massive amplified distributed denial-of-service (DDoS) attacks against financial institutions, logistics companies, broadband ISPs, and other organizations. The issue reportedly allows for an amplification factor as high as 4.3 billion to one.
Luckily, the number of vulnerable systems is rather limited. But the amplification factor still makes this a debilitating attack. Make sure you are not part of the problem and update your devices! Efforts are under way to notify organizations exposing vulnerable devices.
A packet amplification ratio of 4,294,967,296:1 is mind blowing. Anyone who has defended against a DDoS attack is very familiar with what amplification is, and a ratio like this is unheard of: typical reflectors (DNS, NTP, memcached) return tens to thousands of bytes per byte received, not billions of packets per packet.
This technique, dubbed TP240PhoneHome (CVE-2022-26143), abuses a system test service listening on UDP port 10074, which should never be reachable from the Internet. If you run these Mitel products, verify that you are restricting access to that service. The most recent software update from Mitel locks this port down. Even so, verify that you are protecting and monitoring use of that service, because the exposure is a network-access problem as much as a software one. All this attack takes is a single malicious command packet, sent with the victim's address forged as the source, to release a flood of roughly 4.3 billion packets over about 14 hours, or about 2.5 TB of traffic at about 393 Mbps, from a single amplifier.
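One practical way to act on the "protect and monitor" advice above is to check flow telemetry for two things: Internet sources reaching UDP/10074 on your Mitel hosts at all (exposure), and outbound UDP/10074 flows whose packet count dwarfs what the peer ever sent (the amplifier working for an attacker). The script below is an added example, not Mitel's or any vendor's code. It runs over constructed flow records in a generic 5-tuple shape (the kind you would export from NetFlow/IPFIX or Zeek's conn.log); the appliance address 192.0.2.10, the internal ranges, and the thresholds are assumptions for illustration. Because a reflection attack spoofs the victim's address on the inbound trigger packet, pairing inbound and outbound flows by (appliance, peer) lines the spoofed request up with the flood it caused.

```python
"""Flag TP240PhoneHome (CVE-2022-26143) style abuse of UDP/10074 in flow records.

Added example, not Mitel or vendor code. All flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

TP240_PORT = 10074       # Mitel system test service; must never face the Internet
MIN_AMP_RATIO = 1000     # packets out / packets in; genuine test traffic is ~1:1
MIN_OUT_PKTS = 100_000   # absolute floor so one stray reply does not raise an alert


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int


def _in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_tp240_abuse(flows, internal_nets, min_ratio=MIN_AMP_RATIO, min_out_pkts=MIN_OUT_PKTS):
    """Return exposure (external sources hitting 10074) and amplification findings.

    Inbound and outbound flows are paired by (appliance, peer). In a reflection
    attack the inbound trigger packet carries the victim's spoofed source, so the
    pair (appliance, victim) holds both the tiny request and the huge reply flood.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    exposed_from = set()
    in_pkts = defaultdict(int)   # (appliance, peer) -> packets sent to 10074
    out_pkts = defaultdict(int)  # (appliance, peer) -> packets sent from 10074
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == TP240_PORT and _in_nets(f.dst, nets) and not _in_nets(f.src, nets):
            exposed_from.add(f.src)
            in_pkts[(f.dst, f.src)] += f.pkts
        if f.sport == TP240_PORT and _in_nets(f.src, nets) and not _in_nets(f.dst, nets):
            out_pkts[(f.src, f.dst)] += f.pkts

    amplification = []
    for (appliance, peer), out in out_pkts.items():
        inbound = in_pkts.get((appliance, peer), 0)
        ratio = out / max(inbound, 1)      # a flood with no recorded trigger still counts
        if out >= min_out_pkts and ratio >= min_ratio:
            amplification.append({"amplifier": appliance, "victim": peer,
                                  "pkts_in": inbound, "pkts_out": out, "ratio": ratio})
    amplification.sort(key=lambda a: -a["ratio"])
    return {"exposed_from": sorted(exposed_from), "amplification": amplification}


# Constructed records. 192.0.2.10 plays the Mitel appliance; 10.0.0.0/8 is the
# management LAN from which the test service is legitimately used.
INTERNAL_NETS = ["10.0.0.0/8", "192.0.2.0/24"]
SAMPLE_FLOWS = [
    # Legitimate test run from the management LAN: request and reply are ~1:1.
    Flow("10.0.0.5", 51000, "192.0.2.10", TP240_PORT, "udp", 3, 180),
    Flow("192.0.2.10", TP240_PORT, "10.0.0.5", 51000, "udp", 3, 360),
    # Internet scanner probing the port: exposure finding, but no amplification.
    Flow("198.51.100.9", 40000, "192.0.2.10", TP240_PORT, "udp", 1, 60),
    Flow("192.0.2.10", TP240_PORT, "198.51.100.9", 40000, "udp", 1, 120),
    # Attack: one packet "from" the victim (spoofed), then a 14-hour reply flood.
    Flow("203.0.113.7", 12345, "192.0.2.10", TP240_PORT, "udp", 1, 60),
    Flow("192.0.2.10", TP240_PORT, "203.0.113.7", 12345, "udp", 4_294_967_296, 2_500_000_000_000),
    # Unrelated HTTPS traffic that must not trip the check.
    Flow("203.0.113.7", 55555, "192.0.2.10", 443, "tcp", 20, 4000),
]


def main():
    report = find_tp240_abuse(SAMPLE_FLOWS, INTERNAL_NETS)
    for src in report["exposed_from"]:
        print(f"EXPOSED: {src} reached UDP/{TP240_PORT} from outside the internal ranges")
    for a in report["amplification"]:
        print(f"AMPLIFYING: {a['amplifier']} -> {a['victim']}: "
              f"{a['pkts_in']} pkt in, {a['pkts_out']} pkt out, ratio {a['ratio']:.0f}:1")


if __name__ == "__main__":
    main()
```

Any entry under "exposed" means the access restriction the advisory calls for is not in place, whatever the software version; an "amplifying" entry means the device is already being used against someone and the outbound flood should be blocked at the edge while the port is closed off.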