CVE-2022-26143: TP240PhoneHome

Industry: N/A | Level: Strategic | Source: Akamai

Analysis of a sharp increase in DDoS attacks, utilizing UDP port 10074, has been observed since mid-February 2022, by a group of researchers in Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, NETSCOUT Arbor ASERT, TELUS, Team Cymru, and The Shadowserver Foundation. The source of the activity has been determined to be from, "MiCollab and MiVoice Business Express collaboration systems produced by Mitel'' abusing a service called tp240dvr. An estimated 2600 systems were not properly provisioned as the service is designed to "stress-test its clients in order to facilitate debugging and performance testing" and "is not meant to be exposed to the Internet." Attackers have utilized the exposed PBX VoIP gateway to execute high volume reflection/amplification DDoS attacks. Internet service providers observed to have been impacted include industries in financial, gaming and logistics. From the researcher's review the largest observed attack was "approximately 53 million packets-per-second (mpps) and 23 gigabits-per-second (gb/sec). The average packet size for that attack was approximately 60 bytes, with an attack duration of approximately 5 minutes." Currently Mitel is working towards a patch to disable the exposed system test facility.