Alarm raised over bug that opens the door to colossal DDoS attacks


Cybersecurity researchers have discovered a highly potent flaw in Mitel MiCollab and MiVoice Business Express systems that could enable Distributed Denial of Service (DDoS) attacks amplified by a factor of 4,294,967,296:1.

Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus, and The Shadowserver Foundation found the CVE-2022-26143 flaw in some 2,600 incorrectly provisioned systems. These act as PBX-to-internet gateways, and come with a test mode that shouldn't be reachable from the internet.

When that test mode is reachable from the internet, the trouble starts.

"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," Shadowserver explained in a blog post.


Rendering the system useless

"It should be noted that this single-packet attack initiation capability has the effect of precluding network operator traceback of the spoofed attack initiator traffic. This helps mask the attack traffic generation infrastructure, making it less likely that the attack origin can be traced compared with other UDP reflection/amplification DDoS attack vectors."

In other words, a threat actor can abuse a driver in the Mitel system, making it perform a stress test that emits status update packets. As the Mitel system can produce up to 4,294,967,294 packets over 14 hours, each up to 1,184 bytes in size, that makes for a hell of a potent DDoS machine to aim at any web hosting provider.

"This would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length," the company explains. "This results in a nearly unimaginable amplification ratio of 2,200,288,816:1 -- a multiplier of 220 billion percent, triggered by a single packet." 

The silver lining here is the fact that a Mitel system can only work on a single command at a time, so using it to DDoS a web hosting provider would render it useless for anything else, and someone's bound to spot it sooner rather than later.

The patch is already available, so all Mitel system users are advised to apply it immediately. Those unable to act quickly can also block unwanted traffic to UDP port 10074 with the tools at their disposal.
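For operators who cannot patch straight away, the article's UDP port 10074 advice can also be turned into a detection. The script below is an added example, not Mitel's or the researchers' code: it reads constructed NetFlow-style records and flags two things, inbound UDP/10074 traffic reaching the PBX from outside a management network (the test facility should never be internet-reachable) and reply traffic leaving the PBX from source port 10074 toward an untrusted address (the amplified stream aimed at a spoofed victim). The PBX address, management network and record format are assumptions.

```python
import ipaddress
from typing import NamedTuple

TP240_PORT = 10074  # UDP port the article says to block

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int

def parse_flows(text: str) -> list[Flow]:
    """Parse constructed 'src,sport,dst,dport,proto,packets' lines; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, int(sport), dst, int(dport), proto.lower(), int(pkts)))
    return flows

def is_trusted(ip: str, trusted_nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)

def find_alerts(flows, pbx_hosts, trusted_nets):
    """Return (kind, flow) pairs for UDP/10074 traffic crossing the trust boundary."""
    alerts = []
    for f in flows:
        if f.proto != "udp":
            continue
        # Attack initiation: the test facility must only be reachable from management hosts.
        if f.dst in pbx_hosts and f.dport == TP240_PORT and not is_trusted(f.src, trusted_nets):
            alerts.append(("inbound-untrusted-tp240", f))
        # Amplified reply stream: packets from port 10074 heading anywhere untrusted.
        elif f.src in pbx_hosts and f.sport == TP240_PORT and not is_trusted(f.dst, trusted_nets):
            alerts.append(("outbound-amplified-tp240", f))
    return alerts

# Constructed sample: one trigger packet whose source is forged as the victim, then the flood back.
SAMPLE_FLOWS = """
# src,sport,dst,dport,proto,packets
10.0.5.20,40101,10.0.9.1,10074,udp,3
203.0.113.9,53211,10.0.9.1,10074,udp,1
10.0.9.1,10074,203.0.113.9,53211,udp,8520000
10.0.9.1,5060,10.0.5.30,5060,udp,40
"""
PBX_HOSTS = {"10.0.9.1"}                          # assumption: the Mitel gateway address
TRUSTED = [ipaddress.ip_network("10.0.5.0/24")]   # assumption: management network only
```

Note that the single forged trigger packet and the multi-million-packet reply both show up, which is the traceback problem Shadowserver describes: the real initiator never appears in the flows.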

The flaw has already been used in the wild, targeting financial institutions and logistics firms.

Via: ZDNet

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
