Malware Found Targeting ‘Mitel SIP Phones’: What You Need to Know

Mitel SIP phones may be at risk, according to cybersecurity company Akamai, whose threat intelligence team discovered malware that is “actively attempting to exploit Mitel SIP phones.”

“This malware exhibits a behavior we have never before seen with a Mirai variant,” the blog said.

Akamai released its findings in a blog post on 28 January, outlining the evidence of active exploitation and how this significant security threat leaves Mitel SIP phones vulnerable to attack.

The Threat

The Akamai Security Intelligence and Response Team (SIRT) has identified a new variant of Mirai-based malware, dubbed Aquabotv3, which is actively attempting to exploit Mitel SIP phones.

This malware exploits CVE-2024-41710, a command injection vulnerability affecting various Mitel models.

The vulnerability was discovered by a researcher at penetration testing company Packetlabs in August 2024.

A proof of concept (PoC), a practical demonstration of how the vulnerability could be exploited, was found to affect Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit.

The flaw relies on an input sanitisation issue—how the device handles and processes user-supplied input—and its exploitation can lead to root access to the device.

Root access to the device means an attacker gains complete control over the system, allowing them to read the messages the phone receives, access contact information, change settings such as passwords, or even use the phone to launch a wider attack on the company’s SIP phone systems.
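The general pattern behind a command injection of this kind, as an added illustration that is not Mitel firmware or Akamai’s research code: the “diagnostic ping” feature, its parameter and the validation rules below are assumptions chosen to show how an unsanitised value reaches a shell, how the same feature looks once the input is validated and passed as a separate argument, and how a reviewer can flag suspicious request parameters in web-admin logs.

```python
"""Added example: a command-injection pattern and its hardened form.

Illustrative code, not Mitel firmware or Akamai research code. The 'diagnostic
ping' feature, its parameter and the validation rules are assumptions chosen to
show how an input sanitisation gap turns into command execution, and what the
fix looks like.
"""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123-style hostname: labels of letters, digits and hyphens, not starting
# or ending with a hyphen, joined by dots. Anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters that let a value escape its intended role inside a shell string.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\r]")


def vulnerable_command(target: str) -> str:
    """'Before': the user-supplied value is pasted into one shell string.

    Handed to os.system() or subprocess with shell=True, a value such as
    '192.0.2.1; <second command>' runs the second command with the web
    server's privileges, which on embedded devices is often root.
    """
    return f"ping -c 1 {target}"


def has_shell_metacharacters(value: str) -> bool:
    """Triage helper: flag request parameters that cannot be a plain host,
    useful when reviewing web-admin access logs for exploit attempts."""
    return SHELL_META_RE.search(value) is not None


def validate_target(target: str) -> str:
    """Allow-list validation: accept an IP literal or a hostname, else raise."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def hardened_argv(target: str) -> List[str]:
    """'After': validated value, passed as its own argv element, no shell."""
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target: str) -> int:
    """Execute the hardened form. shell=False means argv elements are never
    re-parsed, so metacharacters in `target` would reach ping as a literal
    (and validate_target has already rejected them anyway)."""
    return subprocess.run(hardened_argv(target), check=False).returncode


if __name__ == "__main__":
    hostile = "192.0.2.1; id"  # constructed sample input
    print("vulnerable string:", vulnerable_command(hostile))
    print("flagged for review:", has_shell_metacharacters(hostile))
    try:
        hardened_argv(hostile)
    except ValueError as exc:
        print("hardened form:", exc)
```

The two fixes are independent and both matter: the allow-list rejects anything that is not a host, and passing an argv list without a shell means that even a value the validator missed would be handed to the program as data rather than re-parsed as commands.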

Following the discovery, Mitel released an update to their software.

Active Exploitation

Since the exploit was found, Akamai SIRT has detected exploit attempts targeting this vulnerability.

Through its global network of honeypots (decoy systems or servers set up to attract attackers and monitor malicious activity), the SIRT observed exploit attempts in January 2025.

The payload used in these attempts was almost identical to the August 2024 PoC, but this time it was being used to spread malware.

The Threat: Aquabotv3

Based on its analysis of the malware samples, Akamai determined that this is a version of the Aquabot Mirai variant.

Aquabot is a botnet (a network of compromised internet-connected devices infected with malware) built on the Mirai malware framework and designed primarily for launching distributed denial-of-service (DDoS) attacks.

DDoS attacks are a way for attackers to keep a company’s systems offline by flooding them with traffic.

Unlike ransomware, whose explicit aim is to extort a ransom, a DDoS attack does not demand payment outright, but it can have the same effect if systems are down long enough that victims pay for the attacks to stop.

While this variant shares similarities with a previously found Aquabotv2, it has some notable differences that led researchers to dub it Aquabotv3.

One of Aquabotv3’s most significant features is its ability to catch and report kill signals—specific commands or signals sent to a running malware process to terminate it—back to the attackers controlling it.

This behaviour, previously unseen in Mirai variants, is thought to be a technique for keeping the bot undetected and preventing it from being shut down.
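How a defender checks for the behaviour described above, as an added example that is not part of Akamai’s report or of any Mitel component: the child process below simply ignores SIGTERM, as a stand-in for a process that handles termination signals itself, and the routine around it shows why a single kill must be followed by a check and, if needed, an escalation to SIGKILL, which a process cannot catch or ignore. The code assumes a POSIX system, and the one-second grace period is an assumption.

```python
"""Added example: verifying that a process actually terminated.

Illustrative code, not from Akamai's report or any Mitel component. A process
that installs its own handler for SIGTERM survives an ordinary `kill <pid>`;
the defender-side routine below sends the polite signal, waits a grace
period, and escalates to SIGKILL (which cannot be caught) if the process is
still alive. POSIX only.
"""
import signal
import subprocess
import sys


def spawn(ignore_sigterm: bool) -> subprocess.Popen:
    """Start a constructed child process that sleeps for a minute.

    With ignore_sigterm=True the child discards SIGTERM, standing in for a
    process that handles termination signals itself. The child prints
    'ready' once its handler is installed so the parent never signals it
    too early.
    """
    handler = "signal.signal(signal.SIGTERM, signal.SIG_IGN)" if ignore_sigterm else "pass"
    code = (
        "import signal, time\n"
        f"{handler}\n"
        "print('ready', flush=True)\n"
        "time.sleep(60)\n"
    )
    proc = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()  # block until the child reports it is set up
    return proc


def terminate_and_verify(proc: subprocess.Popen, grace: float = 1.0) -> str:
    """Send SIGTERM, confirm exit within `grace` seconds, else escalate.

    Returns the name of the signal that actually ended the process, so a
    caller can record that SIGTERM alone was not enough, itself a useful
    indicator when the process was not expected to resist termination.
    """
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=grace)
        ended_by = "SIGTERM"
    except subprocess.TimeoutExpired:
        proc.kill()  # SIGKILL on POSIX: delivered by the kernel, not the process
        proc.wait(timeout=grace)
        ended_by = "SIGKILL"
    if proc.stdout is not None:
        proc.stdout.close()
    return ended_by


if __name__ == "__main__":
    print("well-behaved child ended by:", terminate_and_verify(spawn(ignore_sigterm=False)))
    print("signal-catching child ended by:", terminate_and_verify(spawn(ignore_sigterm=True)))
```

The practical lesson is to treat termination as something to verify, not assume: a response playbook that sends SIGTERM and moves on can leave a bot running, and a process that needed SIGKILL when SIGTERM should have sufficed is itself worth investigating.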

The malware also employs obfuscation techniques, such as renaming itself to legitimate names to avoid detection.

Mitigation and Prevention

Although a threat to Mitel SIP phones, Aquabotv3 doesn’t limit itself to just them (the same malware was observed spreading through other commonly exploited vulnerabilities).

Still, the fact that this attack capability is being sold as a service on Telegram under various names, including Cursinq Firewall, The Eye Services, and The Eye Botnet, offering Layer 4 and Layer 7 DDoS, shows that Mitel users should take it seriously.

While not offering a panacea, Akamai advises organisations to take action with some basic cyber hygiene on their devices.

This includes discovering and changing default credentials, as many of these botnets rely on common password libraries for authentication.

Equally, they recommend finding connected IoT devices and making sure they are secure so attackers can’t use them to access and embed themselves in the broader network.

Mitel has recommended that customers with affected product versions update their devices to the latest release to protect the devices themselves.

Akamai SIRT states they will continue to monitor and report on these threats.

from UC Today https://ift.tt/ZDS4qPz
