/plushcap/analysis/cloudflare/cve-2022-26143

CVE-2022-26143: TP240PhoneHome reflection/amplification DDoS attack vector

What's this blog post about?

Security researchers have observed a spike in DDoS attacks using UDP port 10074, targeting various sectors including broadband access ISPs and financial institutions. The devices abused for these attacks are MiCollab and MiVoice Business Express collaboration systems produced by Mitel, which incorporate TP-240 VoIP-processing interface cards and supporting software. Approximately 2600 of these systems have been incorrectly provisioned so that an unauthenticated system test facility has been inadvertently exposed to the public Internet, allowing attackers to leverage these PBX VoIP gateways as DDoS reflectors/amplifiers. Mitel is aware of this issue and has been actively working with customers to remediate abusable devices with patched software that disables public access to the system test facility. The researchers recommend using standard DDoS defense tools and techniques, such as flow telemetry, packet capture, network access control lists (ACLs), destination-based remotely triggered blackhole (D/RTBH), source-based remotely triggered blackhole (S/RTBH), and intelligent DDoS mitigation systems to detect, classify, trace back, and safely mitigate these attacks.

Company
Cloudflare

Date published
March 8, 2022

Author(s)
Alex Forster

Word count
2166

Language
English

Hacker News points
4


By Matt Makai. 2021-2024.