Our Services team recently conducted an investigation that identified a compromised Mitel VoIP appliance as the threat actor’s entry point.
And, whew! Did we find some interesting insights!
Essentially, the threat actor had developed a novel remote code execution exploit for the Mitel appliance to gain initial access to the environment. We identified and reported the vulnerability to Mitel, and CVE-2022-29499 was created. The threat actor used anti-forensic techniques on the VoIP appliance in an attempt to hide their activity.
If you like digging into the details, feel free to check out our analysis, here: https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/
As far as concluding thoughts go, I think our team says it best below...
"Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense..."
What are your thoughts on what this exploit revealed? Any additional recommendations you think other SpiceHeads need to hear?