A suspected ransomware attack against an anonymous target exploited a Mitel VoIP device as an entry point to perform remote code execution and provide initial access to the environment. The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device located in the network perimeter, while also identifying a previously unknown exploit, as well as several actor-adopted forensics measures.

To remove traces of their actions, on the device, the exploit is tracked as CVE-2022-29499 and was fixed by Mitel in April 2022. It is rated 9.8 out of 10 for severity in the CVSS vulnerability scoring system, making it a critical shortcoming. "A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400 and Virtual SA) that could allow a malicious actor to execute remote code (CVE-2022-29499). In the Service Appliance context," the company stated in an advisory. This exploit required two HTTP GET requests used to retrieve a specific resource from a server, triggering remote code execution by fetching rogue commands from the attacker-controlled infrastructure.