Security researchers have observed attackers abusing a potent reflection/amplification technique to run distributed denial-of-service (DDoS) attacks that last as long as 14 hours, with an unprecedented amplification ratio of 4,294,967,296 to 1.

This attack vector, known as TP240PhoneHome (CVE-2022-26143), has been specifically weaponized to target various sectors, including broadband access Internet Service Providers (ISPs), financial institutions, logistics companies, gaming enterprises, and other organizations susceptible to such aggressive DDoS techniques.

Akamai’s Chad Seaman reported that approximately 2,600 Mitel MiCollab and MiVoice Business Express systems, which act as gateways between PBX systems and the Internet, were misconfigured so that a test facility was reachable from the public Internet, allowing attackers to abuse it for DDoS attacks. The findings were published in advisories from several security organizations.

Attackers used these misconfigured systems to launch DDoS attacks exceeding 53 million packets per second (PPS). In a DDoS reflection attack, the attacker sends requests carrying the victim's spoofed source IP address to servers such as DNS, NTP, or CLDAP; the servers then send their responses, which are much larger than the requests, to the victim, overwhelming its services.

Indicators suggest that the attacks began on February 18, 2022, leveraging the Mitel systems as DDoS reflectors due to the inadvertent exposure of an unauthenticated test feature to the public Internet.

This particular attack vector sets itself apart from most UDP reflection methodologies, as the exposed test facility can be exploited to sustain a DDoS attack for extended periods through a single spoofed initiation packet, achieving an exceptional amplification ratio of 4,294,967,296 to 1.

The attack leverages a driver known as tp240dvr (“TP-240 driver”), which is designed to listen for commands on UDP port 10074 and is not intended for Internet exposure. Akamai clarified that it is this exposure that allows the abuse of the system.

Inspection of the tp240dvr binary showed that an attacker could theoretically make the service emit 2,147,483,647 responses in reply to a single command, each response consisting of two packets, directing nearly 4.3 billion amplified packets at the intended victim.
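Because the abused service always answers from UDP port 10074, both sides of the attack leave a distinctive mark in flow telemetry: a victim sees many external hosts sending from source port 10074, and an exposed Mitel gateway sends vastly more packets from port 10074 than it receives on it. The following added example, which is not from the original article or from Akamai or Mitel, runs those two checks over constructed NetFlow-style records; the `Flow` record layout, the local network prefix and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TP240_PORT = 10074  # UDP port the tp240dvr service listens on, per the advisory


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow summary (NetFlow/IPFIX-style); layout is assumed."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    packets: int


# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed local address space
SAMPLE_FLOWS = [
    # Reflected traffic hitting a local victim: several external hosts, all from UDP/10074.
    Flow("198.51.100.11", TP240_PORT, "203.0.113.10", 40000, "udp", 1_500_000),
    Flow("198.51.100.12", TP240_PORT, "203.0.113.10", 40000, "udp", 1_200_000),
    Flow("198.51.100.13", TP240_PORT, "203.0.113.10", 40000, "udp", 900_000),
    # Ordinary DNS reply: must not be flagged.
    Flow("198.51.100.53", 53, "203.0.113.20", 51234, "udp", 2),
    # A local gateway abused as a reflector: one inbound packet, a huge outbound stream
    # toward the (spoofed) source that the attacker wants hit.
    Flow("192.0.2.7", 55555, "203.0.113.50", TP240_PORT, "udp", 1),
    Flow("203.0.113.50", TP240_PORT, "192.0.2.7", 55555, "udp", 4_000_000),
]


def _is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NET


def reflection_victims(flows, min_sources=2, min_packets=100_000):
    """Local hosts receiving UDP from source port 10074 sent by several distinct
    external hosts. Returns {victim_ip: (distinct_reflectors, total_packets)}."""
    per_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if (f.proto == "udp" and f.src_port == TP240_PORT
                and _is_local(f.dst_ip) and not _is_local(f.src_ip)):
            entry = per_victim[f.dst_ip]
            entry[0].add(f.src_ip)
            entry[1] += f.packets
    return {v: (len(s), p) for v, (s, p) in per_victim.items()
            if len(s) >= min_sources and p >= min_packets}


def abused_reflectors(flows, min_ratio=100):
    """Local hosts that answer from UDP/10074 with far more packets than they
    received on that port, i.e. our own systems serving as amplifiers.
    Returns {local_ip: observed_packet_amplification_ratio}."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == TP240_PORT and _is_local(f.dst_ip):
            inbound[f.dst_ip] += f.packets
        elif f.src_port == TP240_PORT and _is_local(f.src_ip) and not _is_local(f.dst_ip):
            outbound[f.src_ip] += f.packets
    result = {}
    for host, out_pkts in outbound.items():
        ratio = out_pkts / max(inbound[host], 1)  # avoid division by zero
        if ratio >= min_ratio:
            result[host] = ratio
    return result


if __name__ == "__main__":
    print("victims under reflection:", reflection_victims(SAMPLE_FLOWS))
    print("local hosts abused as reflectors:", abused_reflectors(SAMPLE_FLOWS))
```

The second check is the one that matters for a Mitel operator: any local host that appears in its output is exposing the test facility and should be patched or firewalled from the Internet on UDP/10074, while the first check gives a victim's network team a port-based filter target for upstream mitigation.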

In light of these findings, Mitel issued software updates to disable public access to the exposed test feature, categorizing the issue as an access control vulnerability with the potential for sensitive information exposure.

The potential fallout from TP-240 reflection/amplification attacks is considerable for organizations with insecure Mitel MiCollab and MiVoice Business Express systems, which can be abused as DDoS amplifiers. The consequences can include interruptions to voice communications, as well as service disruptions caused by transit capacity consumption, state-table exhaustion, and exhaustion of other network resources.