Thought leadership. threat analysis, news and alerts.
Decade-Old Vulnerability Found in Avaya VoIP Phones
Researchers at McAfee Advanced Threat Research have discovered a decade-old security vulnerability lurking in the Voice over Internet Protocol (VoIP) phones of Avaya, the world’s second largest VOIP phone provider.
The decade-old vulnerability present in Avaya VOIP phones, specifically 9600 Series, J100 Series and B189 Series using the H.323 firmware, according to researchers at McAfee Advanced Threat Researchallows remote code execution (RCE) – enabling an attacker to access someone else's device and make changes to it, regardless of where this device is geographically located.
The RCE vulnerability in a piece of open-source software that Avaya used, the researchers said, was likely copied and modified 10 years ago and the company failed to apply subsequent security patches. The researchers added that a malicious actor exploiting the said vulnerability could take over the normal operation of the phone, copy audio from speakerphone and “bug” the phone.
The piece of open-source software that Avaya copied bore the 2004-2007 copyright, which according to the researchers is a “big red flag” as this piece of software has an exploit that has been publicly available since 2009. The 2009 exploit demonstrated that devices using DHCP client version 4.1 and below allows remote DHCP servers to execute arbitrary code. A DHCP client, also known as dhclient, is a device that needs an IP address; while DHCP server hands out an IP address to the dhclient.
Researchers at McAfee Advanced Threat Research found that Avaya VOIP phone’s version of dhclient is vulnerable to the exploit reported in 2009. The researchers said that malicious actors could build a “weaponized version” of the exploit and threaten private networks.
The researchers reported their discovery to Avaya. In June this year, Avayaissued a patch for the affected VOIP phones.
VOIP Phones as Path to Intrusion
Early this month, researchers at Microsoft Threat Intelligence Center reported that VoIP phone is one of the devices being used by a known cyber adversary to gain initial access to corporate networks. Aside from VoIP phone, the researchers said, popular office IoT devices printer and video decoder, are also being used by this known cyber adversary in gaining an initial foothold into corporate networks.
Researchers at Microsoft Threat Intelligence Center, however, didn’t specify the brands of VOIP phone, office printer and video decoder. These office devices, according to the researchers, were compromised either as these devices were deployed without changing the default manufacturer’s login details or the latest security update hadn’t been applied.
According to Microsoft Threat Intelligence Center researchers, the known cyber adversary used these 3 popular office IoT devices as points of ingress in gaining initial foothold to a corporate network. Once inside a corporate network via these compromised IoT devices, the attacker was seen conducting a simple network scan to look for other vulnerable devices.
As the attacker moved from one vulnerable device to another, a simple shell script was dropped to establish persistence on the network. This simple shell script allowed the attacker to search for higher-privileged accounts that would grant access to higher-value data, the researchers at Microsoft Threat Intelligence Center found.
Aside from using popular office IoT devices as points of ingress in accessing high-value data, these compromised devices are also used to build a botnet – referring to a group of devices infected with a malicious software (malware) and controlled by an attacker or attackers for malicious activities, including distributed denial-of-service (DDoS) attacks. In a DDoS attack, a botnet or group of infected devices is controlled to direct their traffic to a target, overwhelming this target with too much traffic that the target can’t handle, ultimately bringing the target offline and rendering the target inaccessible to its legitimate customers.
VPNFilter is an example of a botnet. At its peak, VPNFilter infected at least 500,000 networking devices in at least 54 countries. The following are devices affected by VPNFilter: Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.
According to researchers at Cisco, VPNFilter has a self-destruct capability that can be triggered en masse via the botnet structure and has the potential of cutting off internet access for hundreds of thousands of users worldwide. The researchers are unsure why so many devices were infected with VPNFilter. Most of the infected devices, however, have known public exploits or default manufacturer’s login details hadn’t been changed.
In May 2018, the potential negative effect of VPNFilter was mitigated when the U.S. Federal Bureau of Investigation (FBI)seized a domain used as command and control (C2) by the threat group in their botnet campaign. In a botnet operation, C2 (could be a website or a public cloud account) is used to communicate or control the infected devices.
The devastating effect of a botnet was shown to the world when the Mirai botnet attacked in 2016 Dyn, a major dynamic DNS provider, resulting in the widespread internet outages across the U.S. and Europe. The earlier versions of the Mirai, including the one that attacked Dyn, infected hundreds of thousands of wireless cameras and routers and turned them as botnets. Since the publication of the source code of the Mirai in 2016, a number of Mirai versions has been observed in the wild.
Researchers at Palo Alto Networks discovered a different version of the Mirai which targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs – IoT devices that are often used by businesses. Many of the Mirai variants infect IoT devices by exploiting the practice of users of not changing the default manufacturer’s login details.
Today’s IoT devices outnumber the combined number of personal computers and mobile phones. Hundreds of thousands, if not, millions of these IoT devices are, however, left without basic management.
Changing the default manufacturer’s login details and applying the latest security update are two cyber security best practices in preventing malicious actors from accessing your organization’s network. These practices also stop your organization’s IoT devices from being used as part a botnet for malicious activities such as DDoS attacks.
Steve E. Driz, I.S.P., ITCP