Ransomware Hacker Spotted Using Zero-Day Exploit on Business Phone VoIP Device

To spread ransomware to a company, a hacker resorted to using a previously unknown vulnerability in a business phone VoIP device.

The finding comes from the security firm Crowdstrike. On Thursday, the company wrote a blog post(Opens in a new window) about a suspected ransomware intrusion against an unnamed customer.

Ransomware attacks often occur through phishing emails or poorly-secured computers. But in this case, the hacker had enough know-how to uncover a new vulnerability in a Linux-based VoIP appliance from the business phone provider Mitel. 

The resulting zero-day exploit allowed the hacker to break into the company’s network through a VoIP device, which had limited security safeguards onboard. The attack was designed to essentially hijack the Linux-based VoIP appliance so that the hacker could infiltrate other parts of the network. 

Fortunately, Crowdstrike was able to detect the hacker’s presence due to its security software spotting the unusual activity over the victim’s network. The company also reported the previously unknown vulnerability to Mitel, which supplied(Opens in a new window) a patch to affected customers back in April. 

Still, the incident underscores the growing concern that ransomware groups will use zero-day exploits to attack more victims. Earlier this month, NSA Director of Cybersecurity Rob Joyce said some ransomware gangs are now rich enough to buy zero-day exploits from underground dealers or fund research into uncovering new software vulnerabilities. 

Crowdstrike added: “When threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense.” To stay protected, companies should ensure perimeter devices, such as business VoIP appliances, remain isolated from their network’s most critical assets, the security firm said.

Recommended by Our Editors

Companies that use Mitel’s MiVoice Connect product should also implement the patch as soon as possible to prevent further exploitation.

Like What You’re Reading?

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

fbq('init', '454758778052139'); fbq('track', "PageView");


Leave a Reply

Your email address will not be published.

Back to top