The Lorenz ransomware group is abusing a critical vulnerability in Mitel MiVoice VoIP appliances to breach corporate networks, using the phone systems as its initial access vector.

Discussing the attack

Researchers from Arctic Wolf Labs disclosed that the Lorenz group has adopted a new tactic: abusing a flaw in Mitel MiVoice Connect devices to obtain initial access.
  • Lorenz abused the CVE-2022-29499 vulnerability in the Mitel Service Appliance component of MiVoice Connect to obtain a reverse shell, and used Chisel as a tunneling tool to get access to the device.
  • The Lorenz group used FileZilla for data exfiltration, and encryption was done using BitLocker.
  • Researchers also revealed overlaps with another ransomware attack in which the same vulnerability was abused for initial access.

All about Lorenz

Lorenz is a ransomware group that has been targeting enterprises around the world since December 2020. The group demands hundreds of thousands of dollars in ransom from every victim.
  • A researcher from ID Ransomware disclosed that the encryptor used by Lorenz is the same one employed by a ransomware operation tracked as ThunderCrypt.
  • The group sells data stolen before encryption to other attackers to pressure victims into paying the ransom. It also sells access to a company's internal network to other cybercriminals.
  • If victims still refuse to pay after the stolen data is published as password-protected RAR archives, Lorenz posts the password for the leaked archives, giving the public access to the stolen files.

What to do?

Mitel fixed the vulnerability in early June, after releasing a remediation script for affected MiVoice Connect versions in April. Additionally, it is recommended that organizations scan their external appliances and web applications and avoid exposing critical assets directly to the internet. They should also configure PowerShell logging and off-site logging, and have a backup strategy ready.
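As an added example (not from the Cyware brief, Arctic Wolf's report, or Mitel), the following PowerShell enables the script-block, module and transcription logging the guidance refers to, using Microsoft's documented policy registry keys, and then reads the settings back for verification. The transcript share path is an assumed placeholder; run it from an elevated prompt.

```powershell
# Added example: enable PowerShell logging via the documented policy registry
# keys (the same keys Group Policy writes), then read the settings back.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: records the content of every script block executed
# (Microsoft-Windows-PowerShell/Operational, event ID 4104).
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1

# Module logging for all modules: records pipeline execution details (event ID 4103).
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'

# Transcription: full session transcripts written to a directory. The path is
# an assumed placeholder; point it at a share that is collected off-site so a
# wiped or encrypted host does not take its own evidence with it.
$transcriptDir = '\\LOGSERVER\PSTranscripts$'   # placeholder, not a real host
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' $transcriptDir 'String'

# Read the effective settings back so the change can be verified and recorded.
function Get-PowerShellLoggingState {
    $sbl = Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty "$base\ModuleLogging"      -ErrorAction SilentlyContinue
    $trn = Get-ItemProperty "$base\Transcription"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = $sbl.EnableScriptBlockLogging
        ModuleLogging      = $mod.EnableModuleLogging
        Transcription      = $trn.EnableTranscripting
        TranscriptDir      = $trn.OutputDirectory
    }
}
Get-PowerShellLoggingState | Format-List
```

To satisfy the off-site logging recommendation, forward the Microsoft-Windows-PowerShell/Operational channel (events 4103 and 4104) with Windows Event Forwarding or your SIEM agent, so the records survive if the host is later encrypted.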
Cyware Publisher