Lorenz Ransomware Group Breach Enterprise Networks Using Their Phone Systems

Using Mitel’s MiVoice VOIP appliances as a means to access the corporate network of enterprises, the Lorenz ransomware gang is now using a critical vulnerability in the appliances to compromise the security of enterprises.

Security researchers from Arctic Wolf Labs have discovered this new tactic that is being used by hackers. While the researchers discovered that the CVE-2022-29499 vulnerability was exploited a lot in ransomware attacks that exploited the bug as an initial access method.

There was no particular ransomware gang that was linked to these incidents. The Lorenz gang was able to be attributed with high confidence by Arctic Wolf Labs to similar malicious activity with a high degree of certainty and precision.

A Mitel appliance on the network perimeter played a significant role in the initial malicious activity. A reverse shell was obtained by Lorenz by exploiting CVE-2022-29499 with the aim of pivoting into the environment using the Chisel.

“Once a reverse shell was established, the threat actors made use of the Mitel device’s command line interface (stcli) to create a hidden directory and proceeded to download a compiled binary of the open source TCP tunneling tool Chisel directly from Github via wget.”

The gang’s arsenal has been strengthened by the addition of the Mitel VoIP products, which are used in many critical sectors of the world. 

This represents an important addition to the gang’s arsenal. In the current state, security expert Kevin Beaumont estimates that more than 19,000 devices are at risk of being attacked.

Lorenz Ransomware Group

Since December 2020, the Lorenz ransomware group has been targeting enterprise organizations worldwide. Every victim is requested to pay a ransom of hundreds of thousands of dollars.

It is important to note that the Lorenz encryptor is the same one that was used by ThunderCrypt, which was previously used in ransomware operations.

As part of this gang’s crime spree, the data stolen from their victims before encryption is sold to other threat actors, as a means of controlling their victims.

The stolen data will be leaked as RAR archives with password protection if the ransom is not paid. To provide public access to the stolen files through the leaks, Lorenz also provides the password required to access the leaked archives.

You can find the IOCs here.

Recommendations

Here below we have mentioned all the recommendations recommended by the cybersecurity analysts:-

  • Upgrade to MiVoice Connect Version R19.3
  • Scan External Appliances and Web Applications
  • Do Not Expose Critical Assets Directly to the Internet
  • Configure PowerShell Logging
  • Configure Off-Site Logging
  • Make sure to take backups
  • Limit the Blast Radius of Potential Attacks

Download Free SWG – Secure Web Filtering –Free E-book

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.