The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in Mitel MiVoice VoIP appliance for initial access into a victim’s network, cybersecurity firm Arctic Wolf reports.
Active since at least 2021, the Lorenz ransomware gang has been engaging in double-extortion activities: in addition to encrypting a victim’s files, the group exfiltrates data to pressure the victim into paying the ransom.
Last year, Lorenz was blamed for a cyberattack against electronic data interchange (EDI) provider Commport Communications. In 2022, the group was seen targeting small and medium businesses (SMBs) in the United States, China, and Mexico.
As part of a recent attack, Arctic Wolf Labs says, Lorenz exploited CVE-2022-29499, a remote code execution bug in MiVoice Connect, to gain a reverse shell to the victim’s network.
The observed tactics, tools, and procedures (TTPs) resemble those in a June report from CrowdStrike detailing a ransomware gang’s intrusion that exploited the same vulnerability.
After initial compromise, Lorenz deployed a copy of the open source TCP tunneling tool Chisel and used it to move laterally in the environment.
However, Arctic Wolf Labs notes that the threat actor waited for about one month after compromising the Mitel device until performing any other malicious operations.
“We have medium confidence that the webshell was placed onto the device during the initial exploitation. This is based on no additional exploitation activity being observed upon returning to the Mitel device,” the cybersecurity firm notes.
Lorenz was seen using known tools to perform credential dumping and the follow-up network and domain enumeration activities. The gang then moved laterally using compromised credentials for two privileged administrator accounts, including one with domain admin privileges.
Prior to encrypting the victim’s files, the group exfiltrated data from the environment using the file-sharing application FileZIlla. It then used the legitimate BitLocker tool to encrypt the victim’s files, by executing a crafted file directly on the domain controller.
“Although Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz ransomware,” Arctic Wolf Labs says.
Organizations are advised to upgrade to Mitel MiVoice Connect version R19.3, which was released in July 2022 with patches for CVE-2022-29499.
Related: QNAP Warns of New ‘Deadbolt’ Ransomware Attacks Targeting NAS Users
Related: Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio
Related: PetitPotam Vulnerability Exploited in Ransomware Attacks
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
