
Lorenz Ransomware Gang Exploits Mitel VoIP Appliance Vulnerability in Attacks

The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in a Mitel MiVoice VoIP appliance for initial access into a victim’s network, cybersecurity firm Arctic Wolf reports.

Active since at least 2021, the Lorenz ransomware gang has been engaging in double-extortion activities: in addition to encrypting a victim’s files, the group exfiltrates data to pressure the victim into paying the ransom.

Last year, Lorenz was blamed for a cyberattack against electronic data interchange (EDI) provider Commport Communications. In 2022, the group was seen targeting small and medium businesses (SMBs) in the United States, China, and Mexico.

As part of a recent attack, Arctic Wolf Labs says, Lorenz exploited CVE-2022-29499, a remote code execution bug in MiVoice Connect, to gain a reverse shell to the victim’s network.

The observed tactics, tools, and procedures (TTPs) resemble those in a June report from CrowdStrike detailing a ransomware gang’s intrusion that exploited the same vulnerability.

After initial compromise, Lorenz deployed a copy of the open source TCP tunneling tool Chisel and used it to move laterally in the environment.

However, Arctic Wolf Labs notes that the threat actor waited about one month after compromising the Mitel device before performing any other malicious operations.

“We have medium confidence that the webshell was placed onto the device during the initial exploitation. This is based on no additional exploitation activity being observed upon returning to the Mitel device,” the cybersecurity firm notes.

Lorenz was seen using known tools to perform credential dumping and the follow-up network and domain enumeration activities. The gang then moved laterally using compromised credentials for two privileged administrator accounts, including one with domain admin privileges.

Prior to encrypting the victim’s files, the group exfiltrated data from the environment using the file-sharing application FileZilla. It then used the legitimate BitLocker tool to encrypt the victim’s files by executing a crafted file directly on the domain controller.

“Although Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz ransomware,” Arctic Wolf Labs says.

Organizations are advised to upgrade to Mitel MiVoice Connect version R19.3, which was released in July 2022 with patches for CVE-2022-29499.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
