The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in Mitel MiVoice VoIP appliance for initial access into a victim’s network, cybersecurity firm Arctic Wolf reports.
Active since at least 2021, the Lorenz ransomware gang has been engaging in double-extortion activities: in addition to encrypting a victim’s files, the group exfiltrates data to pressure the victim into paying the ransom.
Last year, Lorenz was blamed for a cyberattack against electronic data interchange (EDI) provider Commport Communications. In 2022, the group was seen targeting small and medium businesses (SMBs) in the United States, China, and Mexico.
As part of a recent attack, Arctic Wolf Labs says, Lorenz exploited CVE-2022-29499, a remote code execution bug in MiVoice Connect, to gain a reverse shell to the victim’s network.
The observed tactics, tools, and procedures (TTPs) resemble those in a June report from CrowdStrike detailing a ransomware gang’s intrusion that exploited the same vulnerability.
After initial compromise, Lorenz deployed a copy of the open source TCP tunneling tool Chisel and used it to move laterally in the environment.
However, Arctic Wolf Labs notes that the threat actor waited for about one month after compromising the Mitel device until performing any other malicious operations.
“We have medium confidence that the webshell was placed onto the device during the initial exploitation. This is based on no additional exploitation activity being observed upon returning to the Mitel device,” the cybersecurity firm notes.
Lorenz was seen using known tools to perform credential dumping and the follow-up network and domain enumeration activities. The gang then moved laterally using compromised credentials for two privileged administrator accounts, including one with domain admin privileges.
Prior to encrypting the victim’s files, the group exfiltrated data from the environment using the file-sharing application FileZIlla. It then used the legitimate BitLocker tool to encrypt the victim’s files, by executing a crafted file directly on the domain controller.
“Although Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz ransomware,” Arctic Wolf Labs says.
Organizations are advised to upgrade to Mitel MiVoice Connect version R19.3, which was released in July 2022 with patches for CVE-2022-29499.
Related: QNAP Warns of New ‘Deadbolt’ Ransomware Attacks Targeting NAS Users
Related: Mitel Devices Abused for DDoS Vector With Record-Breaking Amplification Ratio
Related: PetitPotam Vulnerability Exploited in Ransomware Attacks