Lorenz Ransomware Intrusion: How a VoIP Vulnerability Was Leveraged for Initial Access

The IT security researchers at Arctic Wolf Labs have issued a warning that attackers could exploit a flaw in a widely used VoIP software to gain initial access to an entity’s corporate network.

Per their research, the Lorenz ransomware variant targeted an unnamed organization by exploiting MiVoice Connect’s Mitel Service Appliance component. Attackers reportedly utilized a remote code execution bug (CVE-2022-29499) to get a reverse shell.

The same zero-day bug was previously reported by CrowdStrike in their blog post, explaining that this bug was used along with the Mitel vulnerability, leading to a ransomware intrusion attempt.

Mitel later patched the vulnerability. However, customers possibly didn’t pay heed to the company’s urges to implement the fix.

List of companies that Lorenz Ransomware gang claims to have targeted so far. (Image: Hackread.com from Lorenz Ransomware gang’s website)

Arctic Wolf’s report read that initial malicious activity emerged from a Mitel appliance installed on the network perimeter. The ransomware operators exploited the abovementioned bug, and after obtaining a reverse shell, they used the Chisel tunneling tool to infiltrate the network.

According to researchers, the attackers waited a month after gaining initial access and then performed lateral movement. They utilized FileZilla for data exfiltration and performed encryption through BitLocker. Lastly, they launched Lorenz ransomware on ESXi systems.

This indicates that threat actors increasingly target lesser-known/monitored assets to evade detection. Hence, monitoring critical assets isn’t enough in this scenario, and security teams must make sure all internet-exposed devices are secured properly to prevent malicious activity.

More VoIP Security News

1. Two backdoors detected in Auerswald VoIP system
2. Hackers actively compromising VoIP phone system for monetization
3. Canadian firm VoIP.ms hit by non-stop extortion-based DDoS attacks
4. CDRThief malware targets Linux VoIP softwitches to steal call records
5. REvil ransomware gang hits UK ITSPs with extortion-based DDoS attacks

In their blog post, Arctic Wolf’s researchers warned that,

“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.”

Moreover, organizations must upgrade to MiVoice Connect Version R19.3, avoid exposing critical assets to the internet directly, scan web apps, and configure PowerShell logging. They must mandatorily set backups, configure off-site logging, and limit the blast radius of probable threats.

More Ransomware News

1. Lessons from the Holy Ghost Ransomware Attacks
2. LockBit ransomware gang blames victim for DDoS attack on its website
3. Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US
4. GoodWill Ransomware demands food for the poor to decrypt locked files
5. PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks