Lorenz Ransomware Intrusion: How a VoIP Vulnerability Was Leveraged for Initial Access
By Deeba Ahmed
According to researchers, the Lorenz ransomware variant targeted an unnamed organization by exploiting MiVoice Connect’s Mitel Service Appliance component.
IT security researchers at Arctic Wolf Labs have warned that attackers can exploit a flaw in widely used VoIP software to gain initial access to an organization’s corporate network.
Per their research, the Lorenz ransomware variant targeted an unnamed organization by exploiting MiVoice Connect’s Mitel Service Appliance component. The attackers reportedly used a remote code execution bug (CVE-2022-29499) to obtain a reverse shell.
CrowdStrike had previously reported the same zero-day in a blog post, explaining that exploitation of the Mitel vulnerability led to an attempted ransomware intrusion.
Mitel later patched the vulnerability. However, customers may not have heeded the company’s urging to apply the fix.
List of companies that Lorenz Ransomware gang claims to have targeted so far. (Image: Hackread.com from Lorenz Ransomware gang’s website)
According to Arctic Wolf’s report, the initial malicious activity originated from a Mitel appliance installed on the network perimeter. The ransomware operators exploited the bug described above and, after obtaining a reverse shell, used the Chisel tunneling tool to move into the network.
According to the researchers, the attackers waited a month after gaining initial access before performing lateral movement. They used FileZilla for data exfiltration and BitLocker for encryption. Finally, they deployed Lorenz ransomware on ESXi systems.
This indicates that threat actors increasingly target lesser-known or less-monitored assets to evade detection. Monitoring critical assets alone is therefore not enough; security teams must ensure that every internet-exposed device is properly secured to prevent malicious activity.
In their blog post, Arctic Wolf’s researchers warned that,
“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.”
Moreover, organizations should upgrade to MiVoice Connect Version R19.3, avoid exposing critical assets directly to the internet, scan web applications, and configure PowerShell logging. They should also maintain backups, configure off-site logging, and limit the blast radius of probable threats.