Timely patching is good, but sometimes it's not enough
Categories: News, Ransomware
Tags: Lorenz, ransomware, CVE-2022-29499, Mitel, backdoor, web shell
A recent case study showed once again that timely patching is important, but it's not a silver bullet for stopping ransomware.
The post Timely patching is good, but sometimes it's not enough appeared first on Malwarebytes Labs.
Posted: January 15, 2023
Ransomware gangs have shown that they can play a long game, so it shouldn’t come as a surprise to learn of one prepared to wait months to make use of a compromised system.
S-RM's Incident Response team shared details of a campaign attributed to the Lorenz ransomware group that exploited a vulnerability in a Mitel VoIP appliance (CVE-2022-29499) to plant a backdoor that was not used until months later.
Lorenz
The Lorenz ransomware group first appeared on the radar in 2021. It has targeted organizations all over the world and is known for using VoIP vulnerabilities to get into its victims' environments. Like many ransomware groups, Lorenz steals the victim's data before encrypting it, so the threat of a data leak is added to the threat of encrypted data that cannot be recovered.
Vulnerability
In this case, the researchers found that the Lorenz group exploited CVE-2022-29499 a week before the victim applied the patch for it. The vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component of Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation: an unauthenticated remote attacker can send specially crafted requests that inject commands and execute code on the appliance.
Exploited
After a vulnerability has been discovered and patched, it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is available, threat actors can reverse engineer it, find the vulnerability, build an exploit, and scan for systems that have not yet been updated. It's exactly this window of opportunity that the Lorenz ransomware group used to install a web shell on the vulnerable appliance. The web shell had a unique name and required credentials to use it.
The shell was placed some five months before the ransomware was deployed and sat dormant throughout that period. Whether the backdoor was planted by an Initial Access Broker (IAB) and later sold to the ransomware group, or whether the Lorenz group created it themselves, is unknown. But the result is the same.
Why wait?
Several theories can explain the time between the compromise and the deployment of the ransomware:
- The backdoor was planted by an IAB that waited for the right offer before selling access to the compromised system.
- When an easy-to-exploit vulnerability is available, a group will first compromise as many systems as it can and later work its way through the list of victims.
- During the initial breach the threat actor replaced several key artefacts on the perimeter CentOS system, effectively blocking the creation of any additional logging or audit data. Old logs are eventually deleted while no new ones are created, which improves the attacker's chances of staying undetected while they wait.
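The third theory above describes an attacker who silences an appliance's logging. A practical counter is to alert on the absence of telemetry, not only on its content. The block below is an added example, not code from the original article, Malwarebytes, S-RM or Mitel: it parses constructed syslog-style lines, flags inventoried hosts that have gone quiet or never report at all, and finds holes inside a host's own stream. The host names, log format, inventory and thresholds are assumptions made for the example.

```python
"""Flag hosts whose logging has stopped, and gaps inside a host's log stream.

Added example for this article, not code from Malwarebytes, S-RM or Mitel.
The syslog-style lines, host names and thresholds below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: the perimeter appliance 'mitel-sa' goes quiet after 03:00,
# 'fileserver' keeps logging but has a hole between 05:00 and 10:00, and
# 'voip-gw' is in the inventory yet never shows up at all.
SAMPLE_LOGS = """\
2022-07-01T01:00:00 mitel-sa sshd[812]: Accepted publickey for admin from 10.0.0.5
2022-07-01T02:00:00 mitel-sa cron[901]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T03:00:00 mitel-sa cron[955]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T01:00:00 fileserver cron[120]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T02:00:00 fileserver cron[121]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T03:00:00 fileserver cron[122]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T04:00:00 fileserver cron[123]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T05:00:00 fileserver cron[124]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T10:00:00 fileserver cron[129]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T11:00:00 fileserver cron[130]: (root) CMD (run-parts /etc/cron.hourly)
2022-07-01T12:00:00 fileserver cron[131]: (root) CMD (run-parts /etc/cron.hourly)
this line has no timestamp and is ignored
"""

# Constructed asset inventory and check parameters.
INVENTORY = {"mitel-sa", "fileserver", "voip-gw"}
NOW = datetime(2022, 7, 1, 12, 30)   # the moment the check runs
MAX_SILENCE = timedelta(hours=2)     # a host quiet longer than this is flagged
MAX_GAP = timedelta(hours=2)         # a hole longer than this inside a stream is flagged


def parse_lines(text):
    """Return (timestamp, host, message) tuples; lines without an ISO timestamp are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def last_seen(events):
    """Newest timestamp observed per host."""
    seen = {}
    for ts, host, _ in events:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(events, inventory, now, max_silence):
    """Inventoried hosts that never logged, or whose newest line is older than max_silence."""
    seen = last_seen(events)
    return sorted(h for h in inventory if h not in seen or now - seen[h] > max_silence)


def internal_gaps(events, host, max_gap):
    """(start, end) pairs of consecutive log lines from host that are further apart than max_gap."""
    times = sorted(ts for ts, h, _ in events if h == host)
    return [(prev, cur) for prev, cur in zip(times, times[1:]) if cur - prev > max_gap]


def telemetry_report(text, inventory, now, max_silence, max_gap):
    """Both checks in one report: hosts gone silent, and hosts with holes in their stream."""
    events = parse_lines(text)
    gaps = {host: internal_gaps(events, host, max_gap) for host in sorted(inventory)}
    return {
        "silent": silent_hosts(events, inventory, now, max_silence),
        "gaps": {host: g for host, g in gaps.items() if g},
    }


if __name__ == "__main__":
    report = telemetry_report(SAMPLE_LOGS, INVENTORY, NOW, MAX_SILENCE, MAX_GAP)
    print("hosts gone silent:", report["silent"])
    for host, gaps in report["gaps"].items():
        for start, end in gaps:
            print(f"{host}: no logs between {start} and {end}")
```

The inventory is what makes the check work: a host the SIEM has never heard of cannot be noticed as missing unless something outside the log stream says it should be there.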
Patching
Besides showing how important it is to patch in a timely fashion, this case shows that patching alone is not always enough.
This vulnerability claimed victims before a patch was available: it was found during the investigation of a suspected ransomware intrusion attempt, so at least one group was able to use it while it was still a zero-day.
The exploit details were published in June and the victim patched in July, but was compromised a week before patching. So the backdoor was planted between the release of the patch and its installation, the so-called "patch gap".
Monitoring
So, what else do we need to do when we patch a vulnerable system? It's a difficult question with no easy cure-all answer, but there are some pieces of advice we can give:
- Keep the patch gap as small as possible. We know it's not easy, but it helps a lot.
- Check vulnerable devices before and after patching for indicators of compromise (IOCs). IOCs may not always be available, but when a vulnerability is known to have been exploited you may be able to find published IOCs or work out where to look.
- Constant monitoring. If you didn't find the backdoor, make sure you have the capabilities to find the tools threat actors use for lateral movement, and to block the final payload (ransomware in this case).
- Look for unauthorized access or atypical behaviour originating from the recently patched device or system.
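The second recommendation, checking a device before and after patching for indicators of compromise, can be made concrete for the web shell case described above. The following is an added example, not code from the original article, Malwarebytes, S-RM or Mitel: it inventories a web root, compares it with a known-good file baseline, flags files whose modification time falls inside the exposure window, and greps for code that hands request parameters to a command sink. The web root layout, file names, baseline hashes and dates are constructed for the example; the appliance's real paths are not assumed.

```python
"""Hunt a web root for a web shell planted during the patch gap.

Added example for this article, not code from Malwarebytes, S-RM or Mitel.
File names, contents, baseline hashes and dates are constructed.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed exposure window: public exploit details to the victim's patch.
WINDOW_START = datetime(2022, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 7, 15, tzinfo=timezone.utc)

# Code that feeds request data straight into a command or code execution sink
# (PHP and Perl CGI idioms; a production hunt would use a broader rule set).
SUSPICIOUS = [
    re.compile(rb"\b(?:system|exec|passthru|shell_exec|popen|eval|assert)\s*\("
               rb"[^;]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"),
    re.compile(rb"\b(?:system|exec)\s*\([^;]*param\("),
]

# Constructed known-good files and the baseline (path -> sha256) derived from them.
INDEX_PHP = b"<?php echo 'Service Appliance'; ?>\n"
CONFIG_PHP = b"<?php $db_host = '127.0.0.1'; ?>\n"
BASELINE = {
    "index.php": hashlib.sha256(INDEX_PHP).hexdigest(),
    "config.php": hashlib.sha256(CONFIG_PHP).hexdigest(),
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root):
    """Map each file under root ('/'-separated relative path) to (sha256, mtime in UTC)."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
            found[rel] = (sha256_file(full), mtime)
    return found


def has_suspicious_content(path):
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # the first MiB is plenty for a web shell
    return any(pattern.search(data) for pattern in SUSPICIOUS)


def hunt(root, baseline, window_start, window_end):
    """Return sorted lists of unknown, modified, missing, in-window and suspicious files."""
    inv = inventory(root)
    report = {"unknown": [], "modified": [], "in_window": [], "suspicious": []}
    for rel, (digest, mtime) in inv.items():
        if rel not in baseline:
            report["unknown"].append(rel)       # file the baseline never had
        elif baseline[rel] != digest:
            report["modified"].append(rel)      # known file, different content
        if window_start <= mtime <= window_end:
            report["in_window"].append(rel)     # touched while the hole was open
        if has_suspicious_content(os.path.join(root, rel)):
            report["suspicious"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in inv]
    return {key: sorted(paths) for key, paths in report.items()}


def _write(root, rel, data, when):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.utime(full, (when.timestamp(), when.timestamp()))


def build_demo_root():
    """Constructed web root: one untouched file, one file changed by the later patch,
    and a credential-gated web shell dropped inside the exposure window."""
    root = tempfile.mkdtemp(prefix="webroot-")
    _write(root, "index.php", INDEX_PHP, datetime(2022, 1, 10, tzinfo=timezone.utc))
    _write(root, "config.php", b"<?php $db_host = '127.0.0.1'; $patched = true; ?>\n",
           datetime(2022, 7, 20, tzinfo=timezone.utc))
    _write(root, "upload/x.php",
           b"<?php if ($_POST['k'] === 'Secret') { system($_POST['c']); } ?>\n",
           datetime(2022, 6, 20, tzinfo=timezone.utc))
    return root


if __name__ == "__main__":
    for key, paths in hunt(build_demo_root(), BASELINE, WINDOW_START, WINDOW_END).items():
        print(f"{key:>10}: {paths}")
```

On a real appliance the baseline would come from a pre-exposure snapshot or from the vendor's package database (on an RPM-based system such as the CentOS appliance in this case, `rpm -Va` lists files whose contents no longer match the installed packages). An attacker who has root can also reset modification times, so the hash comparison is the check to trust and the mtime window is only a way to prioritise what to look at first.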
Related news
The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," researchers from cybersecurity firm Arctic Wolf said in a report
Lorenz Ransomware Intrusion: How a VoIP Vulnerability Was Leveraged for Initial Access (HackRead.com, by Deeba Ahmed): According to researchers, the Lorenz ransomware variant targeted an unnamed organization by exploiting MiVoice Connect's Mitel Service Appliance component.
The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.
Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.
A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment. The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown