Security
Headlines
HeadlinesLatestCVEs

Headline

Lorenz Ransomware Exploit Mitel VoIP Systems to Breach Business Networks

The operators behind the Lornenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. “Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” researchers from cybersecurity firm Arctic Wolf said in a report

The Hacker News
#vulnerability#web#microsoft#rce#The Hacker News

The operators behind the Lornenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities.

“Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” researchers from cybersecurity firm Arctic Wolf said in a report published this week.

“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment.”

Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.

Calling it an “ever-evolving ransomware,” Cybereason noted that Lorenz “is believed to be a rebranding of the ‘.sZ40’ ransomware that was discovered in October 2020.”

The weaponization of Mitel VoIP appliances for ransomware attacks mirrors recent findings from CrowdStrike, which disclosed details of a ransomware intrusion attempt that leveraged the same tactic to achieve remote code execution against an unnamed target.

Mitel VoIP products are also a lucrative entry point in light of the fact that there are nearly 20,000 internet-exposed devices online, as revealed by security researcher Kevin Beaumont, rendering them vulnerable to malicious attacks.

In one Lorenz ransomware attack investigated by Arctic Wolf, the threat actors weaponized the remote code execution flaw to establish a reverse shell and download the Chisel proxy utility.

This implies that the initial access was either facilitated with the help of an initial access broker (IAB) that’s in possession of an exploit for CVE-2022-29499 or that the threat actors have the ability to do so themselves.

What’s also notable is that the Lorenz group waited for almost a month after obtaining initial access to conduct post-exploitation actions, including establishing persistence by means of a web shell, harvesting credentials, network reconnaissance, privilege escalation, and lateral movement.

The compromise eventually culminated in the exfiltration of data using FileZilla, following which the hosts were encrypted using Microsoft’s BitLocker service, underscoring the continued abuse of living-off-the-land binaries (LOLBINs) by adversaries.

“Monitoring just critical assets is not enough for organizations,” the researchers said, adding “security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices.”

“Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related news

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

Timely patching is good, but sometimes it's not enough

Categories: News Categories: Ransomware Tags: Lorenz Tags: ransomware Tags: CVE-2022-29499 Tags: Mitel Tags: backdoor Tags: web shell A recent case-study showed once again that timely patching is important, but it's not a silver bullet for stopping ransomware. (Read more...) The post Timely patching is good, but sometimes it's not enough appeared first on Malwarebytes Labs.

Lorenz Ransomware Intrusion: How a VoIP Vulnerability Was Leveraged for Initial Access

By Deeba Ahmed According to researchers, the Lorenz ransomware variant targeted an unnamed organization by exploiting MiVoice Connect’s Mitel Service Appliance component. This is a post from HackRead.com Read the original post: Lorenz Ransomware Intrusion: How a VoIP Vulnerability Was Leveraged for Initial Access

Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems

The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.

CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an

Mitel VoIP Bug Exploited in Ransomware Attacks

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Hackers Exploit Mitel VoIP Zero-Day Bug to Deploy Ransomware

A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment. The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.