The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks.
Arctic Wolf Labs security researchers spotted this new tactic after observing a significant overlap with Tactics, Techniques, and Procedures (TTPs) tied to ransomware attacks exploiting the CVE-2022-29499 bug for initial access, as Crowdstrike reported in June.
While these incidents weren’t linked to a specific ransomware gang, Arctic Wolf Labs was able to attribute similar malicious activity to the Lorenz gang with high confidence.
“Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” the security researchers revealed in a report published today.
“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment.”
This is an important addition to the gang’s arsenal, given that Mitel Voice-over-IP (VoIP) products are used by organizations in critical sectors worldwide (including government agencies), with over 19,000 devices currently exposed to attacks over the Internet, per security expert Kevin Beaumont.
Mitel has addressed the vulnerability by releasing security patches in early June 2022 after releasing a remediation script for affected MiVoice Connect versions in April.
Threat actors recently exploited other security flaws impacting Mitel devices in record-breaking DDoS amplification attacks.
Who is Lorenz?
The Lorenz ransomware group has been targeting enterprise organizations worldwide since at least December 2020, demanding hundreds of thousands of dollars in ransom from each victim.
Michael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz encryptor is the same as the one used by a previous ransomware operation known as ThunderCrypt.
This gang is also known for selling data stolen before encryption to other threat actors to pressure their victims into paying the ransom and selling access to its victims’ internal networks to other cybercriminals along with the stolen data.
If ransoms aren’t paid after leaking the stolen data as password-protected RAR archives, Lorenz also releases the password to access the leaked archives to provide public access to the stolen files.
In June 2021, Dutch cybersecurity firm Tesorion released a free Lorenz ransomware decryptor that can be used to recover some file types, including Office documents, PDF files, images, and videos.
The list of previous victims includes Hensoldt, a multinational defense contractor headquartered in Germany, and Canada Post, the primary postal operator in Canada.