Lorenz Ransomware Penetrates Company Networks through Mitel VoIP Products

Lorenz and Mitel ransomware

Security firm Arctic Wolf has warned that Lorenz ransomware is exploiting a critical vulnerability in Mitel MiVoice VoIP devices to infiltrate corporate networks.

Let me remind you that we also wrote that Ransomware publishes data stolen from Cisco.

Lorenz has been active since at least 2021 and is engaged in the usual double extortion: not only encrypting the files on the machines of its victims, but also stealing the data of the affected companies, and then threatening to release them if they do not receive a ransom.

Last year, the group was credited with an attack on the EDI provider Commport Communications, and this year, researchers have recorded Lorenz activity in the US, China and Mexico, where hackers attacked small and medium-sized businesses.

As Arctic Wolf analysts now report, the hack group is exploiting the CVE-2022-29499 vulnerability, discovered and patched in June 2022. This bug in Mitel MiVoice VoIP devices allows remote arbitrary code execution (RCE) and the creation of a reverse shell on the victim’s network.

Kevin Beaumont
Kevin Beaumont

Mitel VoIP solutions are used by organizations and governments in mission-critical sectors around the world. According to information security expert Kevin Beaumont, there are currently more than 19,000 devices open to attacks over the Internet.

Read also our article on Methods Hackers Use to Infect You Ransomware.

In general, Lorenz’s tactics are similar to those described in the report of the CrowdStrike company, which discovered this bug and monitored the ransomware that used it. So, after the initial compromise, Lorenz deploys a copy of the Chisel open-source tool for TCP tunneling on the affected company’s network and uses it to move sideways.

At the same time, Arctic Wolf experts note that after a Mitel device is compromised, hackers wait about a month, and only then begin to develop their attack further.

The researchers write that hackers use well-known and widely used tools to create a dump of credentials and subsequent reconnaissance. The grouping then begins lateral movement using compromised credentials (including those from a hacked domain administrator account).

Before encrypting the victim’s files, Lorenz steals information using the FileZIlla file-sharing application. BitLocker is used to encrypt the victim’s files afterwards.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *