The operators behind the Lornenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities.
“Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” researchers from cybersecurity firm Arctic Wolf said in a report published this week.
“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment.”
Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.
Calling it an “ever-evolving ransomware,” Cybereason noted that Lorenz “is believed to be a rebranding of the ‘.sZ40’ ransomware that was discovered in October 2020.”
The weaponization of Mitel VoIP appliances for ransomware attacks mirrors recent findings from CrowdStrike, which disclosed details of a ransomware intrusion attempt that leveraged the same tactic to achieve remote code execution against an unnamed target.
Mitel VoIP products are also a lucrative entry point in light of the fact that there are nearly 20,000 internet-exposed devices online, as revealed by security researcher Kevin Beaumont, rendering them vulnerable to malicious attacks.
In one Lorenz ransomware attack investigated by Arctic Wolf, the threat actors weaponized the remote code execution flaw to establish a reverse shell and download the Chisel proxy utility.
This implies that the initial access was either facilitated with the help of an initial access broker (IAB) that’s in possession of an exploit for CVE-2022-29499 or that the threat actors have the ability to do so themselves.
What’s also notable is that the Lorenz group waited for almost a month after obtaining initial access to conduct post-exploitation actions, including establishing persistence by means of a web shell, harvesting credentials, network reconnaissance, privilege escalation, and lateral movement.
The compromise eventually culminated in the exfiltration of data using FileZilla, following which the hosts were encrypted using Microsoft’s BitLocker service, underscoring the continued abuse of living-off-the-land binaries (LOLBINs) by adversaries.
“Monitoring just critical assets is not enough for organizations,” the researchers said, adding “security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices.”
“Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection.”