Chris Swagler | September 20th, 2022

The Lorenz ransomware group is exploiting a critical vulnerability in Mitel’s MiVoice VoIP appliance to breach companies, using their phone systems as the initial access point into their networks before carrying out double-extortion attacks. Threat hunters discovered the new tactic after noticing a significant overlap with Tactics, Techniques, and Procedures (TTPs) connected to ransomware attacks that exploited the CVE-2022-29499 bug to gain initial access. Even though the incidents weren’t directly connected to a specific ransomware group, there are similarities in the malicious activity linking them to the Lorenz group.

The security researchers revealed that the malicious activity originated from a Mitel appliance sitting on the network perimeter. The Lorenz ransomware group will wait a month after breaching a network before launching additional ransomware activities. When the threat actors return to the Mitel device, they interact with a web shell called “pdf import export.php.” Lorenz obtains a reverse shell by exploiting CVE-2022-29499, a remote code execution vulnerability affecting the Mitel Service Appliance component of MiVoice Connect, and uses Chisel as a tunneling tool to pivot into the environment. Additionally, the group creates a hidden directory using the Mitel device’s command line interface and downloads a compiled binary of the Chisel proxy utility.

The threat actors rename the Chisel binary to “mem,” unzip it, and execute it so that it connects back to a Chisel server listening at hxxps[:/]137.184.181[.]252[:]8443. Lorenz bypassed TLS certificate verification by converting the client into a SOCKS proxy. Once on the network, Lorenz obtains credentials for two privileged administrator accounts, one with local admin privileges and the other with domain admin privileges, then moves laterally through the environment using Remote Desktop Protocol (RDP) and on to a domain controller. The group uses FileZilla to exfiltrate data for double-extortion purposes before encrypting files with Lorenz ransomware on ESXi.

The attacks demonstrate a trend of threat actors using lesser-known and under-monitored devices to gain access to networks and conduct further malicious activity while avoiding detection. In today’s landscape, numerous companies monitor critical assets such as domain controllers and web servers, but tend to leave VoIP and Internet of Things (IoT) devices unmonitored, allowing threat actors to gain access to environments without being detected. According to researchers, the activity highlights how important it is for companies to monitor all external-facing devices, including VoIP and IoT devices, for potential malicious activity.

Since December 2020, the Lorenz ransomware group has been targeting companies worldwide with double-extortion tactics, exfiltrating victims’ data and threatening to expose it online if they refuse to pay the ransom demand. If victims don’t pay, the stolen data is leaked as password-protected RAR archives; Lorenz then releases the password for the leaked archives, allowing public access to the stolen files. Recently, the ransomware group has been targeting small and medium-sized businesses (SMBs) in the United States.

According to a security expert, Mitel VoIP products are used by organizations in critical sectors worldwide, including government agencies, with over 19,000 devices vulnerable to internet-based attacks. Mitel addressed the vulnerability by issuing security patches in early June 2022, following the April release of a remediation script for affected MiVoice Connect versions. Recently, threat actors used other security vulnerabilities in Mitel devices to launch massive DDoS amplification attacks.

With ransomware groups looking for new ways to breach corporate networks, including through phone systems, it’s important for high-profile companies to always remain alert to the current threat landscape and regularly update their network security infrastructure to prevent potential cyberattacks. At SpearTip, our advisory services allow our certified engineers to assess technology and internal personnel to discover blind spots in companies that can lead to significant compromises.

With a firewall review, our engineers, along with a skilled penetration tester, analyze the configurations and interactions of a company’s network infrastructure and discover vulnerabilities in firewall systems; by providing visibility of actual network gaps, this allows companies to dedicate their valuable resources to evaluating and prioritizing fixes. ShadowSpear Threat Hunting is a pre-breach step in which our engineers evaluate the effectiveness of current security measures, including phone systems, to determine the overall health of an environment and prevent breaches.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.