Lorenz ransomware slips through VoIP phone vulnerability 

Arctic Wolf recently investigated a Lorenz ransomware attack that used a vulnerability in the Mitel MiVoice VoIP appliance (CVE-2022-29499) for initial access and Microsoft's BitLocker Drive Encryption for data encryption. Users of the VoIP solution should urgently apply the security patches.

Lorenz is a ransomware group that has been active since February 2021 at the latest and, like many ransomware groups, exfiltrates data from its attack target before encrypting the systems. In the most recent quarter, the group primarily targeted small and medium-sized businesses in the United States, but organizations in China and Mexico were also hit.

SMEs particularly affected

The Arctic Wolf investigation led to the following findings: the Arctic Wolf Labs team suspects that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect and gain initial access. The group then waited almost a month after gaining initial access before conducting further activities.

During these actions, the Lorenz group exfiltrated data using the FileZilla FTP tool. The victim's data was then encrypted via BitLocker on Windows systems and via Lorenz ransomware on ESXi. As noted by the experts, the group operated with a high level of operational security (OPSEC). The experts also made the following points:

  • Ransomware groups continue to use Living Off the Land binaries (LOLBins) and gain access to zero-day exploits.
  • Process and PowerShell logging can greatly assist in the appropriate response to an incident and may help decrypt encrypted files.
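As an added example (not from the Arctic Wolf report or from this article), the following Python script shows what the logging point above buys a responder: it runs two defender-side rules over constructed process-creation and PowerShell script-block log lines and flags the FileZilla and BitLocker activity the article attributes to this intrusion, so an analyst can see on which hosts and at what time the encryption was switched on. The log format, hostnames, timestamps and command lines are constructed assumptions, not data from the case.

```python
"""Added example: scan constructed process-creation and PowerShell
script-block log lines for the tooling the article attributes to the
Lorenz intrusion (FileZilla for exfiltration, BitLocker for encryption).
Log format and all sample values are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Constructed sample log lines. Assumed format: timestamp|source|host|detail
SAMPLE_LOGS = [
    "2022-06-01T09:00:00Z|Sysmon/1|WS07|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE CommandLine=OUTLOOK.EXE",
    "2022-06-02T01:12:04Z|Sysmon/1|SRV01|Image=C:\\Program Files\\FileZilla FTP Client\\filezilla.exe CommandLine=filezilla.exe",
    "2022-06-02T03:40:19Z|PowerShell/4104|SRV01|ScriptBlockText=Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector",
    "2022-06-02T03:41:02Z|Sysmon/1|SRV02|Image=C:\\Windows\\System32\\manage-bde.exe CommandLine=manage-bde -on D: -RecoveryPassword",
    "2022-06-02T03:45:30Z|Sysmon/1|SRV02|Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

# Defender-side rules: rule name -> case-insensitive pattern over the detail field.
# manage-bde -on and Enable-BitLocker are the built-in ways to turn BitLocker on;
# an unexpected FTP client on a server is worth a look in the exfiltration window.
RULES = {
    "bitlocker-enable": re.compile(r"manage-bde(\.exe)?\s+-on|Enable-BitLocker", re.IGNORECASE),
    "ftp-client-exec": re.compile(r"filezilla|\bftp\.exe\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split one log line into its four fields; return None for malformed input."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def scan(lines):
    """Run every rule over every parseable line and collect the matches in log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _source, host, detail = parsed
        for name, pattern in RULES.items():
            if pattern.search(detail):
                findings.append(Finding(ts, host, name, detail))
    return findings


def hosts_with_bitlocker_enable(findings):
    """Hosts on which BitLocker was switched on, sorted for a stable report."""
    return sorted({f.host for f in findings if f.rule == "bitlocker-enable"})


def first_bitlocker_enable(findings):
    """Earliest BitLocker enablement: the point a responder uses to bound the encryption phase."""
    hits = [f for f in findings if f.rule == "bitlocker-enable"]
    return min(hits, key=lambda f: f.timestamp) if hits else None


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"{f.timestamp} {f.host} {f.rule}: {f.detail}")
    print("BitLocker enabled on:", hosts_with_bitlocker_enable(results))
```

Over the constructed sample the script reports the FileZilla start on SRV01 and BitLocker being switched on from a PowerShell script block on SRV01 and via manage-bde on SRV02; the Outlook and svchost lines produce no findings. The rules deliberately key on the command lines rather than on file hashes, since both BitLocker tools are legitimate Windows binaries and the value of the logs lies in knowing when and where they were invoked.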

Users should update to MiVoice Connect version R19.3

Back in July 2022, Mitel released MiVoice Connect version R19.3, which completely fixes CVE-2022-29499. Arctic Wolf recommends upgrading to version R19.3 to prevent potential exploitation of this vulnerability. On April 19, 2022, before the R19.3 release, Mitel had provided a script for versions 19.2 SP3 and earlier and R14.x and earlier as a workaround.

Arctic Wolf provides a detailed technical description on its blog.

More at Sophos.com


About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.
