Lorenz ransomware slips through VoIP phone vulnerability 

Lorenz ransomware slips through VoIP phone vulnerability

Share post

Arctic Wolf recently investigated a Lorenz ransomware attack that used a vulnerability in the Mitel MiVoice VoIP appliance (CVE-2022-29499) for first access and Microsoft's BitLocker Drive Encryption for data encryption. Users of the VoIO solution should urgently run the security patches.

Lorenz is a ransomware group that has been active since February 2021 at the latest and, like many ransomware groups, exfiltrates data from its attack target before encrypting the systems. In the most recent quarter, the group primarily targeted small and medium-sized businesses in the United States, but organizations in China and Mexico were also hit.


SMEs particularly affected

The Arctic Wolf investigation led to the following findings: The Arctic Wolf Labs team suspects that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access. Thereafter, the group waited almost a month after gaining initial access to conduct further activities.

During the actions, the Lorenz group exfiltrated data using the FileZilla FTP tool. The victim's data was then encrypted via BitLocker and Lorenz Ransomware on ESXi. As noted by the experts, the group proceeded with a high level of operational security (OPSEC). Experts made other points


  • Ransomware groups continue to use Living Off the Land binaries (LOLBins) and gain access to 0day exploits.
  • Process and PowerShell logging can greatly assist in the appropriate response to an incident and may help decrypt encrypted files.

Users should update to MiVoice Connect version R19.3

Back in July 2022, Mitel released MiVoice Connect version R19.3, which completely fixes CVE-2022-29499. Arctic Wolf recommend upgrading to version R19.3 to prevent potential exploitation of this vulnerability. On April 19, 2022, Mitel provided a script for versions 19.2 SP3 and earlier and R14.x and earlier as a workaround before the R19.3 release.

Artic Wolf provides a detailed technical description in his blog.

More at Sophos.com


About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1,6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2.000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.


Matching articles on the topic

Vulkan files: Russia's cyber army collects vulnerabilities

An evaluation of the Vulkan files by many media and journalists shows that Russia's secret services FSB, GRU and SWR commission domestic companies ➡ Read more

BSI: IT security check of medical practices

The Health Situation Report 2022 from the BSI shows: The security situation in the network of the telematics infrastructure (TI) is very secure thanks to strict specifications. ➡ Read more

VOIP/PBX software 3CX abused for sideloading attack

A trojanized version of the popular phone system VOIP/PBX software 3CX is currently making headlines. The business phone system is used by companies in 190 ➡ Read more

Cyber ​​attack on Helmholtz Zentrum München

As early as March 15, the Helmholtz Zentrum München could no longer be reached. A cyber attack paralyzed everything. ➡ Read more

Teamdrive with new version

The new version 5 of the cloud application TeamDrive is available for download. According to the manufacturer, TeamDrive 5 has over 50 new ones ➡ Read more

Ransomware: Attack on Schweizer Medienverlag and NZZ

The Neue Züricher Zeitung - NZZ reported an attack on their network a few days ago and was therefore unable to ➡ Read more

Report: IT leaders believe XDR is necessary

A new study underscores the uncertainty surrounding XDR definition, implementation and required resources. The ExtraHop report shows that 78 percent ➡ Read more

The risk situation is completely under control

Centralized monitoring and automated threat prevention across all network security and endpoint security products: With ThreatSync, WatchGuard now offers a comprehensive XDR solution as ➡ Read more