Lorenz ransomware slips through VoIP phone vulnerability 

Arctic Wolf recently investigated a Lorenz ransomware attack that used a vulnerability in the Mitel MiVoice VoIP appliance (CVE-2022-29499) for initial access and Microsoft's BitLocker Drive Encryption for data encryption. Users of the VoIP solution should apply the security patches urgently.

Lorenz is a ransomware group that has been active since at least February 2021 and, like many ransomware groups, exfiltrates data from its target before encrypting the systems. In the most recent quarter, the group primarily targeted small and medium-sized businesses in the United States, but organizations in China and Mexico were also hit.

SMEs particularly affected

The Arctic Wolf investigation led to the following findings: the Arctic Wolf Labs team suspects that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect and gain initial access. The group then waited almost a month after gaining that access before conducting further activity.

During the attack, the Lorenz group exfiltrated data using the FileZilla FTP tool. The victim's data was then encrypted via BitLocker and with the Lorenz ransomware on ESXi. As the experts note, the group operated with a high level of operational security (OPSEC). The experts made further points:

  • Ransomware groups continue to use Living Off the Land binaries (LOLBins) and gain access to zero-day exploits.
  • Process and PowerShell logging can greatly assist in the appropriate response to an incident and may help decrypt encrypted files.
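To illustrate the second point, here is an added example (not code from Arctic Wolf or from the article) of a small triage pass over Windows process-creation and PowerShell script-block records. It flags the two behaviours the article describes, BitLocker being turned on with built-in tools (a LOLBin use) and an FTP client being launched, and it pulls out a 48-digit BitLocker recovery password if an operator passed one on the command line, which is the kind of logged detail that can later help with decryption. The field names follow the usual 4688 / 4104 event layout, but the records, hostnames and detection patterns are constructed for this example.

```python
"""
Added example, not from the Arctic Wolf report or the article: triage of
constructed Windows process-creation (4688) and PowerShell script-block
(4104) records for BitLocker enablement and FTP client launches.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


# Detection patterns (assumptions for illustration): BitLocker turned on via
# manage-bde.exe or the Enable-BitLocker cmdlet, and FileZilla being started.
RULES = {
    "bitlocker-enable": re.compile(
        r"(manage-bde(\.exe)?\s+-on\b|Enable-BitLocker\b)", re.I),
    "ftp-client-launch": re.compile(r"\bfilezilla(\.exe)?\b", re.I),
}

# A BitLocker numerical recovery password is 8 groups of 6 digits.
RECOVERY_PASSWORD = re.compile(r"\b(\d{6}(?:-\d{6}){7})\b")


def triage(records: Iterable[dict]) -> List[Finding]:
    """Return one Finding per (record, rule) match on the logged command text."""
    findings = []
    for rec in records:
        # 4688 carries CommandLine, 4104 carries ScriptBlockText.
        text = rec.get("CommandLine") or rec.get("ScriptBlockText") or ""
        for name, pattern in RULES.items():
            if pattern.search(text):
                findings.append(Finding(rec["Computer"], name, text.strip()))
    return findings


def extract_recovery_password(text: str) -> Optional[str]:
    """Return a 48-digit recovery password found in logged command text, if any."""
    match = RECOVERY_PASSWORD.search(text)
    return match.group(1) if match else None


# Constructed sample records; hostnames and command lines are made up.
SAMPLE_RECORDS = [
    {"EventID": 4688, "Computer": "fs01",
     "CommandLine": r"C:\Windows\System32\manage-bde.exe -on D: -RecoveryPassword "
                    r"111111-222222-333333-444444-555555-666666-777777-888888"},
    {"EventID": 4104, "Computer": "fs01",
     "ScriptBlockText": "Enable-BitLocker -MountPoint 'E:' -RecoveryPasswordProtector"},
    {"EventID": 4688, "Computer": "ws07",
     "CommandLine": r"C:\Program Files\FileZilla FTP Client\filezilla.exe"},
    {"EventID": 4688, "Computer": "ws07",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.host}: {f.rule}: {f.evidence}")
        pw = extract_recovery_password(f.evidence)
        if pw:
            print(f"  recovery password recorded in log: {pw}")
```

The point of the example is not the patterns themselves, which any operator will vary, but that the command text only exists to be searched if process command-line auditing and PowerShell script block logging were enabled before the incident.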

Users should update to MiVoice Connect version R19.3

Back in July 2022, Mitel released MiVoice Connect version R19.3, which completely fixes CVE-2022-29499. Arctic Wolf recommends upgrading to version R19.3 to prevent potential exploitation of this vulnerability. On April 19, 2022, Mitel provided a script for versions 19.2 SP3 and earlier and R14.x and earlier as a workaround ahead of the R19.3 release.

Arctic Wolf provides a detailed technical description on its blog.

More at Sophos.com

About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.
