Arctic Wolf recently investigated a Lorenz ransomware attack that used a vulnerability in the Mitel MiVoice VoIP appliance (CVE-2022-29499) for initial access and Microsoft's BitLocker Drive Encryption to encrypt data. Users of the VoIP solution should apply the security patches urgently.
Lorenz is a ransomware group that has been active since at least February 2021 and, like many ransomware groups, exfiltrates data from its target before encrypting the systems. In the most recent quarter, the group primarily targeted small and medium-sized businesses in the United States, but organizations in China and Mexico were also hit.
SMEs particularly affected
The Arctic Wolf investigation produced the following findings: the Arctic Wolf Labs team suspects that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect and gain initial access. The group then waited almost a month after gaining initial access before conducting further activity.
During the attack, the Lorenz group exfiltrated data using the FileZilla FTP client. The victim's data was then encrypted with BitLocker and with Lorenz ransomware on ESXi. As the experts note, the group operated with a high level of operational security (OPSEC). The experts also made the following points:
- Ransomware groups continue to use Living Off the Land binaries (LOLBins) and are gaining access to 0-day exploits.
- Process and PowerShell logging can greatly assist in responding appropriately to an incident and may help decrypt encrypted files.
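One way to put the logging point above to use, as an added example that is not part of Arctic Wolf's report or this article: a small Python triage routine run over constructed Windows process-creation (4688) and PowerShell script-block (4104) records. The host name, event shapes and the password literal are assumed sample values. It flags BitLocker being turned on via PowerShell or manage-bde and, where the script block logged a plaintext password protector, recovers that literal for the responder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the shape of Windows process-creation (4688,
# command line) and PowerShell script-block (4104) events; not logs from the incident.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "FS01", "text": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 4104, "host": "FS01", "text": "Get-ChildItem C:\\Shares | Measure-Object"},
    {"id": 4104, "host": "FS01",
     "text": "$p = ConvertTo-SecureString 'Xk9!placeholder' -AsPlainText -Force; "
             "Enable-BitLocker -MountPoint 'D:' -PasswordProtector -Password $p -SkipHardwareTest"},
    {"id": 4688, "host": "FS01", "text": r"C:\Windows\System32\manage-bde.exe -on E: -RecoveryPassword"},
]

# Commands that turn BitLocker on: routine on admin workstations, alarming on a file server.
BITLOCKER_ON = re.compile(r"Enable-BitLocker|manage-bde(?:\.exe)?\s+-on\b", re.IGNORECASE)
MOUNT_POINT = re.compile(r"(?:-MountPoint\s+['\"]?|manage-bde(?:\.exe)?\s+-on\s+)([A-Za-z]:)", re.IGNORECASE)
# A password protector built from a plaintext literal lands verbatim in the 4104 script block.
PLAINTEXT_PW = re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    mount_point: Optional[str]
    recovered_password: Optional[str]  # only set when the log captured a literal
    evidence: str


def find_bitlocker_activity(events):
    """Return one Finding per event that enables BitLocker via PowerShell or manage-bde."""
    findings = []
    for ev in events:
        if ev.get("id") not in (4103, 4104, 4688):  # module, script-block, process creation
            continue
        text = ev.get("text", "")
        if not BITLOCKER_ON.search(text):
            continue
        mp = MOUNT_POINT.search(text)
        pw = PLAINTEXT_PW.search(text)
        findings.append(Finding(ev.get("host", "?"), mp.group(1) if mp else None,
                                pw.group(1) if pw else None, text))
    return findings


if __name__ == "__main__":
    for f in find_bitlocker_activity(SAMPLE_EVENTS):
        print(f"{f.host}: BitLocker enabled on {f.mount_point}; "
              f"password captured in log: {f.recovered_password is not None}")
```

On the sample input the routine reports two events, one of which carries the password literal that script-block logging preserved; the benign svchost and Get-ChildItem records are ignored.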
Users should update to MiVoice Connect version R19.3
Back in July 2022, Mitel released MiVoice Connect version R19.3, which fully fixes CVE-2022-29499. Arctic Wolf recommends upgrading to version R19.3 to prevent potential exploitation of this vulnerability. On April 19, 2022, Mitel had already provided a script for versions 19.2 SP3 and earlier and R14.x and earlier as a workaround ahead of the R19.3 release.
Arctic Wolf provides a detailed technical description on its blog.
More at Sophos.com
About Arctic Wolf
Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides business-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.