The cybercriminals behind the Lorenz ransomware are exploiting a critical security flaw in the Mitel MiVoice VOIP solution to compromise corporate networks. Therefore, the telephony system is used for the initial access to the target infrastructure.
Security researchers at Arctic Wolf Labs noticed ransomware attacks exploiting the security flaw CVE-2022-29499 (Mitel MiVoice Connect). Although these incidents are not linked to a specific ransomware gang, Arctic Wolf Labs claims that these malicious activities are very similar to those usually carried out by the Lorenz gang.
According to them, the initial access on the compromised infrastructure comes from a Mitel device connected to the network and which is not protected against the CVE-2022-29499 vulnerability: “Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, which allows obtaining a reverse shell to then use Chisel as a tunneling tool to pivot in the environment.“.
Mitel products are very popular in business, and it is estimated that currently, there are at least 19,000 Mitel devices exposed on the internet, including in France, which can be targeted by attacks. In any case, this is what we can see by carrying out a search on Shodan. The good news is thatthere is an official patch which is available since June 2022and which came to replace a script that Mitel had proposed in April, while waiting for the patch.
The Lorenz ransomware gang has been active since at least December 2020 and targets businesses around the world, demanding hundreds of thousands of dollars in ransom each time. Beyond encrypting data during attacks, this gang has a habit of exfiltrating data as well, adding extra pressure and trying to convince the company to pay the ransom.
#Lorenz #ransomware #exploits #flaw #Mitel #system