
Lorenz Ransomware Exploits Mitel VoIP Methods to Breach Enterprise Networks

by crpt os


The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold in target environments for follow-on malicious activity.

“Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” researchers from cybersecurity firm Arctic Wolf said in a report published this week.

“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment.”


Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.

Calling it an “ever-evolving ransomware,” Cybereason noted that Lorenz “is believed to be a rebranding of the ‘.sZ40’ ransomware that was discovered in October 2020.”

The weaponization of Mitel VoIP appliances for ransomware attacks mirrors recent findings from CrowdStrike, which disclosed details of a ransomware intrusion attempt that leveraged the same tactic to achieve remote code execution against an unnamed target.

Mitel VoIP products are also an attractive entry point: security researcher Kevin Beaumont found nearly 20,000 of these devices exposed to the internet, leaving them open to attack.

In one Lorenz ransomware attack investigated by Arctic Wolf, the threat actors weaponized the remote code execution flaw to establish a reverse shell and download the Chisel proxy utility.

This implies that the initial access was either facilitated with the help of an initial access broker (IAB) that’s in possession of an exploit for CVE-2022-29499 or that the threat actors have the ability to do so themselves.


What’s also notable is that the Lorenz group waited for almost a month after obtaining initial access to conduct post-exploitation actions, including establishing persistence by means of a web shell, harvesting credentials, network reconnaissance, privilege escalation, and lateral movement.

The compromise eventually culminated in the exfiltration of data using FileZilla, following which the hosts were encrypted using Microsoft’s BitLocker service, underscoring the continued abuse of living-off-the-land binaries (LOLBINs) by adversaries.

“Monitoring just critical assets is not enough for organizations,” the researchers said, adding “security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices.”

“Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection.”
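The recommendation above is to watch externally facing devices such as VoIP appliances, not just critical assets. The following is an added illustration (not code from Arctic Wolf or the article) of one such check: a perimeter VoIP appliance should only initiate connections to its SIP trunk provider and internal servers, so any other egress it starts, such as the reverse shell and Chisel tunnel described in the report, is worth an alert. The log format, IP addresses and allow-list are all constructed for the example.

```python
"""Flag egress connections initiated by a perimeter VoIP appliance.

The report says the intrusion began with a reverse shell and a Chisel tunnel
from a Mitel appliance on the perimeter. Such an appliance normally only
talks to its SIP trunk provider and to internal servers, so any other
connection it initiates is anomalous and worth alerting on.
"""
from ipaddress import ip_address, ip_network

# Constructed baseline for a hypothetical appliance; not real infrastructure.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {("203.0.113.10", 5061)}   # SIP trunk provider (constructed)
VOIP_APPLIANCE = "198.51.100.20"               # perimeter appliance IP (constructed)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed 'key=value' flow record into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def suspicious_egress(lines):
    """Return records where the appliance initiates a connection to an
    external host that is not on its allow-list."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f["src"] != VOIP_APPLIANCE or is_internal(f["dst"]):
            continue                      # not appliance-initiated, or internal
        if (f["dst"], f["dport"]) in ALLOWED_EXTERNAL:
            continue                      # expected SIP trunk traffic
        hits.append(f)
    return hits


# Constructed sample flow records, not real telemetry.
SAMPLE_FLOWS = [
    "ts=2022-03-01T10:00:00Z src=198.51.100.20 dst=203.0.113.10 dport=5061 proto=tcp",
    "ts=2022-03-01T10:00:05Z src=198.51.100.20 dst=10.0.0.5 dport=389 proto=tcp",
    "ts=2022-03-01T10:02:11Z src=198.51.100.20 dst=192.0.2.44 dport=443 proto=tcp",
    "ts=2022-03-01T10:03:40Z src=198.51.100.20 dst=192.0.2.44 dport=8080 proto=tcp",
    "ts=2022-03-01T10:04:00Z src=10.0.0.7 dst=192.0.2.44 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for hit in suspicious_egress(SAMPLE_FLOWS):
        print(f"ALERT appliance egress to {hit['dst']}:{hit['dport']} at {hit['ts']}")
```

Only the two connections from the appliance to the unlisted external host are flagged; the SIP trunk, the internal LDAP lookup and the workstation's own traffic are not.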




