Security News
The operators behind the Lornenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.
The Lorenz ransomware gang is exploiting a vulnerability in Mitel VoIP appliances to break corporate networks. Threat hunters with cybersecurity firm Arctic Wolf Labs recently found that Lorenz - a prolific group that has been around since at least early 2021 and lately is primarily targeting SMBs in the US, China, and Mexico - used a vulnerability in a MiVoice VoIP appliance from Mitel to get into a victim's network before deploying Microsoft's BitLocker Drive Encryption tool to encrypt the data.
Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP application and using it as a springboard plant malware on targeted systems. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.
A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.
Hackers used a zero-day exploit on Linux-based Mitel MiVoice VOIP appliances for initial access in what is believed to be the beginning of a ransomware attack. Mitel VOIP devices are used by critical organizations in various sectors for telephony services and were recently exploited by threat actors for high-volume DDoS amplification attacks.