A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.
The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf.
Lorenz Ransomware
The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.
This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.
After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.
VoIP Threats
According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."
The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told.
CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.
The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.
Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.
Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.
