Ransomware attackers are abusing flaws in VoIP software to breach organizations and achieve initial access, researchers are warning.
Cybersecurity experts from Arctic Wolf Labs are warning about CVE-2022-29499, a remote code execution vulnerability found in Mitel MiVoice VOIP (opens in new tab) appliances, being used by the Lorenz threat actor to attack certain companies.
he researchers did not name any specific firms being targeted, but explained, “Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” they explain. “Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment.”
Issues patched
If the hackers are hunting for vulnerable Mitel VoIP products, then they seemingly have plenty of firms to choose from, with the devices used by organizations in critical sectors worldwide.
Mitel issued a patch for this vulnerability in early June 2022, which means threat actors are now after those firms who aren’t that diligent when it comes to keeping their systems up to date.
Should Lorenz successfully breach a target network, it will attempt to install the BitLocker ransomware (opens in new tab) onto the affected endpoints, the researchers further warned.
To keep safe, they recommend firms upgrade to MiVoice Connect Version R19.3, scan external appliances and web applications, do not expose critical assets directly to the internet, configure PowerShell logging, configure off-site logging, set up backups, and try their best to limit the blast radius of potential attacks.
Lorenz has previously been known as ThunderCrypt, researchers confirmed, also saying that it’s been active since at least December 2020. They usually go after high-profile targets, and their ransom demands are in hundreds of thousands of dollars.
Via: BleepingComputer (opens in new tab)
