Ransomware Threat Actor Hacks into Corporate Network Through Mitel Phone System

14.09.22

Threat Intelligence Alerts

Researchers at Artic Wolf Labs have published a report detailing that a threat actor has hacked a corporate phone system, Mitel’s MiVoice Business, to gain access to an organisation’s network and deploy ransomware. The threat actor, Lorenz, primarily attacks victims with ransomware and is known for using the double-extortion technique of downloading data from the network before encrypting and threatening to release the data if the ransom not be paid. The report noted that the group mainly targeted small and medium businesses throughout the last quarter. The targeted phone system was likely easily found online.

The threat actor was able to make initial access to the victim’s network by hacking into a Mitel MiVoice VoIP device, a phone system that works by sending/receiving phone calls over the internet. Lorenz targeted a Mitel appliance sitting on the perimeter of the target’s network and exploited a known critical vulnerability (tracked as CVE-2022-29499) that allowed them to execute code remotely on the device and set up a system that would allow for repeated access to the network.

Once the Mitel device was exploited, the threat actors waited for around a month before continuing with further activity, but then continued attempting to gain further access into the victim’s network. They were able to gain access to login credentials, as well as discover all active TCP connections within the network, running instances of PowerShell, and search through compromised device directories for passwords. In the end, Lorenz gained credentials for two administrator accounts with local and domain admin privileges.

With access to the admin accounts, the threat actor could download FileZilla and exfiltrate data from the compromised network. Once a significant amount of data was stolen, a PowerShell script was run, encrypting the victim’s files. Thankfully, the malicious code contained a plaintext password, and the victim was able to decrypt almost 95% of the devices affected by the ransomware.

Mitel, the company that produces and manages the phone system exploited in this attack, released a security advisory about the critical vulnerability in March 2022.

Preventions:

If your organisation uses Mitel’s MiVoice Connect, which is on version 19.2 SP3 and earlier, it is highly recommended that you update the product as soon as possible. This can be done by following the steps in the security bulletin about this vulnerability.

Arctic Wolf Labs noted that critical assets should never be exposed directly to the internet and that if a device does not need to be on the perimeter of your network, then it should be removed. Their report also contained some indicators of compromise for this attack, including the threat actor’s IP addresses. If possible, set up systems to detect or block activity within your network from these addresses.

Ransomware can have a devastating impact on an organisation. Some of the best steps to take to stay protected against ransomware include:

Related Links:

https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ – Published September 12^th

https://www.bleepingcomputer.com/news/security/lorenz-ransomware-breaches-corporate-network-via-phone-systems/ – Published September 12^th