Researchers are warning that ransomware operators are exploiting flaws in VoIP software to breach organizations and gain initial access.
Cybersecurity experts at Arctic Wolf Labs report that CVE-2022-29499, a remote code execution vulnerability in Mitel MiVoice Connect VoIP appliances, is being used by the Lorenz threat actor to attack businesses.
"Initial malicious activity originated from a Mitel appliance on the network perimeter," the researchers add. "CVE-2022-29499, a remote code execution vulnerability that impacted the Mitel Service Appliance component of MiVoice Connect, was exploited to obtain a reverse shell, and Chisel was then used as a tunneling tool to pivot into the environment."
Attackers hunting for vulnerable Mitel VoIP appliances have no shortage of targets: the devices are used by organizations in critical sectors worldwide.
Mitel issued a patch for this vulnerability in early June 2022, which means the threat actors are now going after companies that have not been diligent about keeping their systems up to date.
Once inside, Lorenz attempts to encrypt the target network, according to the researchers, abusing BitLocker (Windows' built-in drive encryption) on affected endpoints rather than relying solely on a custom encryptor.
The researchers recommend that firms upgrade to MiVoice Connect Version R19.3, scan their external appliances and web applications, avoid exposing critical assets directly to the internet, configure PowerShell logging, configure off-site logging, set up backups, and do their best to minimize the potential blast radius of a compromised perimeter device.
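The "configure PowerShell logging" recommendation above is the one a defender can act on in minutes, so here is an added example of what it means in practice. This script is not from Arctic Wolf's report or from Mitel; it sets the same registry-backed policy values that the Group Policy settings under Windows Components > Windows PowerShell control. The transcript output path is an assumed location.

```powershell
# Added example (not from the Arctic Wolf report): enable the three PowerShell
# logging sources defenders rely on to see post-exploitation activity such as
# reverse-shell and tunnelling commands. Run in an elevated PowerShell session.
# These are the registry keys written by the corresponding Group Policy settings.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; pick a protected, monitored share

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: records the content of every script block executed
#    (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), including the
#    de-obfuscated form of encoded or string-built commands.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for all modules: pipeline execution details (Event ID 4103).
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: a full text transcript of every interactive session, written
#    to a directory that users can write to but not read back.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'

# Show the policy values now in force.
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription"
```

The 4103 and 4104 events land in the Microsoft-Windows-PowerShell/Operational log on each host; forwarding that log (and the transcript directory) with Windows Event Forwarding or an agent is what turns this into the off-site logging the researchers also call for, so that an attacker who reaches the endpoint cannot simply clear the evidence.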
Researchers say Lorenz is believed to be a rebrand of the group previously known as ThunderCrypt and has been active since at least December 2020. The group typically goes after high-profile organizations, and its ransom demands run to hundreds of thousands of dollars.