Ransomware Gang Hacks VoIP for Initial Access


Threat actors exploited a vulnerability in a popular VoIP appliance to gain access to a victim’s corporate network, researchers have revealed.

A team at Arctic Wolf said that the unnamed organization was compromised by the Lorenz ransomware group. The attackers apparently targeted the Mitel Service Appliance component of MiVoice Connect, exploiting the remote code execution bug CVE-2022-29499 to obtain a reverse shell on the appliance.

The hackers then used Chisel, an open-source TCP tunnelling tool, to pivot from the appliance into the internal network.

After waiting almost a month following initial access, the group proceeded with lateral movement, data exfiltration via FileZilla, and encryption using BitLocker and Lorenz ransomware on ESXi systems.

Back in June, CrowdStrike wrote a blog detailing the Mitel vulnerability and a suspected ransomware intrusion attempt using the same CVE. Mitel has since patched this critical zero-day bug and urged all customers to apply the fix.

The case highlights the need for organizations to gain visibility and control over their entire distributed attack surface, Arctic Wolf argued.

“Monitoring just critical assets is not enough for organizations; security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices. Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection,” the vendor said.

“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.”
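One concrete way to act on that advice is to treat the VoIP appliance as a monitored asset in network telemetry: an appliance that normally only talks SIP, DNS and NTP should never open a tunnel to an Internet host on an arbitrary port, nor initiate SMB or RDP connections to internal servers. The script below is an added illustration, not code from Arctic Wolf, Mitel or the original article. The flow records, the appliance address (10.20.0.5), the internal range and the port allowlist are all constructed assumptions; a real deployment would take them from the site's own flow logs and from the vendor's documented port requirements.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (not from the Arctic Wolf report).
# Format: timestamp,src_ip,dst_ip,dst_port,protocol
SAMPLE_FLOWS = """\
2022-09-01T10:00:01Z,10.20.0.5,198.51.100.7,5061,tcp
2022-09-01T10:00:02Z,10.20.0.5,10.0.0.53,53,udp
2022-09-01T10:00:03Z,10.20.0.5,203.0.113.9,8080,tcp
2022-09-01T10:00:04Z,10.20.0.5,10.0.5.20,445,tcp
2022-09-01T10:00:05Z,10.1.1.10,10.0.5.20,445,tcp
2022-09-01T10:00:06Z,10.20.0.5,10.0.0.53,123,udp
2022-09-01T10:00:07Z,10.20.0.5,198.51.100.7,14000,udp
"""

# Assumed address of the VoIP appliance being monitored.
VOIP_APPLIANCES = {"10.20.0.5"}
# Assumed corporate address space; anything else is treated as Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed allowlist of what the appliance legitimately sends outbound:
# SIP/SIP-TLS, DNS, NTP, HTTPS (updates), plus a UDP range for RTP media.
EXPECTED_EGRESS_PORTS = {5060, 5061, 53, 123, 443}
RTP_UDP_RANGE = range(10000, 20001)
# Administrative protocols an appliance should never initiate towards
# internal hosts; seeing them indicates traffic tunnelled through it.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse the simple CSV flow format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def detect(flows):
    """Return alerts for flows that a VoIP appliance should never originate."""
    alerts = []
    for ts, src, dst, dport, proto in flows:
        if src not in VOIP_APPLIANCES:
            continue  # only appliance-originated traffic is in scope here
        if not is_internal(dst):
            expected = dport in EXPECTED_EGRESS_PORTS or (
                proto == "udp" and dport in RTP_UDP_RANGE
            )
            if not expected:
                alerts.append(Alert(ts, src, dst, dport,
                                    "unexpected egress port (possible reverse shell or tunnel)"))
        elif dport in ADMIN_PORTS:
            alerts.append(Alert(ts, src, dst, dport,
                                "appliance initiating admin protocol to internal host (possible pivot)"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run against the constructed sample, the script raises two alerts: the TCP connection from the appliance to an Internet host on port 8080, and the appliance opening SMB (445) to an internal server. The same SMB connection from an ordinary workstation (10.1.1.10) is ignored, which is the point: the rule is cheap precisely because it is scoped to a device whose legitimate behaviour is narrow and well known.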
