Ransomware attackers are abusing VoIP software to breach organizations
Unpatched Mitel MiVoice VOIP appliances are being hit
Ransomware attackers are abusing flaws in VoIP software to breach organizations and achieve initial access, researchers are warning.
Cybersecurity experts from Arctic Wolf Labs are warning about CVE-2022-29499, a remote code execution vulnerability found in Mitel MiVoice VOIP appliances, being used by the Lorenz threat actor to attack certain companies.
he researchers did not name any specific firms being targeted, but explained, "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," they explain. “Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment."
Issues patched
If the hackers are hunting for vulnerable Mitel VoIP products, then they seemingly have plenty of firms to choose from, with the devices used by organizations in critical sectors worldwide.
Mitel issued a patch for this vulnerability in early June 2022, which means threat actors are now after those firms who aren’t that diligent when it comes to keeping their systems up to date.
Should Lorenz successfully breach a target network, it will attempt to install the BitLocker ransomware onto the affected endpoints, the researchers further warned.
To keep safe, they recommend firms upgrade to MiVoice Connect Version R19.3, scan external appliances and web applications, do not expose critical assets directly to the internet, configure PowerShell logging, configure off-site logging, set up backups, and try their best to limit the blast radius of potential attacks.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Lorenz has previously been known as ThunderCrypt, researchers confirmed, also saying that it’s been active since at least December 2020. They usually go after high-profile targets, and their ransom demands are in hundreds of thousands of dollars.
- Here's our rundown of the best malware removal tools right now
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.