Ransomware Gang Hacks VoIP for Initial Access


Threat actors exploited a vulnerability in a popular VoIP appliance to gain access to a victim’s corporate network, researchers have revealed.

A team at Arctic Wolf said that the unnamed organization was compromised by the Lorenz ransomware variant. The group apparently targeted the Mitel Service Appliance component of MiVoice Connect, via remote code execution bug CVE-2022-29499, to obtain a reverse shell.

The hackers then used open source TCP tunnelling tool Chisel to pivot into the network.

After waiting almost a month following initial access, the group proceeded with lateral movement, data exfiltration via FileZilla, and encryption: BitLocker on Windows hosts and the Lorenz ransomware on ESXi systems.

Back in June, CrowdStrike wrote a blog detailing the Mitel vulnerability and a suspected ransomware intrusion attempt using the same CVE. Mitel has since patched this critical zero-day bug and urged all customers to apply the fix.

The case highlights the need for organizations to gain visibility and control over their entire distributed attack surface, Arctic Wolf argued.

“Monitoring just critical assets is not enough for organizations; security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices. Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection,” the vendor said.

“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.”
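The intrusion chain above (a reverse shell from the appliance, then a Chisel tunnel out of it) shows up on the network as outbound connections from a VoIP appliance to infrastructure it has no business talking to. The following is an added illustration, not code from Arctic Wolf, Mitel or the article, of the kind of rule a team could run over flow logs to give such a device the monitoring the vendor recommends. The appliance address, the allowlisted SIP trunk provider, the internal ranges and the flow records are all constructed for the example.

```python
"""Flag outbound connections from a VoIP appliance to unexpected external hosts.

Added example: all addresses, ports and flow records below are constructed,
not taken from the Arctic Wolf report.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory (assumed values): the VoIP appliance's address, the
# SIP trunk provider it is expected to reach, and the organization's own ranges.
VOIP_APPLIANCES = {"10.20.5.10"}
ALLOWED_EXTERNAL = {"203.0.113.45"}               # SIP trunk provider (assumed)
VOIP_PORTS = {5060, 5061} | set(range(10000, 20001))  # SIP plus a typical RTP range
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: timestamp src dst dport proto bytes_out
SAMPLE_FLOWS = """\
2022-08-01T02:14:07Z 10.20.5.10 203.0.113.45 5060 udp 812
2022-08-01T02:14:09Z 10.20.5.10 198.51.100.77 443 tcp 48213
2022-08-01T02:15:11Z 10.20.5.10 198.51.100.77 8080 tcp 1930412
2022-08-01T02:16:00Z 10.20.5.10 10.20.1.5 389 tcp 2048
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow format used by SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto, int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows: list[Flow], tunnel_bytes: int = 1_000_000) -> list[dict]:
    """Return one alert per flow from a VoIP appliance to a non-allowlisted
    external host. Extra reasons are attached when the destination port is not
    a VoIP port (reverse shell / tunnel control channel) or when the outbound
    volume is large enough to suggest a tunnel or exfiltration."""
    alerts = []
    for f in flows:
        if f.src not in VOIP_APPLIANCES:
            continue
        if is_internal(f.dst) or f.dst in ALLOWED_EXTERNAL:
            continue
        reasons = ["unexpected external destination"]
        if f.dport not in VOIP_PORTS:
            reasons.append(f"non-VoIP port {f.dport}")
        if f.bytes_out >= tunnel_bytes:
            reasons.append(f"high outbound volume {f.bytes_out}B")
        alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                       "dport": f.dport, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run against the constructed records, the SIP traffic to the trunk provider and the internal LDAP connection pass, while the two connections to 198.51.100.77 are flagged: the first for an unexpected destination on a non-VoIP port, the second additionally for the volume a tunnel or staged exfiltration would produce. The thresholds and allowlist are the parts a team would tune to its own appliance inventory.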
