Ransomware attackers are abusing flaws in VoIP software to breach organizations and achieve initial access, researchers are warning.
Cybersecurity experts from Arctic Wolf Labs are warning about CVE-2022-29499, a remote code execution vulnerability in Mitel MiVoice VoIP appliances, used by the Lorenz threat actor to attack certain companies.
The researchers didn’t name any specific firms being targeted. “Initial malicious activity comes from a Mitel appliance sitting on the network perimeter,” they explained. “Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance element of MiVoice Connect, to secure a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment.”
If the hackers are looking for vulnerable Mitel VoIP products, they seemingly have a lot of firms to choose from, as the devices are used by organizations in critical sectors worldwide.
Mitel issued a patch for this vulnerability in early June 2022, which means threat actors are going after firms that aren’t diligent about keeping their systems updated.
Should Lorenz successfully breach a target network, it’ll try to install the BitLocker ransomware onto the affected endpoints, the researchers further warned.
To stay safe, they recommend firms upgrade to MiVoice Connect Version R19.3, scan external appliances and web applications, avoid exposing critical assets directly to the internet, configure PowerShell logging, configure off-site logging, create backups, and do their best to limit the blast radius of potential attacks.
Lorenz has previously been referred to as ThunderCrypt, researchers confirmed, also saying that it’s been active since at least December 2020. The group often goes after high-profile targets, and its ransom demands come in the thousands of dollars.
Via: BleepingComputer