[MART] - Daily Diary #595 - Lorenz Ransomware Exploiting Phone Systems for Initial Access

ctas-mat at appgate.com ctas-mat at appgate.com
Thu Sep 15 21:36:15 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/15/2022 - Diary entry #595:

First spotted in 2021, Lorenz Ransomware is another Ransomware gang that operates using the double extortion technique. Like most human-driven ransomware, Lorenz infects organizations and moves laterally through the network, infecting as many systems as possible and stealing data before launching the ransomware.

When it was first spotted, Lorenz used an uncommon technique for extortion – instead of just publishing the stolen data, it first made it available for sale, to profit from other threat actors or competitors. Only if the data is not sold, do they release the data for everyone to download, in the format of password-protected RAR files.

Recently a new campaign of Lorenz ransomware was disclosed, using CVE-2022-29499 to get initial access into corporate networks. CVE-2022-29499 is a vulnerability in Mitel MiVoice Connect, an on-site business phone system used to centralize communication platforms. By exploiting this vulnerability, the threat actors can get a reverse shell and execute arbitrary commands through the appliance.

This incident illustrates the need of having isolated network perimeters inside corporations. Every system can eventually be abused, and having a segmented network is the only way to prevent threats from navigating through the network and spreading to other environments.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team


E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220915/5b0a9b21/attachment.htm>

More information about the MART mailing list