The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold in target environments for follow-on malicious activities.
Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021.
Calling it an “ever-evolving ransomware,” Cybereason noted that Lorenz “is believed to be a rebranding of the ‘.sZ40’ ransomware that was discovered in October 2020.”
The weaponization of Mitel VoIP appliances for ransomware attacks mirrors recent findings from CrowdStrike, which disclosed details of a ransomware intrusion attempt that leveraged the same tactic to achieve remote code execution against an unnamed target.
Mitel VoIP products are also a lucrative entry point given that nearly 20,000 such devices are exposed to the internet, as revealed by security researcher Kevin Beaumont, leaving them open to malicious attacks.
In one Lorenz ransomware attack investigated by Arctic Wolf, the threat actors weaponized the remote code execution flaw to establish a reverse shell and download the Chisel proxy utility.