Lorenz ransomware uses Mitel’s MiVoice Connect VoIP phones as a springboard
Attackers are currently exploiting a critical vulnerability in Mitel phone systems. Security updates are available.
A vulnerability in VoIP phones from Mitel’s MiVoice Connect series is currently being exploited as an entry point for the Lorenz ransomware. If such phones are in use in a company, admins should update the devices promptly and thus close the gap.
Security researchers from Arctic Wolf came across the attacks. In their report, they state that the attackers exploit a “critical” vulnerability (CVE-2022-29499) to gain a foothold in companies’ IT infrastructures. They are said to then wait around a month before unleashing the Lorenz ransomware.
Extortion
The malware is said to exfiltrate files to the attackers via the otherwise legitimate application FileZilla. Data on Windows systems is reportedly encrypted using BitLocker. Lorenz is said to handle the encryption of ESXi systems itself.
The group behind the malware then demands a ransom. Following the current ransomware trend, they threaten to publish the copied internal data in order to increase the pressure on victims.
Patch now!
In an advisory, the manufacturer states that MiVoice Connect (Mitel Service Appliances – SA 100, SA 400 and Virtual SA) is specifically affected by the vulnerability. Versions up to and including 14.2 and 19.2 SP3 are at risk. The manufacturer states that it has fixed the security problem in release 19.3. Anyone who cannot install the security update can use a script provided by the manufacturer as a temporary workaround to protect the system from attacks.
Admins should also check whether the systems really need to be publicly accessible from the Internet. Ultimately, this increases the attack surface and lets attackers target the phones directly. A security researcher found 19,000 such directly accessible systems using the Shodan search engine.