BleepingComputer reports that the Lorenz ransomware group is gaining initial access to enterprise networks by exploiting a critical Mitel MiVoice VOIP vulnerability, tracked as CVE-2022-29499.
This attack approach was discovered by Arctic Wolf Labs researchers after they noticed significant overlap in tactics, techniques, and procedures with other ransomware attacks reported by CrowdStrike in June that also exploited the flaw.
"Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunneling tool to pivot into the environment," said researchers.
Security patches for the flaw were issued by Mitel in June, following the April release of a MiVoice Connect remediation script. Numerous enterprises have already been targeted by the Lorenz ransomware gang since December 2020, with ID Ransomware's Michael Gillespie noting similarities between the operation's encryptor and the one used by the now-defunct ThunderCrypt ransomware operation.
Mitel VOIP devices exploited in new Lorenz ransomware attacks