Initial access broker or ransomware gang has ‘exclusive’ access to Mitel zero-day exploit: report
Ransomware groups are continuing to target a vulnerability discovered earlier this year affecting popular Mitel MiVoice Connect VOIP devices, according to a new report from cybersecurity firm Arctic Wolf.
The company released a detailed breakdown of one incident involving the Lorenz ransomware group’s exploitation of CVE-2022-29499 – a vulnerability patched in April by Mitel after CrowdStrike researcher Patrick Bennett discovered the issue during a ransomware investigation.
Adrian Korn, manager of threat intelligence research at Arctic Wolf Labs, told The Record that what stood out about the attack his team examined was the fact that no public proof-of-concept (PoC) exploit code for this vulnerability has ever been released, “and there is very little known about which threat actors possess the exploit.”
Based on several overlaps, Korn said that the intrusions Arctic Wolf and CrowdStrike analyzed were perpetrated by the same actor.
“What was significant about this intrusion was that Lorenz was linked to the exploitation of CVE-2022-29499, a remote code execution (RCE) vulnerability affecting Mitel MiVoice Connect VOIP devices,” Korn explained.
“This suggests one of two things: 1. There is an Initial Access Broker (IAB) that has exclusive access to an exploit for CVE-2022-29499. 2. The actors behind Lorenz have exclusive access to an exploit for CVE-2022-29499.”
IABs are criminals who obtain access to compromised enterprise networks and then sell or hand off that access to ransomware crews or nation-state groups.
A Mitel spokesperson reiterated that the bug was quickly patched by the company and criticized the report for being “quite old and resolved news at this point.”
“Mitel addressed the vulnerability by releasing security patches in early June 2022 after releasing a remediation script for affected MiVoice Connect versions in April,” the spokesperson said.
Nearly 20,000 Mitel VoIP devices exposed
Arctic Wolf Labs said the Lorenz ransomware group exploited CVE-2022-29499 to gain initial access to a Mitel MiVoice Connect appliance, then waited nearly a month to take further action.
The Mitel appliance that was exploited was on the network’s perimeter and the access was parlayed into the theft of credentials for two privileged administrator accounts.
During the attack, the group used the privileged accounts to move laterally throughout the organization’s network and eventually exfiltrate data using FileZilla.
Lorenz emerged in February 2021. The Dutch cybersecurity firm Tesorion released a free application to help victims of the ransomware recover encrypted files without paying a ransom in June 2021.
That has done little to stop the group, which typically performs double-extortion after stealing troves of data.
“Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico,” the report said.
The company suggested a range of actions organizations should take to protect themselves, including implementing external scans that can tell whether critical assets are exposed to the internet.
Organizations should also have offline backups and limit access to privileged credentials.
“Monitoring just critical assets is not enough for organizations; security teams should monitor all externally facing devices for potential malicious activity, including VOIP and IoT [Internet of Things] devices. Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection,” Arctic Wolf said.
“In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VOIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.”
A search on Shodan shows that there are nearly 20,000 Mitel VoIP devices exposed to the internet, with almost 9,000 in the U.S. alone.
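The report's recommendations above boil down to one question a defender can answer from an asset inventory: which internet-exposed devices are not monitored or not remediated? The script below is an added example, not code from Arctic Wolf, Mitel or The Record; it reads a constructed CSV export (the column names, host names and categories are assumptions for illustration), lists the gaps with the worst first, and reports monitoring coverage per device class so that a perimeter VoIP or IoT box with no log forwarding stands out next to well-covered domain controllers and web servers.

```python
"""Coverage-gap check for externally facing assets.

Added example (not the vendor's or the researchers' code). Given an inventory
export, report internet-exposed devices that nobody monitors or that still lack
the vendor fix, which is the blind spot the Arctic Wolf report describes.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export; hostnames, categories and column names are
# assumptions, not values from any real environment.
SAMPLE_CSV = """\
name,category,internet_exposed,monitored,patched
dc01,dc,no,yes,yes
web01,web,yes,yes,yes
mivoice-edge,voip,yes,no,no
cam-lobby,iot,yes,no,yes
printer-2f,iot,no,no,yes
"""

# Higher number = fix first.
SEVERITY = {
    "unmonitored_exposed_unpatched": 3,
    "unmonitored_exposed": 2,
    "exposed_unpatched": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # e.g. "voip", "iot", "web", "dc"
    internet_exposed: bool
    monitored: bool        # logs forwarded / covered by EDR or NDR
    patched: bool          # current vendor remediation applied


def _flag(value: str) -> bool:
    """Accept the yes/no, true/false and 1/0 spellings common in CMDB exports."""
    return value.strip().lower() in {"yes", "true", "1"}


def load_inventory(csv_text: str) -> list[Asset]:
    """Parse a CSV export with the assumed column names into Asset records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Asset(
            row["name"].strip(),
            row["category"].strip().lower(),
            _flag(row["internet_exposed"]),
            _flag(row["monitored"]),
            _flag(row["patched"]),
        )
        for row in reader
    ]


def find_gaps(inventory: list[Asset]) -> list[tuple[str, str, int]]:
    """Return (name, gap_label, severity) for every exposed asset with a gap,
    highest severity first; internal-only hosts are out of scope here."""
    gaps = []
    for a in inventory:
        if not a.internet_exposed:
            continue
        if not a.monitored and not a.patched:
            label = "unmonitored_exposed_unpatched"
        elif not a.monitored:
            label = "unmonitored_exposed"
        elif not a.patched:
            label = "exposed_unpatched"
        else:
            continue
        gaps.append((a.name, label, SEVERITY[label]))
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def monitoring_coverage(inventory: list[Asset]) -> dict[str, float]:
    """Fraction of internet-exposed assets that are monitored, per category."""
    totals: dict[str, int] = {}
    covered: dict[str, int] = {}
    for a in inventory:
        if not a.internet_exposed:
            continue
        totals[a.category] = totals.get(a.category, 0) + 1
        if a.monitored:
            covered[a.category] = covered.get(a.category, 0) + 1
    return {cat: covered.get(cat, 0) / n for cat, n in totals.items()}


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_CSV)
    for name, label, sev in find_gaps(inv):
        print(f"[{sev}] {name}: {label}")
    for cat, frac in sorted(monitoring_coverage(inv).items()):
        print(f"{cat}: {frac:.0%} of exposed assets monitored")
```

Run against a real inventory export with the same columns, the output is a short fix-first list; anything in the `voip` or `iot` rows with 0% coverage is exactly the kind of perimeter device the report says attackers are drifting towards.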