A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.
The unnamed victim organization was hit by the Lorenz ransomware strain, according to a team at Arctic Wolf.
The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.
The gang is also known to hand access to its victims' internal systems to other threat actors, along with the data it steals before encryption, as further pressure on victims to pay the ransom.
If the ransom is not paid, Lorenz first leaks the stolen material as password-protected RAR archives and later publishes the password for those archives, giving the general public access to the files.
The attacks demonstrate a shift by threat actors toward using "lesser recognized or monitored assets" to gain access to networks and engage in additional criminal activity, the researchers added.
Following initial access, the attackers pivoted into the corporate network using the open-source TCP tunneling tool Chisel, then waited for over a month before moving laterally, exfiltrating data with FileZilla, and encrypting ESXi systems with BitLocker and the Lorenz ransomware.
This is a significant addition to the gang's toolkit: Mitel Voice-over-IP (VoIP) products are used by businesses in critical industries around the world, including government agencies, and according to security researcher Kevin Beaumont over 19,000 devices are currently exposed to attack over the Internet.
Other security flaws affecting Mitel devices have previously been exploited by threat actors to launch record-breaking DDoS amplification attacks. Since at least December 2020, the Lorenz ransomware group has been targeting enterprises all across the world, extorting hundreds of thousands of dollars from each victim.