Early backdoor implantation leveraged by Lorenz ransomware

BleepingComputer reports that the Lorenz ransomware operation exploited a critical Mitel telephony infrastructure vulnerability, tracked as CVE-2022-29499, to obtain initial access to the victim's network five months before beginning lateral movement, data theft, and system encryption. Although the victim organization applied the patch for the Mitel flaw, Lorenz had already implanted its backdoor a week before the security update was released, so patching alone did not evict the intruders, according to a report from global intelligence and cyber security consulting company S-RM. "They leveraged vulnerabilities within two Mitel PHP pages on a CentOS system on the network perimeter, which allowed them to retrieve a web shell from their own infrastructure and install it on the system," said S-RM. The five-month gap between initial network access and the eventual attack suggests that Lorenz may have purchased the access from an initial access broker. Lorenz "is actively returning to old backdoors, checking they still have access and using them to launch ransomware attacks," researchers added.
