Early backdoor implantation leveraged by Lorenz ransomware
BleepingComputer reports that the Lorenz ransomware operation exploited a critical Mitel telephony infrastructure vulnerability, tracked as CVE-2022-29499, to obtain initial access to the victim's network five months prior to commencing lateral movement, data theft, and system encryption activities.
The victim organization did apply the patch for the Mitel flaw, but Lorenz had already implanted the backdoor a week before the security update was released, according to a report from global intelligence and cyber security consulting company S-RM.
"They leveraged vulnerabilities within two Mitel PHP pages on a CentOS system on the network perimeter, which allowed them to retrieve a web shell from their own infrastructure and install it on the system," said S-RM.
The five-month gap between initial network access and the eventual attack suggests that Lorenz ransomware may have secured network access from a broker.
Lorenz "is actively returning to old backdoors, checking they still have access and using them to launch ransomware attacks," researchers added.
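The practical lesson of this case is that patching the Mitel flaw did nothing about the web shell that was already sitting on the perimeter host, so a patch should be followed by a hunt for files the patch did not account for. The script below is an added example, not code from the article, S-RM or Mitel: it hashes a web root against a baseline manifest taken before the suspected intrusion window, reports files that are new or changed since then, and flags PHP files in which request data flows into an execution sink. The web-root layout, the baseline, and the file contents are constructed fixtures; the sink/source pattern is a constructed heuristic to be tuned per environment.

```python
"""Post-patch web-shell hunt: integrity diff plus a content heuristic.

Added example (not from the article, S-RM or Mitel). Assumes a Linux
web root and a baseline manifest captured before the intrusion window.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed heuristic: a PHP execution sink whose argument list
# references request-controlled input within ~120 bytes.
SINK = r"(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open|preg_replace)"
SOURCE = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"
SHELL_PATTERN = re.compile(
    rb"\b" + SINK.encode() + rb"\s*\(.{0,120}?" + SOURCE.encode(),
    re.DOTALL | re.IGNORECASE,
)
WEB_EXTS = {".php", ".phtml", ".php5", ".inc"}


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]):
    """Return (added, modified, removed) relative paths versus the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return added, modified, removed


def looks_like_webshell(data: bytes) -> bool:
    """True if request input appears to reach a code/command execution sink."""
    return SHELL_PATTERN.search(data) is not None


def hunt(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relpath, reason) for every file that is new or changed since
    the baseline; PHP files that also match the sink heuristic get a second
    reason so triage can start with them."""
    current = hash_tree(root)
    added, modified, _removed = diff_manifests(baseline, current)
    findings = []
    for rel in added + modified:
        path = root / rel
        reasons = ["new file" if rel in added else "changed since baseline"]
        if path.suffix.lower() in WEB_EXTS and looks_like_webshell(path.read_bytes()):
            reasons.append("request data reaches an execution sink")
        findings.append((rel, "; ".join(reasons)))
    return findings


def build_demo(tmp: Path) -> tuple[Path, dict[str, str]]:
    """Construct a toy web root and its pre-incident baseline (fixture data)."""
    root = tmp / "html"
    (root / "app").mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'ok'; ?>\n")
    (root / "app" / "util.php").write_text("<?php function f($x){return htmlspecialchars($x);} ?>\n")
    baseline = hash_tree(root)
    # After the baseline: a vendor patch legitimately changes util.php ...
    (root / "app" / "util.php").write_text(
        "<?php function f($x){return htmlspecialchars($x, ENT_QUOTES);} ?>\n"
    )
    # ... and an attacker-dropped file appears (constructed fixture).
    (root / "app" / "cache.php").write_text("<?php @system($_GET['q']); ?>\n")
    return root, baseline


def demo_findings() -> dict[str, str]:
    """Run the hunt against the constructed fixture and return path -> reason."""
    with tempfile.TemporaryDirectory() as d:
        root, baseline = build_demo(Path(d))
        return dict(hunt(root, baseline))


if __name__ == "__main__":
    for rel, why in demo_findings().items():
        print(f"{rel}: {why}")
```

Both flagged files are "changed since baseline", which is why the integrity diff alone is not the end of the job: the modified util.php has to be reconciled against the vendor's patch manifest, while the new cache.php combines an unexplained file with the sink heuristic and is the one to pull first. Run the baseline capture from known-good media or a vendor package list rather than from the live host, since a host that already carries a backdoor cannot vouch for its own baseline.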