Lorenz Ransomware Group Cracks MiVoice | Arctic Wolf

Arctic Wolf Labs analyzed a Lorenz ransomware intrusion that exploited CVE-2022-29499 on a Mitel MiVoice Connect appliance to gain initial access and deploy encryption with BitLocker. The attackers used LOLBins, Chisel tunneling, and FileZilla for data exfiltration, while maintaining OPSEC to move laterally and encrypt endpoints.
Read more: https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/

Key Points

  • Lorenz exploited CVE-2022-29499 on Mitel MiVoice Connect for initial access, obtaining a reverse shell.
  • The group paused for about a month after the initial exploitation before resuming post-exploitation activity.
  • Data exfiltration was performed via FileZilla before encryption began.
  • Encryption used BitLocker on endpoints (some ESXi hosts were encrypted as well), with a staged deployment script and a worm.txt trigger file.
  • Persistence was established using a webshell (pdf_import_export.php) on the Mitel device.
  • Credential access and lateral movement leveraged CrackMapExec/lsassy, LSASS dumps, and RDP.
  • Threat actors leveraged Chisel as a SOCKS proxy and C2 channel; PowerShell logging aided detection and potential decryption efforts.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Lorenz exploited CVE-2022-29499 on an exposed Mitel device to obtain a reverse shell. “Initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment.”
  • [T1588.002] Obtain Capabilities – Tools – FileZilla was downloaded by Lorenz to exfiltrate data. “Prior to beginning encryption, the threat actors leveraged the compromised administrator accounts to install FileZilla.”
  • [T1587.001] Develop Capabilities – Malware – Lorenz developed the BitLocker deployment script. “The first portion of network adds multiple keys to the registry… The BitLocker recovery message would then be displayed on the pre-boot key recovery screen after the device was encrypted.”
  • [T1505.003] Server Software Component – Webshell – Lorenz created a webshell on the vulnerable device for persistence. “It is worth noting that, after exploitation of the Mitel device, Lorenz did not immediately proceed with any further activity for about a month. Upon returning to the Mitel device, the threat actors interacted with a webshell named pdf_import_export.php located in the path /vhelp/pdf/en/.”
  • [T1095] Non-Application Layer Protocol – Proxy – Chisel client used to create a SOCKS5 connection to attacker IP/port. “The threat actors renamed the Chisel binary… and executed it to establish a connection back to a Chisel server listening at hxxps://137.184.181.252:8443, skipping TLS certificate verification and turning the client into a SOCKS proxy for the threat actor.”
  • [T1573] Encrypted Channel – Reverse shell used a localhost TLS certificate for encryption. “…turned the client into a SOCKS proxy… hxxps://137.184.181.252:8443”
  • [T1003.001] LSASS Memory – CrackMapExec using lsassy to dump LSASS remotely. “CrackMapExec was first used to dump credentials remotely via comsvcs, implemented via the lsassy module.”
  • [T1059.001] Command and Scripting Interpreter – PowerShell – PowerShell and Windows command shell used to execute scripts and utilities. “powErsHeLl.eXE -NoP $WER = [PSObject]…”
  • [T1059.003] Command and Scripting Interpreter – Windows Command Shell – Windows shell commands used throughout lateral movement and encryption.
  • [T1112] Modify Registry – BitLocker deployment script added registry keys required for BitLocker. “The deployment PowerShell script added registry keys that are required for BitLocker configuration.”
  • [T1053.005] Scheduled Task – atexec used via Task Scheduler to create and run tasks (network encryption). “Invoke-Command -ComputerName $c.ds_cn -Credential $cred -ScriptBlock {SCHTASKS /CREATE …;SCHTASKS /Run /TN ‘network’}”
  • [T1016] System Network Discovery – Discovery through netsh, ipconfig, netstat, certutil, etc. “certutil -config - -ping” and other commands.
  • [T1083] File and Directory Discovery – Recursive search for passwords. “Dir /s/b E:<REDACTED> | findstr passw”
  • [T1518.001] Security Software Discovery – Identification of security software or related artifacts.
  • [T1078.002] Domain Accounts – Privilege escalation via domain admin credentials.
  • [T1078.003] Local Accounts – Local admin credentials used for lateral movement.
  • [T1021.001] Remote Services – Remote Desktop Protocol – Lateral movement via RDP using stolen credentials.
  • [T1048.002] Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – Data exfiltration via FileZilla over SSH.
  • [T1486] Data Encrypted for Impact – BitLocker-based encryption of endpoints. “Data Encrypted for Impact: Lorenz leveraged BitLocker to encrypt systems.”
  • [T1529] System Shutdown/Reboot – Encryption script included reboot command.
  • [T1070.001] Indicator Removal on Host – Clear Windows Event Log – Logs cleared after encryption.
  • [T1027] Obfuscated Files or Information – BitLocker deployment script had a JPG extension to obfuscate. “The BitLocker deployment PowerShell script had a JPG extension.”

Indicators of Compromise

  • [IP Address] 137.184.181.252 – Used to exploit the Mitel device (CVE-2022-29499)
  • [IP Address] 138.197.218.11 – Data exfiltration via FileZilla
  • [IP Address] 138.68.19.94 – Data exfiltration via FileZilla
  • [IP Address] 138.68.59.16 – Used to download Chisel
  • [IP Address] 159.65.248.159 – Data exfiltration via FileZilla
  • [IP Address] 206.188.197.125 – Data exfiltration via FileZilla; HTTP POST of encryption progress
  • [IP Address] 64.190.113.100 – Data exfiltration via FileZilla
  • [SHA-256] 97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d – Chisel
  • [SHA-256] 07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94 – Webshell
  • [File Name] mem – Chisel binary renamed to mem
  • [File Name] pdf_import_export.php – Webshell on Mitel device
  • [File Name] worm.txt – BitLocker deployment trigger file used in the encryption process
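The MITRE technique list and the indicator list above can be turned into a small triage script that runs over endpoint, network and web-server telemetry. The following Python is an added example written for this summary, not code from Arctic Wolf or from the original post. It assumes a simple pipe-delimited event format that is constructed for the example (not a real log schema); host names, paths, PIDs, the deploy.jpg script name and the placeholder hash in the sample events are invented, and the behavioural rules only approximate the commands quoted above (for instance, the comsvcs.dll MiniDump form of the lsassy dump and the mixed-case powershell.exe invocation). Only the IP addresses, SHA-256 hashes, file names and webshell path come from the page.

```python
import re

# Atomic indicators copied from the IoC list above (IPs, SHA-256 hashes, file names).
IOC_IPS = {
    "137.184.181.252", "138.197.218.11", "138.68.19.94", "138.68.59.16",
    "159.65.248.159", "206.188.197.125", "64.190.113.100",
}
IOC_SHA256 = {
    "97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d": "Chisel",
    "07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94": "Webshell",
}
IOC_FILENAMES = {"mem", "pdf_import_export.php", "worm.txt"}
WEBSHELL_PATH = "/vhelp/pdf/en/pdf_import_export.php"

# Behavioural rules over process command lines, each tagged with the MITRE ID from the list above.
# The patterns approximate the quoted commands; they are not taken verbatim from the writeup.
PS_EXE = re.compile(r"powershell\.exe", re.I)
CMDLINE_RULES = [
    ("T1053.005", "schtasks creating or running a task named 'network'",
     re.compile(r"schtasks\s+/(create|run)\b.*?/tn\s+['\"\u2018\u2019]?network", re.I)),
    ("T1083", "recursive dir listing piped to findstr for passwords",
     re.compile(r"\bdir\s+/s\s*/b\b.*\|\s*findstr\s+passw", re.I)),
    ("T1003.001", "comsvcs.dll MiniDump of a process (the lsassy comsvcs method)",
     re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("T1016", "certutil -config - -ping connectivity probe",
     re.compile(r"certutil\s+-config\s+-\s+-ping", re.I)),
    ("T1027", "PowerShell executing a script that carries a .jpg extension",
     re.compile(r"powershell\.exe.*\S+\.jpg\b", re.I)),
]


def case_mangled_powershell(cmdline):
    """T1059.001: the PowerShell binary name written in mixed case (powErsHeLl.eXE in the
    writeup), a common trick against naive case-sensitive string matching."""
    m = PS_EXE.search(cmdline)
    return bool(m) and m.group(0) not in ("powershell.exe", "PowerShell.exe", "POWERSHELL.EXE")


def analyze(events):
    """Scan pipe-delimited events (constructed format) and return (host, rule_id, detail) tuples.
    Event kinds:
        proc|host|command line          net|host|process|dst_ip|dst_port
        http|host|request line          file|host|file name|sha256
    """
    hits = []
    for line in events:
        kind, host, rest = line.rstrip("\n").split("|", 2)  # maxsplit keeps '|' inside command lines
        if kind == "proc":
            if case_mangled_powershell(rest):
                hits.append((host, "T1059.001", "case-mangled powershell.exe: " + rest[:60]))
            for tid, desc, rx in CMDLINE_RULES:
                if rx.search(rest):
                    hits.append((host, tid, desc))
        elif kind == "net":
            proc, ip, port = rest.split("|")
            base = re.split(r"[\\/]", proc)[-1]
            if ip in IOC_IPS:
                hits.append((host, "IOC-IP", f"{proc} -> {ip}:{port}"))
            if base in IOC_FILENAMES and ip in IOC_IPS:  # renamed Chisel client reaching its server
                hits.append((host, "T1095", f"renamed Chisel client '{proc}' -> {ip}:{port}"))
        elif kind == "http":
            if WEBSHELL_PATH in rest:
                hits.append((host, "T1505.003", "request to webshell path " + WEBSHELL_PATH))
        elif kind == "file":
            name, sha = rest.split("|")
            if sha in IOC_SHA256:
                hits.append((host, "IOC-HASH", f"{name} matches known {IOC_SHA256[sha]} hash"))
            elif name in IOC_FILENAMES:
                hits.append((host, "IOC-FILE", f"file name {name} matches the IoC list"))
    return hits


# Constructed sample telemetry loosely modelled on the intrusion described above. Host names,
# paths, the PID, deploy.jpg and the placeholder hash are invented; the last two lines are benign.
SAMPLE_EVENTS = [
    "http|MITEL01|POST /vhelp/pdf/en/pdf_import_export.php HTTP/1.1",
    "net|MITEL01|/tmp/mem|137.184.181.252|8443",
    "proc|WS01|C:\\Windows\\System32\\powErsHeLl.eXE -NoP -File C:\\ProgramData\\deploy.jpg",
    "proc|DC01|SCHTASKS /CREATE /TN 'network' /TR C:\\ProgramData\\deploy.jpg /SC ONCE;SCHTASKS /Run /TN 'network'",
    "proc|WS02|rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 612 C:\\Windows\\Temp\\l.dmp full",
    "proc|FS01|cmd.exe /c dir /s/b E:\\share | findstr passw",
    "proc|FS01|certutil -config - -ping",
    "file|FS01|worm.txt|placeholder-hash-for-constructed-event",
    "file|WS02|mem|97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d",
    "net|FS01|filezilla.exe|138.68.19.94|22",
    "proc|WS03|powershell.exe -NoProfile -Command Get-Date",
    "net|WS03|chrome.exe|203.0.113.10|443",
]

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{host:8} {rule:10} {detail}")
```

The atomic indicators (IPs, hashes, file names) are the quickest to sweep but also the quickest for the actors to change; the behavioural rules keyed to the MITRE IDs (the case-mangled PowerShell binary name, the scheduled task named 'network', the comsvcs.dll dump, the .jpg-disguised script) are what keep firing across a re-tooled intrusion, which is why the script reports both kinds of hit per host.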
