Patching vulnerabilities that allow network access is not enough to prevent ransomware attacks, researchers warn. Attackers have been found to install backdoor malware using vulnerabilities while they still have the opportunity and return to launch an attack long after the victim has applied security updates.
Hackers have used a critical bug in a telephony system to gain access to the victim’s network and launch the Lorenz ransomware attack, found analysts at the intelligence and cyber security consultancy S-RM.
Backdoor and patched vulnerabilities
During an investigation of this attack, researchers found that the hackers had breached the network five months prior, before stealing data and encrypting systems. Despite the victim applying a patch for the vulnerability, the attackers were able to exploit it and install a backdoor a week before the patch was applied.
During the investigation, we theorised that the initial access vector was through the victim’s Mitel telephony infrastructure,” read the S-RM report.
Cybersecurity companies Arctic Wolf and Crowdstrike have earlier documented instances where Lorenz used VoIP vulnerabilities to gain access the ransomware binary name of “VOIP.exe”.
We also found that malicious processes leveraging living-off-the-land binaries had been spawned by a Ruby interpreter packaged within the Mitel Shoreline suite – a clear sign of misuse of that software. Notably, the systems had been patched with the most recent updates available, in particular, the systems had been patched for CVE-2022-29499 in July.
First, the Lorenz ransomware gang entered the network of Mitel, a Canadian telecommunications company with a vulnerability to hide a backdoor malware, and stayed inactive until the flaw was patched in July 2022. After five months of staying there, the backdoor was used to launch the ransomware in 48 hours and move laterally across the network. They stole system data, launched a DDoS amplification attack, and encrypted the files.
The company issued a security advisory in April 2022 that said that other Mitel products were not impacted by the flaw. Criminal gangs are innovating and this new technique looks like a game of hide and seek where the targets are attacked while have dropped their guards for patched vulnerabilities.
Technical details of the ransomware attack on the patched vulnerability
- Critical vulnerability CVE-2022-29499 was exploited
- The zero-day remote code execution flaw had a CVSS v3 score of 9.8
- Mitel VOIP appliance was compromised of product version 2 SP3 and earlier
- Lorenz gang conducted anti-forensic techniques to evade detection
- Source device was Linux-based which has low endpoint detection response software
- The IP address of the gang was replaced with invalid Ips 1.1.256.1 and 2.2.256.2
- The tunnelling/proxy tool Chisel was downloaded in the VOIP appliance and renamed as memdump. This was later executed.
- The interaction between Chisel and POST request was used to move laterally.
All the files were deleted from the impacted devices. Yet, researchers from CrowdStrike recovered forensic data from the impacted device to study the case further. They found that after the deletion of data from the systems, the Lorenz gang tried to overwrite the space which was determined from the recovered nohup.out file.
This is the content of the recovered file –
rm: cannot remove ‘/cf/swapfile’: Operation not permitted
dd: error writing ‘/tmp/2’: No space left on device
10666+0 records in
10665+0 records out
11183382528 bytes (11 GB) copied, 81.3694 s, 137 MB/s
This data which is from their commands in the freed space escaped the gang’s attempt to erase the memory using the rm command. After creating the reverse shell, they created a webshell named pdf_import.php.
Researchers advised reviewing logs even after a patch has been applied or offered. Continuous monitoring for unauthorized access and unexpected traffic is also recommended.
A sign of access could signal that a patched vulnerability may have been targeted by threat actors with a backdoor installed to be used later.