14 September 2022

Lorenz ransomware gang abuses Mitel VoIP appliance bug for initial access


The Lorenz ransomware gang has been observed exploiting a vulnerability in a popular VoIP appliance to gain initial access to the corporate network of an unnamed victim.

According to a new report from cybersecurity firm Arctic Wolf, the threat actors targeted the Mitel Service Appliance component of MiVoice Connect via the remote code execution (RCE) vulnerability CVE-2022-29499 to obtain a reverse shell. The attackers then used the Chisel TCP tunnelling tool to pivot into the environment.

Active since at least February 2021, Lorenz (like many other ransomware groups) uses a double-extortion approach, exfiltrating data before encrypting systems. Over the past three months, the group has been primarily focused on small and medium businesses (SMBs) in the US, China and Mexico.

In the observed attack, the threat actors waited nearly a month after gaining initial access before conducting further malicious operations, the researchers noted.

“Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges. These accounts were used to move laterally through the environment via RDP and subsequently to a domain controller,” the report reads.

The attackers exfiltrated data from the environment via FileZilla, and encrypted the systems using the legitimate BitLocker tool.

“Although Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz ransomware,” the researchers noted.

Organizations are recommended to upgrade to Mitel MiVoice Connect version R19.3 to prevent potential exploitation of the above-mentioned vulnerability.
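As an added defender-side illustration (not code from the Arctic Wolf report or this article), the Python sketch below correlates constructed process-creation and logon events into the stages described above: a Chisel tunnel, RDP logons (Windows event 4624, logon type 10), FileZilla activity, and BitLocker enablement via manage-bde or Enable-BitLocker. All hostnames, accounts, addresses and timestamps are invented; the stage order and the roughly one-month dwell time mirror the reported intrusion.

```python
import re
from datetime import datetime

# Constructed sample events; none of these values come from the report.
SAMPLE_EVENTS = [
    {"ts": "2022-04-02T09:12:00", "host": "mivoice-sa", "kind": "process",
     "user": "root", "cmd": "/tmp/chisel client 198.51.100.7:8080 R:socks"},
    {"ts": "2022-04-30T21:03:10", "host": "ws-17", "kind": "logon",
     "user": "CORP\\svc-admin", "logon_type": 10},   # 4624 type 10 = RemoteInteractive (RDP)
    {"ts": "2022-04-30T21:40:00", "host": "dc01", "kind": "logon",
     "user": "CORP\\da-admin", "logon_type": 10},
    {"ts": "2022-05-01T02:15:00", "host": "fs01", "kind": "process",
     "user": "CORP\\da-admin", "cmd": "C:\\Tools\\filezilla.exe"},
    {"ts": "2022-05-01T03:00:00", "host": "fs01", "kind": "process",
     "user": "CORP\\da-admin", "cmd": "manage-bde.exe -on C: -RecoveryPassword"},
]

# Each stage of the reported chain, with a predicate over one event.
STAGES = [
    ("tunnel", lambda e: e["kind"] == "process" and "chisel" in e["cmd"].lower()),
    ("rdp_lateral", lambda e: e["kind"] == "logon" and e.get("logon_type") == 10),
    ("exfil_ftp", lambda e: e["kind"] == "process" and "filezilla" in e["cmd"].lower()),
    ("bitlocker_encrypt", lambda e: e["kind"] == "process"
        and re.search(r"manage-bde.*\s-on\b|enable-bitlocker", e["cmd"], re.I)),
]

def first_seen(events):
    """Return {stage: earliest event matching that stage} (ISO timestamps sort as strings)."""
    seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, match in STAGES:
            if name not in seen and match(e):
                seen[name] = e
    return seen

def chain_alert(events):
    """Summarise which stages appear, whether the full chain occurred in order, and dwell time."""
    seen = first_seen(events)
    ordered = [s for s, _ in STAGES if s in seen]
    complete = ordered == [s for s, _ in STAGES]
    in_order = all(seen[a]["ts"] <= seen[b]["ts"] for a, b in zip(ordered, ordered[1:]))
    dwell_days = None
    if complete:   # days between first tunnel activity and first encryption attempt
        t0 = datetime.fromisoformat(seen["tunnel"]["ts"])
        t1 = datetime.fromisoformat(seen["bitlocker_encrypt"]["ts"])
        dwell_days = (t1 - t0).days
    return {"stages": ordered, "complete": complete and in_order,
            "dwell_days": dwell_days, "accounts": sorted({seen[s]["user"] for s in ordered})}

if __name__ == "__main__":
    print(chain_alert(SAMPLE_EVENTS))
```

A real deployment would feed EDR process events and Security log 4624 records into the same predicates; the value of the chain view is that a lone RDP logon or a single manage-bde invocation is routine, while the ordered sequence is not.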
