Lorenz Ransomware Detection: The Group Leverages CVE-2022-29499 Vulnerability in Mitel VoIP Devices

Lorenz Ransomware Gang

The Lorenz ransomware group has been targeting corporate networks across the U.S., China, and Mexico in an ongoing ransomware campaign since early 2021. Exploiting a critical vulnerability in Mitel MiVoice Connect appliances, tracked as CVE-2022-29499, the adversaries aim to gain a foothold and persistence within a compromised network. This RCE vulnerability was first discovered in April and patched three months later.

Currently, more than 19,000 devices remain exposed to these exploitation attempts.

Detect Lorenz Ransomware

To identify behaviors associated with Lorenz ransomware, utilize the following threat detection content released by seasoned Threat Bounty contributors Osman Demir and Zaw Min Htun (ZETA):

Lorenz Ransomware Behavior (via process_creation)

Possible Lorenz Ransomware Group Persistence by Detection of Associated Files (via file_event)

The rule kit is aligned with the MITRE ATT&CK® framework v.10 and has translations for 26 SIEM, EDR & XDR platforms.

As cyber-attacks continue to grow in scale, we stress the importance of timely threat detection and offer scalable solutions for gaining visibility into the threats relevant to your security needs, mapped to the ATT&CK framework. To search for related threats and instantly view contextual metadata, such as CTI and ATT&CK references, click the Explore Detections button and drill down into relevant results with SOC Prime’s search engine for Threat Detection, Threat Hunting, and CTI.


Lorenz Ransomware Analysis

Research data shows that the adversaries use companies’ phone systems as the initial access point into their corporate networks. Interestingly, the documented attacks show a one-month gap between the initial breach and the start of post-exploitation activity. For data exfiltration, the Lorenz ransomware gang used the FileZilla FTP tool.
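The page names FileZilla as the exfiltration tool and describes a process_creation rule, but does not publish the rule logic itself. The following is an added example, not SOC Prime's rule or the Threat Bounty content, showing how a minimal process_creation detection for FileZilla launches can be run over a handful of constructed, Sysmon-style JSON event lines. The field names (`EventID`, `Image`, `ParentImage`, `CommandLine`, `ComputerName`, `User`), the hostnames, users, paths and command lines are all constructed for the example; the "scripted parent" severity heuristic is the author's assumption, not something the page states.

```python
import json
from pathlib import PureWindowsPath

# FileZilla client binaries to watch for. Assumption for this example: the stock
# Windows client (filezilla.exe) plus the SFTP helper it ships (fzsftp.exe).
FILEZILLA_IMAGES = {"filezilla.exe", "fzsftp.exe"}

# Parent processes that suggest a scripted rather than interactive launch.
# Heuristic chosen for this example; tune it to your environment.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry, one JSON object per line, in a Sysmon-like
# shape where EventID 1 is process creation. Every value here is made up.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ComputerName": "WKS-01", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "ComputerName": "WKS-01", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe",
     "CommandLine": "\"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe\""},
    {"EventID": 1, "ComputerName": "FS-02", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\Public\\fz\\filezilla.exe",
     "CommandLine": "filezilla.exe --local=D:\\Shares\\Finance"},
    # A network-connection event (EventID 3) for the same image: not a
    # process_creation record, so the rule below must ignore it.
    {"EventID": 3, "ComputerName": "FS-02", "User": "CORP\\svc_backup",
     "Image": "C:\\Users\\Public\\fz\\filezilla.exe",
     "DestinationPort": 21},
])


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased so matching is case-insensitive."""
    return PureWindowsPath(path).name.lower()


def detect_filezilla(events):
    """Return one alert dict per process_creation event that launched FileZilla."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process_creation records
            continue
        if image_name(ev.get("Image", "")) not in FILEZILLA_IMAGES:
            continue
        parent = image_name(ev.get("ParentImage", ""))
        # A launch from a shell or script host is the closer match to tool-based
        # exfiltration; an interactive launch from explorer.exe is rated lower.
        severity = "high" if parent in SCRIPT_PARENTS else "medium"
        alerts.append({
            "host": ev.get("ComputerName"),
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "parent": parent,
            "command_line": ev.get("CommandLine", ""),
            "severity": severity,
        })
    return alerts


def detect_from_log(text: str):
    """Parse newline-delimited JSON events, skipping malformed lines, then run the rule."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
    return detect_filezilla(events)


if __name__ == "__main__":
    for a in detect_from_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} {a['user']} "
              f"{a['parent']} -> {a['image']} :: {a['command_line']}")
```

Two of the four constructed lines fire: the interactive launch on the workstation at medium severity and the cmd.exe-spawned launch on the file server at high severity. Because the page reports roughly a month between the initial breach and the post-exploitation phase, a rule like this only pays off if process telemetry from the phone-system segment and the servers it can reach is retained over at least that window, so that the later FileZilla activity can still be tied back to the earlier intrusion.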

This criminal group has earned a reputation for high-profile attacks, leaving its victims’ wallets thinner by collecting millions in ransom payments. The Lorenz group runs double-extortion attacks, publishing stolen data on its leak site or selling it to third parties.

In August, we introduced some significant improvements to SOC Prime’s Threat Bounty Program. Kudos to our top 5 most popular Threat Bounty contributors (content-based rating):

Nattatorn Chuensangarun

Kyaw Pyiyt Htet

Aytek Aytemur

Furkan Celik

Osman Demir

Learn more about the cyber world’s most prolific detection content developer program and secure your place among industry leaders with SOC Prime.
