Lorenz is a ransomware group that has been active since at least February 2021 and, like many ransomware groups, performs double extortion: it exfiltrates data before encrypting systems. Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico.

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion that leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft's BitLocker Drive Encryption for data encryption. Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect and gain initial access.

Threat actors are beginning to shift their targeting to lesser-known or less-monitored assets to avoid detection. Monitoring only critical assets is not enough: security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices.

Key takeaways:

- Process and PowerShell logging can significantly aid incident responders and may make it possible to decrypt encrypted files.
- Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and are gaining access to 0-day exploits.
- Lorenz employed a high degree of operational security (OPSEC).
- Encryption was done via BitLocker (on Windows) and via Lorenz ransomware on ESXi.
- Lorenz waited nearly a month after obtaining initial access before conducting additional activity.
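The takeaway that process and PowerShell logging can aid responders and potentially help decrypt files is worth making concrete. The following is an added example, not code from Arctic Wolf Labs or from the report: it runs a simple detection over constructed log records shaped like Sysmon process-creation events and PowerShell script block logging entries (Event ID 4104), flags commands that turn BitLocker on or add a key protector, and pulls out any password or recovery password an operator passed inline, which is exactly the material that would let a responder unlock the volume afterwards. The field names, hostnames and commands are assumptions; whether the Lorenz operators passed key material on a command line is not something this page states.

```python
"""Detection over process-creation and PowerShell script-block logs for
BitLocker being turned on by an attacker.

Added example, not code from the Arctic Wolf Labs report. The records below
are constructed and imitate Sysmon Event ID 1 (process creation) and
PowerShell Event ID 4104 (script block logging) after export to a flat
schema; the field names (command_line, script_block_text) are assumptions.
"""
import re

# Command shapes that turn BitLocker on or add a key protector. Both the
# manage-bde.exe LOLBin and the BitLocker PowerShell cmdlets are covered.
BITLOCKER_PATTERNS = [
    re.compile(r"\bmanage-bde(?:\.exe)?\b.*\s-(?:on|protectors)\b", re.I),
    re.compile(r"\bEnable-BitLocker\b", re.I),
    re.compile(r"\bAdd-BitLockerKeyProtector\b", re.I),
]

# Secrets that only survive if the command text itself was logged: a plaintext
# password turned into a SecureString inline, or an explicit 48-digit recovery
# password handed to "manage-bde -protectors -add <vol> -rp <password>".
PASSWORD_LITERAL = re.compile(
    r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]([^'\"]+)['\"]", re.I)
RECOVERY_PASSWORD = re.compile(r"\b(\d{6}(?:-\d{6}){7})\b")

# Constructed sample records (not real telemetry). The recovery password is a
# shape-only placeholder, not a valid BitLocker key.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "FS01",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"source": "sysmon", "event_id": 1, "host": "FS01",
     "command_line": r'"C:\Windows\System32\manage-bde.exe" -protectors -add D: '
                     r"-rp 111111-222222-333333-444444-555555-666666-777777-888888"},
    {"source": "sysmon", "event_id": 1, "host": "FS01",
     "command_line": r'"C:\Windows\System32\manage-bde.exe" -on D: -usedspaceonly'},
    {"source": "powershell", "event_id": 4104, "host": "DC01",
     "script_block_text": "Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus"},
    {"source": "powershell", "event_id": 4104, "host": "DC01",
     "script_block_text": "$p = ConvertTo-SecureString 'L0renz!2022' -AsPlainText -Force\n"
                          "Enable-BitLocker -MountPoint 'E:' -PasswordProtector "
                          "-Password $p -SkipHardwareTest"},
]


def command_text(event):
    """Return the attacker-controlled text for the event types we understand."""
    if event["event_id"] == 1:
        return event.get("command_line", "")
    if event["event_id"] == 4104:
        return event.get("script_block_text", "")
    return ""


def extract_secrets(text):
    """Pull out any key material that would let a responder unlock the volume."""
    found = [("password", p) for p in PASSWORD_LITERAL.findall(text)]
    found += [("recovery_password", r) for r in RECOVERY_PASSWORD.findall(text)]
    return found


def analyze(events):
    """Return one finding per event that enables BitLocker or adds a protector."""
    findings = []
    for ev in events:
        text = command_text(ev)
        if not any(p.search(text) for p in BITLOCKER_PATTERNS):
            continue
        findings.append({
            "host": ev["host"],
            "source": ev["source"],
            "event_id": ev["event_id"],
            "text": text,
            "secrets": extract_secrets(text),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        first_line = f["text"].splitlines()[0]
        print(f"[{f['host']}] {f['source']} event {f['event_id']}: {first_line}")
        for kind, value in f["secrets"]:
            print(f"    recovered {kind}: {value}")
```

Without script block logging the 4104 record never exists, and without process-creation logging the manage-bde.exe command line is lost with it, so the detection only has something to work on where those sources were enabled before the intrusion. When the recovery password is generated by the cmdlet rather than supplied as an argument, the command text does not contain it and the protector has to be read from the volume or from wherever it was backed up.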