Lorenz ransomware sets backdoors to prepare for future attacks

January 19, 2023

The Lorenz ransomware operators completed their attacks months after they gained access to their target’s network via an exploit for a critical flaw in a telephony system.

Researchers warn that patching a critical vulnerability alone may not keep cybercriminals out of a network. Based on reports, some threat groups have started exploiting such vulnerabilities to plant a backdoor that stays in place after the patch, giving them a way back in for future campaigns whenever an opportunity arises.


The Lorenz ransomware group breached their target months before initiating attacks.


According to an investigation, the Lorenz ransomware operators breached their targeted network five months before executing malicious actions such as stealing data, encrypting systems, and moving laterally across the network.

The researchers explained that the group acquired initial access by abusing CVE-2022-29499, a critical flaw in the Mitel telephony infrastructure. The vulnerability gave the attackers remote code execution (RCE) on the targeted network.

However, the vendor did not know about the flaw at the time, and no fix was available. This gave the threat actors an opportunity to exploit the CVE and plant a backdoor before it could be closed.

The researchers discovered that although the client later applied the patch for the flaw, the ransomware operators had already exploited the vulnerability and planted backdoors a week before the vendor released the update for the issue.

Fortunately, no vulnerable pages remained on the system after the patch. Still, an analysis of the logs showed that those pages had last been accessed by the ransomware actors at the time they created the web shell on the targeted device.

Furthermore, the hackers attempted to disguise the backdoor by naming it twitter_icon_<random string> and placing it in a legitimate directory on the system.

The web shell used by the actors is a single line of PHP code that listens for HTTP POST requests.

Experts claimed that the web shell sat silently on the victim’s network for about five months. As soon as the hackers saw an opportunity, they used the backdoor and deployed the Lorenz ransomware within two days.
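As an added example (not code from the report or this article), the following Python triage script shows how a defender could sweep a web root for files that match the pattern described above: a PHP file with an image-like name, consisting of a single line, that reads request input. The name pattern, scoring threshold and sample directory tree are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics drawn from the incident described above (thresholds are assumptions):
# an image-like file name that is actually PHP, a one-line script, and use of a
# request superglobal such as $_POST.
IMAGE_LIKE_NAME = re.compile(r"(?:icon|logo|img|image)_?[A-Za-z0-9]*\.php$", re.I)
REQUEST_INPUT = re.compile(r"\$_(?:POST|REQUEST|GET|COOKIE)\b")


def inspect_php_file(path: Path) -> dict:
    """Return which of the three heuristics a single PHP file triggers."""
    text = path.read_text(errors="replace")
    code_lines = [ln for ln in text.splitlines() if ln.strip()]
    return {
        "path": str(path),
        "image_like_name": bool(IMAGE_LIKE_NAME.search(path.name)),
        "single_line": len(code_lines) == 1 and "<?php" in text,
        "reads_request_input": bool(REQUEST_INPUT.search(text)),
    }


def find_suspicious_php(web_root: Path) -> list:
    """Flag PHP files that trigger at least two heuristics (assumed threshold)."""
    findings = []
    for path in web_root.rglob("*.php"):
        info = inspect_php_file(path)
        info["score"] = sum(info[k] for k in ("image_like_name", "single_line", "reads_request_input"))
        if info["score"] >= 2:
            findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_web_root() -> Path:
    """Constructed sample tree (not taken from the incident) to exercise the sweep."""
    root = Path(tempfile.mkdtemp())
    (root / "assets").mkdir()
    # Legitimate multi-line page: triggers no heuristic.
    (root / "index.php").write_text("<?php\n// constructed sample\necho 'hello';\n")
    # Benign one-line include: triggers only the single-line heuristic, not flagged.
    (root / "assets" / "version.php").write_text("<?php define('APP_VERSION', '1.0');\n")
    # One-line file with an image-like name that reads POST input: flagged (score 3).
    (root / "assets" / "twitter_icon_abc123.php").write_text(
        "<?php /* constructed */ if (isset($_POST['k'])) { echo 'ok'; }\n")
    return root


if __name__ == "__main__":
    for finding in find_suspicious_php(build_sample_web_root()):
        print(finding)
```

In a real sweep the flagged paths would be compared against file creation times and web server access logs, since the disguised file in this case sat unused for months before the operators returned.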
