Lorenz ransomware targets enterprises exploiting corporate networks via their phone systems for initial access…

Continue reading
Lorenz ransomware operators are spotted to exploit a critical vulnerability in Mitel MiVoice VOIP appliances to attack organizations, gaining early access to their corporate networks via their phone systems.
Arctic Wolf Labs security researchers observed a strong overlap with Tactics, Techniques, and Procedures (TTPs) associated with ransomware attacks targeting the CVE-2022-29499 security flaw for first access, validating Crodwstrike's June report.
While these attacks were not associated with a single ransomware operator, Arctic Wolf Labs was able to confidently identify comparable harmful behaviour to the Lorenz gang. In a paper published today, security researchers disclosed that initial malicious activity emanated from a Mitel appliance located at the network's perimeter.
_"Lorenz exploited CVE-2022-29499, a remote code execution flaw affecting the Mitel Service Appliance component of MiVoice Connect, to get a reverse shell, and then utilized Chisel as a tunneling tool to pivot into the environment."_
According to security expert Kevin Beaumont, this is an essential addition to the gang's armory, as Mitel Voice-over-IP (VoIP) technologies are utilized by businesses in vital sectors globally (including government agencies), with over 19,000 machines currently vulnerable to Internet-based attacks.
Mitel has resolved the vulnerability by issuing security updates at the beginning of June 2022, following the release of a remediation script in April for impacted MiVoice Connect versions.

Recent record-breaking DDoS amplification attack leveraged different security vulnerabilities affecting Mitel devices.
Since at least December 2020, the Lorenz ransomware group has targeted enterprise firms globally, seeking hundreds of thousands of dollars in ransom from each victim.
Michael Gillespie of ID Ransomware informed Secure Blink that the Lorenz encryptor is identical to the one utilized by a ransomware campaign known as ThunderCrypt.
This group is also popular for selling stolen data obtained prior to the encryption to other threat actors in order to coerce its victims into paying the ransom, as well as selling access to its victims' internal networks along with the stolen data.
If ransoms are not paid after leaking the stolen data as password-protected RAR archives, Lorenz provides public access to the stolen files by releasing the password of the leaked archives.
In June 2021, the Dutch cybersecurity company Tesorion launched a free Lorenz ransomware decryptor that may be used to recover Office documents, PDF files, photos, and videos, among others.
Hensoldt, a global defense contractor headquartered in Germany, and Canada Post, the principal postal provider in Canada, are among the prior victims.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.