Mitel MiVoice Connect is attacked by Lorenz ransomware

Sicherheit (Pexels, allgemeine Nutzung)[German]Phone systems from Canadian manufacturer Mitel that are used in companies are being attacked by ransomware from the Lorenz Group. Arctic Wolf Labs suspects that Lorenz Ransomware Group has exploited the CVE-2022-29499 vulnerability to compromise Mitel MiVoice Connect systems to gain initial access. After that, the system can be taken over to encrypt it and extort victims. Administrators should update the phone system software to the latest version.


Mitel Networks Corporation is a Canadian telecommunications company. The company focused almost exclusively on voice-over-IP products after a change in ownership in 2001. Mitel MiVoice Connect systems are mainly used in companies as telephone exchanges.

The Lorenz Ransomware Group

Security firm Artic Wolf writes in this article that the Lorenz ransomware group targets Mitel MiVoice Connect systems. Lorenz is a ransomware group that has been active since at least February 2021. The cyber criminals extort victims once by encrypting their systems, but also threaten to release captured company documents.  In late June, CrowdStrike researchers published a blog post describing a suspected ransomware attack that used the CVE-2022-29499 vulnerability for initial access. Last quarter, the group primarily targeted small and medium-sized enterprises (SMEs) in the United States, with isolated infections also occurring in China and Mexico.

Attacks on Mitel MiVoice Connect Systems

Security researchers suspect that the CVE-2022-29499 vulnerability is being exploited to gain access to phone system software. In security advisory 22-0002, Mitel writes that a vulnerability has been discovered in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400 and Virtual SA). The vulnerability allows a malicious actor to perform remote code execution (CVE-2022-29499) in the context of the service appliance. MiVoice Connect (up to version 14.2) is affected – Mitel recommends customers with affected product versions apply available remediation.

After the ransomware gains access to the software through the vulnerability, the malware waits almost a month to perform further activities. Then, the ransomware uses FileZilla to extract captured data and transfer it to the ransomware gang's servers. Following that, the encryption of files on the systems is usually done using BitLocker on Windows. But security researchers have observed a few ESXi hosts used by the Lorenz ransomware for encryption..

Then the cyber criminals try to extort the companies, using both the encrypted files and the captured company documents as leverage. In July 2022, Mitel released MiVoice Connect version R19.3, which fully fixes CVE-2022-29499. Artic Wolf security researchers recommend upgrading to version R19.3 to prevent possible exploitation of this vulnerability. On April 19, 2022, Mitel made a script available for versions 19.2 SP3 and earlier and R14.x and earlier as a workaround prior to the release of R19.3. Details can be found in this article.  (via)


Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *