
Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free

Severity: Low
Category: Vulnerability

Tags:
type:osint
osint:lifetime="perpetual"
osint:certainty="50"
tlp:white
osint:source-type="blog-post"
misp-galaxy:mitre-attack-pattern="exploit public-facing application - t1190"
misp-galaxy:mitre-attack-pattern="tool - t1588.002"
misp-galaxy:mitre-attack-pattern="malware - t1587.001"
misp-galaxy:mitre-attack-pattern="web shell - t1505.003"
misp-galaxy:mitre-attack-pattern="proxy - t1090"
misp-galaxy:mitre-attack-pattern="encrypted channel - t1573"
misp-galaxy:mitre-attack-pattern="lsass memory - t1003.001"
misp-galaxy:mitre-attack-pattern="powershell - t1059.001"
misp-galaxy:mitre-attack-pattern="windows command shell - t1059.003"
misp-galaxy:mitre-attack-pattern="modify registry - t1112"
misp-galaxy:mitre-attack-pattern="scheduled task - t1053.005"
misp-galaxy:mitre-attack-pattern="scheduled task - t1053"
misp-galaxy:mitre-attack-pattern="standard non-application layer protocol - t1095"
misp-galaxy:mitre-attack-pattern="system network configuration discovery - t1016"
misp-galaxy:mitre-attack-pattern="security software discovery - t1518.001"
misp-galaxy:mitre-attack-pattern="file and directory discovery - t1083"
misp-galaxy:mitre-attack-pattern="domain accounts - t1078.002"
misp-galaxy:mitre-attack-pattern="local accounts - t1078.003"
misp-galaxy:mitre-attack-pattern="remote desktop protocol - t1021.001"
misp-galaxy:mitre-attack-pattern="exfiltration over asymmetric encrypted non-c2 protocol - t1048.002"
misp-galaxy:mitre-attack-pattern="data encrypted for impact - t1486"
misp-galaxy:mitre-attack-pattern="system shutdown/reboot - t1529"
misp-galaxy:mitre-attack-pattern="clear windows event logs - t1070.001"
misp-galaxy:mitre-attack-pattern="obfuscated files or information - t1027"
misp-galaxy:malpedia="chisel (elf)"
misp-galaxy:malpedia="chisel (windows)"
misp-galaxy:malpedia="lorenz"
misp-galaxy:ransomware="lorenz ransomware"
dnc:malware-type="ransomware"
enisa:nefarious-activity-abuse="ransomware"
ecsirt:malicious-code="ransomware"
malware_classification:malware-category="ransomware"
veris:action:malware:variety="ransomware"
ransomware
ms-caro-malware:malware-type="ransom"
ms-caro-malware-full:malware-type="ransom"
Published: Mon Sep 12 2022 (09/12/2022, 00:00:00 UTC)
Source: CIRCL

Description

Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free

AI-Powered Analysis

Last updated: 07/02/2025, 07:58:43 UTC

Technical Analysis

The threat involves the Lorenz ransomware group exploiting vulnerabilities related to Mitel MiVoice, a unified communications platform widely used in enterprise telephony. The group reportedly cracked MiVoice systems, enabling them to make unauthorized calls at no cost to themselves, which indicates a compromise of the telephony infrastructure. Lorenz ransomware is known for sophisticated attack techniques, including exploitation of public-facing applications, deployment of web shells, use of encrypted communication channels, and credential harvesting from LSASS memory. The attack chain involves multiple MITRE ATT&CK techniques: exploitation of public-facing applications (T1190), use of proxy tools (T1090), execution of PowerShell and Windows command shells (T1059.001, T1059.003), modification of registry keys (T1112), scheduled task creation for persistence (T1053, T1053.005), and discovery of system network configuration and security software (T1016, T1518.001). The ransomware encrypts data for impact (T1486) and may shut down or reboot the system to enforce the effects of encryption (T1529), while also clearing Windows event logs (T1070.001) to cover its tracks. The use of the chisel tool (both ELF and Windows variants) points to tunneling or proxying capabilities used to maintain covert communication channels. Although no exploits in the wild are reported, the threat level is assessed as moderate (4 out of 10), with a low severity rating assigned by the source. The attack requires initial access through public-facing applications, which may be facilitated by misconfigurations or unpatched vulnerabilities. The absence of specific affected versions and patch links indicates that this is an open investigation or an intelligence report based on OSINT with moderate certainty (50%).

Potential Impact

For European organizations, especially those relying on Mitel MiVoice telephony systems, this threat poses risks to both operational continuity and data confidentiality. Compromise of telephony infrastructure can lead to unauthorized call usage, resulting in financial losses and potential exposure of sensitive communications. The ransomware component threatens data integrity and availability by encrypting critical files, potentially disrupting business operations. The use of advanced persistence and evasion techniques complicates detection and remediation efforts. Organizations in sectors with high reliance on unified communications, such as finance, healthcare, and government, may face amplified impacts. Additionally, the clearing of event logs and obfuscation tactics hinder forensic investigations, delaying incident response. The threat also raises concerns about insider risk and lateral movement within networks, as credential theft and remote desktop protocol exploitation are part of the attack methodology. Given the interconnected nature of European telecommunication and enterprise networks, a successful attack could propagate effects beyond a single organization, affecting supply chains and service providers.

Mitigation Recommendations

European organizations should implement targeted mitigations beyond generic advice:

1) Conduct thorough security assessments of Mitel MiVoice deployments, ensuring all components are updated to the latest vendor-recommended versions and configurations.
2) Harden public-facing applications by enforcing strict access controls, multi-factor authentication, and network segmentation to limit exposure.
3) Monitor telephony systems for anomalous call patterns and unauthorized usage to detect potential compromise early.
4) Deploy endpoint detection and response (EDR) solutions capable of identifying behaviors associated with credential dumping, PowerShell abuse, and scheduled task creation.
5) Implement robust logging and centralized log management with tamper-evident storage so that log clearing cannot hinder investigations.
6) Restrict use of remote desktop protocols and enforce just-in-time access with strong authentication.
7) Conduct regular threat hunting exercises focusing on indicators related to chisel tunneling tools and encrypted command and control channels.
8) Develop and test incident response plans specific to ransomware and telephony system compromises, including backup and recovery strategies that cover unified communications infrastructure.
9) Collaborate with Mitel and cybersecurity information sharing organizations to receive timely threat intelligence and patches.


Technical Details

Threat Level: 4
Analysis: 0
Original Timestamp: 1666603345

Threat ID: 682acdbebbaf20d303f0c209

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 7/2/2025, 7:58:43 AM

Last updated: 8/9/2025, 9:48:32 PM

Views: 21
