Ransomware gangs have shown that they can play a long game, so it shouldn't come as a surprise to learn of one prepared to wait months to make use of a compromised system.
S-RM's Incident Response team shared details of a campaign attributed to the Lorenz ransomware group that exploited a specific vulnerability to plant a backdoor that wasnβt used until months later.
The Lorenz ransomware group first appeared on the radar in 2021. They have targeted organizations all over the world and are known to specialize in VoIP vulnerabilities to access their victimsβ environments. Like many ransomware groups, they steal their victimβs data before encrypting it, so they can add the threat of leaked data to the threat of encryption making it irrecoverable.
The researchers found in a specific case that the Lorenz group was able to exploit a vulnerability listed as CVE-2022-29499 a week prior to it being patched. This vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation. Essentially the vulnerability allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution.
After a vulnerability has been discovered and patched, it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is made available threat actors have the opportunity to reverse engineer it, find the vulnerability, create an exploit, and then scan for vulnerable systems. Its exactly this window of opportunity that the Lorenz ransomware group managed to exploit, in order to install a web shell on the vulnerable system. This web shell has a unique name and requires credentials to access the system.
The shell was placed some five months before the actual ransomware event, and sat dormant throughout that period. Whether the backdoor was created by an Initial Access Broker (IAB) and then sold on to the ransomware group or whether the Lorenz group created it themselves is unknown. But the results is the same.
The time between the compromise and the deployment of the ransomware can be explained by several theories.
Besides showing us how important it is to patch in a timely fashion, this vulnerability has shown us that patching alone is not always enough.
Victims were made with this vulnerability before there was a patch available. The vulnerability was found by investigating a suspected ransomware intrusion attempt, so there was at least one group that was able to use the vulnerability when it was still a zero-day.
The exploit details were published in June and the victim patched in July but was compromised a week prior to patching. So, the backdoor was planted during the time between the patch being released and it actually getting installed, the so called βpatch gapβ.
So, what else do we need to do in case we patch a vulnerable system? A difficult question with no easy cure-all answer. But there are some pieces of advice we can give:
We don't just report on threatsβwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.