Researchers warn that patching critical vulnerabilities that allow network access is not enough to prevent ransomware attacks.
Some gangs exploit the flaws to plant a backdoor while they still have the opportunity, and they may return long after the victim has applied the necessary security updates.
In one case, hackers exploited a critical bug in a telephony system to gain access to the victim’s network and launch the Lorenz ransomware attack.
A Backdoor Was Installed Before the Security Update
During an incident response engagement to a Lorenz ransomware attack, researchers determined that hackers breached the victim network five months before they started to move laterally, steal data, and encrypt systems.
A critical vulnerability in the Mitel telephony infrastructure, CVE-2022-29499, allowed the hackers to gain initial access to the system.
Although the client applied the CVE-2022-29499 patch in July, the Lorenz ransomware hackers had already exploited the vulnerability and planted a backdoor a week before the patch was applied.
On a CentOS system on the network perimeter, they exploited vulnerabilities in two Mitel PHP pages, which allowed them to retrieve a web shell from their infrastructure and install it on the system.
The threat actor’s web shell stayed in place on the victim machine even though, once the patch was applied, no vulnerable pages remained on the system.
The web shell is a single line of PHP code that listens for HTTP POST requests carrying two parameters: “id,” which together with a random string serves as a credential, and “img,” which contains the commands to be executed.
The long inactivity time may indicate that the ransomware group purchased access to the victim’s network from a broker, according to S-RM researchers.
According to another theory, the Lorenz gang is sufficiently organized to have a dedicated branch that obtains initial access and protects it from hijacking by others.
Threat actors typically exploit new vulnerabilities to compromise as many unpatched systems as possible, then return later to continue the attack.
Lorenz is actively returning to old backdoors, checking they still have access, and using them to launch ransomware attacks.
According to researchers, updating software at the right time is still essential in defending the network. However, companies should monitor their environments for potential intrusions and exploitation attempts when critical vulnerabilities are detected.
An intrusion could be detected by reviewing logs, looking for unauthorized access or behavior, and checking network monitoring data for unexpected traffic.
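The log and file review described in the last two paragraphs, as an added example that is not part of the original article or of S-RM's research: a Python scan that flags PHP files combining request-parameter reads with command execution, then checks whether each one's timestamp predates the patch, since a file older than the patch is precisely what a fix for the vulnerable pages will not remove. The web root layout, file names, sample contents and the list of execution functions are constructed assumptions for the demo.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Indicators modelled on the shell described above: a very short PHP file that reads POST
# parameters and passes one of them to a command-execution function (function list assumed).
REQUEST_PARAM = re.compile(r"\$_(POST|REQUEST)\s*\[", re.IGNORECASE)
EXEC_CALL = re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE)
SHORT_FILE_LINES = 3  # one-line shells are tiny; length is only a secondary signal

def score_php_source(source: str) -> dict:
    """Classify one PHP source text. A hit is an investigation lead, not a verdict."""
    code_lines = [line for line in source.splitlines() if line.strip()]
    reads_params = bool(REQUEST_PARAM.search(source))
    calls_exec = bool(EXEC_CALL.search(source))
    return {"reads_request_params": reads_params, "calls_exec_function": calls_exec,
            "very_short": len(code_lines) <= SHORT_FILE_LINES,
            "suspicious": reads_params and calls_exec}

def scan_webroot(root: str, patch_time: float) -> list:
    """Report suspicious PHP files under root, noting whether each predates the patch:
    patching removed the vulnerable pages but not what was already planted through them."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            hits = score_php_source(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits["suspicious"]:
            mtime = path.stat().st_mtime
            findings.append({"path": str(path), "very_short": hits["very_short"],
                             "planted_before_patch": mtime < patch_time})
    return findings

def demo() -> list:
    """Constructed web root: one benign page plus one inert sample matching the pattern."""
    root = tempfile.mkdtemp()
    benign = "<?php\n$name = $_POST['name'] ?? '';\necho htmlspecialchars($name);\n"
    # Constructed, non-functional sample: the request parameter is never executed.
    sample = "<?php $c = $_POST['img']; passthru('echo ok'); ?>\n"
    Path(root, "status.php").write_text(benign)
    planted = Path(root, "uploads", "x.php")
    planted.parent.mkdir()
    planted.write_text(sample)
    patch_time = time.time()  # assumption: the patch was applied "now"
    os.utime(planted, (patch_time - 7 * 86400,) * 2)  # planted a week before the patch
    return scan_webroot(root, patch_time)
```

Run `demo()` to see the single finding; in a real engagement, point `scan_webroot` at the appliance's web root and pass the patch installation time from the package manager logs.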