Lorenz Backdoor: How Ransomware Gangs Are Exploiting Old Vulnerabilities to Plant Malware
Security Experts Warn that Patching Isn’t Enough to Protect Against Ransomware Attacks.
Last updated on January 11, 2023
Researchers warn that patching critical vulnerabilities that allow network access is not enough to prevent ransomware attacks.
Some gangs exploit the flaws to plant backdoor malware while they still have the opportunity, and they may return long after the victim has applied the necessary security updates.
In one case, hackers exploited a critical bug in a telephony system to gain access to the victim’s network and launch the Lorenz ransomware attack.
A Backdoor Was Installed Before the Security Update
During an incident response engagement to a Lorenz ransomware attack, researchers determined that hackers breached the victim network five months before they started to move laterally, steal data, and encrypt systems.
A critical vulnerability in the Mitel telephony infrastructure, CVE-2022-29499, allowed the hackers to gain initial access to the system.
Although the client applied the CVE-2022-29499 patch in July, the Lorenz ransomware hackers had already exploited the vulnerability and planted a backdoor a week before the patch was applied.
On a CentOS system on the network perimeter, they exploited vulnerabilities in two Mitel PHP pages, which allowed them to retrieve a web shell from their infrastructure and install it on the system.
The threat actor’s web shell was still present on the victim machine even though no vulnerable pages remained on the system.
The web shell is a single line of PHP code that listens for HTTP POST requests with two parameters: “id,” which, together with a random string, serves as the credential, and “img,” which carries the commands to be executed.
The long inactivity time may indicate that the ransomware group purchased access to the victim’s network from a broker, according to S-RM researchers.
According to another theory, the Lorenz gang is sufficiently organized to have a dedicated branch that obtains initial access and protects it from hijacking by others.
Threat actors typically exploit new vulnerabilities to compromise as many unpatched systems as possible, then return later to continue the attack.
Lorenz is actively returning to old backdoors, checking they still have access, and using them to launch ransomware attacks.
According to researchers, updating software at the right time is still essential in defending the network. However, companies should monitor their environments for potential intrusions and exploitation attempts when critical vulnerabilities are detected.
An intrusion could be detected by reviewing logs, looking for unauthorized access or behavior, and checking network monitoring data for unexpected traffic.
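The web shell described above (a one-line PHP file driven by POST parameters “id” and “img”) is the kind of artifact a post-patch review should look for. The following is an added example, not code from the article or from S-RM: a heuristic scanner that walks a web root, flags short PHP files that reference those parameter names and call command-execution functions, and runs against constructed fixtures. The indicator lists and the fixture contents are assumptions for the demo; the “shell” fixture only carries the indicators inside a string literal and executes nothing.

```python
"""Added example: heuristic scan for one-line, POST-driven PHP web shells."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Assumed indicator set: PHP functions that run commands or arbitrary code
EXEC_FUNCS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
# $_POST['name'] / $_REQUEST["name"] references
POST_PARAM = re.compile(r"\$_(?:POST|REQUEST)\s*\[\s*['\"](\w+)['\"]\s*\]")
SHELL_PARAMS = {"id", "img"}  # parameter names reported for the Lorenz web shell

# Constructed fixtures. SHELL_FIXTURE holds the indicators inside an echo string
# so the scanner sees them, but the file runs nothing.
SHELL_FIXTURE = '<?php echo "$_POST[\'id\'] $_POST[\'img\'] system(";'
FORM_FIXTURE = "<?php\n$id = $_POST['id'];\n$name = $_POST['name'];\n// store record\n"
ADMIN_FIXTURE = "<?php\n// scheduled cleanup\n$out = [];\nexec('ls /tmp', $out);\nprint_r($out);\n"
FIXTURES = {"index.php": FORM_FIXTURE, "admin/cleanup.php": ADMIN_FIXTURE,
            "uploads/.cache.php": SHELL_FIXTURE}

def score_php(content: str) -> Dict[str, object]:
    """Score one PHP file's contents; two or more reasons => suspicious."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    params = {m.group(1).lower() for m in POST_PARAM.finditer(content)}
    exec_calls = sorted({m.group(1).lower() for m in EXEC_FUNCS.finditer(content)})
    reasons = []
    if SHELL_PARAMS <= params:
        reasons.append("POST params id+img")
    if exec_calls:
        reasons.append("exec functions: " + ",".join(exec_calls))
    if exec_calls and len(lines) <= 2:
        reasons.append("one-liner with exec")
    return {"params": sorted(params), "exec": exec_calls,
            "reasons": reasons, "suspicious": len(reasons) >= 2}

def scan_webroot(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a web root; return (relative path, reasons) for suspicious PHP files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = score_php(fh.read())
            if result["suspicious"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, result["reasons"]))
    return hits

def demo() -> List[Tuple[str, List[str]]]:
    """Build a throwaway web root from the fixtures and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in FIXTURES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Only the hidden file under uploads/ trips two or more heuristics; the form handler (POST without exec) and the admin script (exec in a multi-line file without the id/img pair) are left alone, which is the false-positive balance a reviewer wants before triaging hits by hand.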
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.