Lorenz ransomware gang plants backdoors to use months later

Security researchers are warning that patching critical vulnerabilities that allow access to the network is not, by itself, sufficient to defend against ransomware attacks.

Some gangs exploit the flaws to plant a backdoor while the window of opportunity is open and may return long after the victim has applied the necessary security updates.

One case is a Lorenz ransomware attack that reached completion months after the hackers gained access to the victim’s network using an exploit for a critical bug in a telephony system.

Backdoor planted before security update

During an incident response engagement for a Lorenz ransomware attack, researchers at global intelligence and cyber security consulting company S-RM determined that the hackers had breached the victim network five months before starting to move laterally, steal data, and encrypt systems.

S-RM determined that the hackers gained initial access by exploiting CVE-2022-29499, a critical vulnerability in the Mitel telephony infrastructure, which allows remote code execution.

The security issue was discovered last year in an investigation from CrowdStrike Services into “a suspected ransomware intrusion attempt.” At that time, the vendor did not know about the vulnerability and a fix had yet to come.

S-RM researchers found that although their client had applied the patch for CVE-2022-29499 in July, the Lorenz ransomware hackers had moved faster: they exploited the vulnerability and planted a backdoor a week before the update that fixed the issue.

“They leveraged vulnerabilities within two Mitel PHP pages on a CentOS system on the network perimeter, which allowed them to retrieve a web shell from their own infrastructure and install it on the system” – S-RM

Although the vulnerable pages no longer remained on the system, forensic analysis revealed that they had last been accessed at the time the threat actor’s web shell was created on the victim machine.

The hackers tried to hide the backdoor by naming it “twitter_icon_” followed by a random string and placing it in a legitimate directory on the system.

The web shell is a single line of PHP code that listens for HTTP POST requests with two parameters: “id,” which, together with the random string, acts as the credential for system access, and “img,” which carries the commands to be executed.

[Image: Lorenz ransomware backdoor planted after exploiting CVE-2022-29499] PHP web shell planted by Lorenz ransomware under the name “twitter_icon_” (source: S-RM)

For five months, the web shell lay dormant on the victim network. When the hackers were ready to follow through with the attack, they used the backdoor and deployed the Lorenz ransomware in 48 hours.

Check for intrusion before applying critical bug fix

The S-RM researchers say that the long inactivity time could suggest that the ransomware group purchased their access to the victim network from a broker.

Another theory is that the Lorenz gang is sufficiently organized to have a dedicated branch that obtains initial access and protects it against possible hijacking by other intruders.

S-RM researchers Tim Geschwindt and Ailsa Wood say that threat actors typically take full advantage of a new vulnerability and try to find and compromise as many unpatched systems on the internet as they can, only to return at a later time to continue the attack.

They “assess that Lorenz is actively returning to old backdoors, checking they still have access and using them to launch ransomware attacks.”

For this reason, the two researchers note that updating software to the latest version at the right time is still an important step in defending the network, but in the case of critical vulnerabilities, companies should also check their environment for exploit attempts and possible intrusions.

Reviewing logs, looking for unauthorized access or behavior, and checking network monitoring data for unexpected traffic could reveal an intrusion that would survive a security update.
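One practical form of the log review described above is a small hunt script that looks for the access pattern S-RM describes: POST requests to a PHP file that sits in a directory meant for static assets, with a long gap between the first contact (when the backdoor was planted) and later contact (when the attackers return). The script below is an added example, not S-RM’s tooling or code from the article; it assumes an Apache/nginx combined-format access log, assumes (not confirmed by the article) that the disguised file sat in an image directory, and uses constructed sample log lines with documentation-range IP addresses.

```python
"""Hunt an HTTP access log for a dormant single-line PHP web shell of the
kind described above: POST requests to a .php file that lives where only
static assets should be, with a months-long gap before access resumes.
Added example; sample log lines below are constructed, not real data."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: these directories serve static assets and should never execute PHP.
STATIC_DIRS = ("/images/", "/img/", "/icons/", "/css/", "/js/")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def is_suspicious_request(rec):
    """POST to a .php file under a static-asset directory: the shape of
    command delivery to a web shell disguised as an image file."""
    return (
        rec["method"] == "POST"
        and rec["path"].lower().endswith(".php")
        and rec["path"].startswith(STATIC_DIRS)
    )


def hunt(lines, dormancy_days=30):
    """Group suspicious requests per path and report first/last contact,
    distinct source IPs, and whether access resumed after a long gap
    (the 'plant now, come back months later' pattern)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_request(rec):
            hits[rec["path"]].append(rec)

    findings = {}
    for path, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).days for a, b in zip(recs, recs[1:])]
        longest_gap = max(gaps) if gaps else 0
        findings[path] = {
            "first_seen": recs[0]["ts"],
            "last_seen": recs[-1]["ts"],
            "request_count": len(recs),
            "sources": sorted({r["ip"] for r in recs}),
            "longest_gap_days": longest_gap,
            "dormant_then_active": longest_gap >= dormancy_days,
        }
    return findings


# Constructed sample: backdoor planted in June, untouched until November.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2022:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2022:02:14:09 +0000] "POST /images/twitter_icon_k3j9.php HTTP/1.1" 200 84',
    '198.51.100.7 - - [12/Nov/2022:23:41:50 +0000] "POST /images/twitter_icon_k3j9.php HTTP/1.1" 200 1320',
    '198.51.100.7 - - [12/Nov/2022:23:42:01 +0000] "POST /images/twitter_icon_k3j9.php HTTP/1.1" 200 2048',
    '192.0.2.10 - - [13/Nov/2022:08:00:00 +0000] "GET /images/twitter_icon.png HTTP/1.1" 200 4096',
    '192.0.2.11 - - [13/Nov/2022:08:00:05 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for path, f in hunt(SAMPLE_LOG).items():
        flag = "DORMANT-THEN-ACTIVE" if f["dormant_then_active"] else "active"
        print(f"{path}: {f['request_count']} POSTs from {f['sources']}, "
              f"{f['first_seen']:%Y-%m-%d} -> {f['last_seen']:%Y-%m-%d}, "
              f"longest gap {f['longest_gap_days']} days [{flag}]")
```

Run against a real log, the first-seen timestamp of a flagged path is the value to compare with the date the patch was applied: a backdoor that predates the update, as in the case above, survives it. The same per-path grouping also surfaces files worth pulling for content review, which is where the single-line PHP and its POST parameters would be confirmed.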
