Ransomware gangs have shown that they can play a long game, so it shouldn’t come as a surprise to learn of one prepared to wait months to make use of a compromised system.
S-RM’s Incident Response team shared details of a campaign attributed to the Lorenz ransomware group that exploited a specific vulnerability to plant a backdoor that wasn't used until months later.
The Lorenz ransomware group first appeared on the radar in 2021. They have targeted organizations all over the world and are known to specialize in VoIP vulnerabilities to access their victims' environments. Like many ransomware groups, they steal their victims' data before encrypting it, so that the threat of leaking the data is added to the threat of encryption rendering it irrecoverable.
The researchers found in a specific case that the Lorenz group was able to exploit a vulnerability listed as CVE-2022-29499 a week prior to it being patched. This vulnerability, which has a CVSS score of 9.8 out of 10, exists in the Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 and allows remote code execution because of incorrect data validation. Essentially, the vulnerability allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution.
After a vulnerability has been discovered and patched, it is not uncommon for organizations to wait for a convenient moment to apply the patch. But as soon as a patch is made available, threat actors have the opportunity to reverse engineer it, find the vulnerability, create an exploit, and then scan for vulnerable systems. It's exactly this window of opportunity that the Lorenz ransomware group managed to exploit, in order to install a web shell on the vulnerable system. This web shell has a unique name and requires credentials to access the system.
The shell was placed some five months before the actual ransomware event, and sat dormant throughout that period. Whether the backdoor was created by an Initial Access Broker (IAB) and then sold on to the ransomware group, or whether the Lorenz group created it themselves, is unknown. But the result is the same.
The time between the compromise and the deployment of the ransomware can be explained by several theories.
- The backdoor was planted by an IAB that waited for the right offer to sell off their access to the compromised system.
- When an easy-to-exploit vulnerability is available, a group will first compromise as many systems as possible and later work their way through the list of victims.
- With the initial breach the threat actor replaced several key artefacts on the perimeter CentOS system, effectively blocking the creation of any additional logging or audit data. After a while, old logs are deleted and no new ones are created, which improves the attacker's chances of remaining undetected.
Besides showing us how important it is to patch in a timely fashion, this vulnerability has shown us that patching alone is not always enough.
Victims were compromised through this vulnerability before a patch was available. The vulnerability was found by investigating a suspected ransomware intrusion attempt, so there was at least one group that was able to use the vulnerability while it was still a zero-day.
The exploit details were published in June and the victim patched in July, but was compromised a week prior to patching. So, the backdoor was planted during the time between the patch being released and its actual installation, the so-called "patch gap".
So, what else do we need to do when we patch a vulnerable system? A difficult question with no easy cure-all answer. But there are some pieces of advice we can give:
- Keep the patch gap as small as possible. We know it’s not easy, but it helps a lot.
- Check vulnerable devices before and after patching for indicators of compromise (IOCs). They may not always be available, but when it concerns a vulnerability that's known to have been exploited, you may be able to find the IOCs or at least figure out where to look.
- Constant monitoring. If you didn’t find the backdoor, make sure you have the capabilities to find the tools threat actors use for lateral movement, and block the final payload (ransomware in this case).
- Look for unauthorized access or atypical behavior originating from the recently patched device/system.
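One way to put the "check before and after patching" advice and the stalled-logging observation from the CentOS case into practice, as an added example that is not part of the S-RM write-up or of any Mitel tooling: hash a snapshot of the appliance's web root before applying the patch, hash it again afterwards, and treat files that appeared but are not explained by the patch as candidates for a planted web shell; separately, flag log files that have simply stopped growing. All paths, file names and log contents below are constructed.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def snapshot(root):
    """Map every regular file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def diff_snapshots(before, after):
    """Return (new, changed, removed) file lists between two snapshots.
    'changed' files are expected when a vendor patch rewrites them; 'new' files that
    are not in the patch's manifest are what to triage for a dropped web shell."""
    new = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return new, changed, removed

def stale_logs(log_dir, max_age_s, now=None):
    """Names of log files not modified within max_age_s. A perimeter box whose logs
    stop growing matches the case above, where logging artefacts were replaced."""
    now = time.time() if now is None else now
    return sorted(p.name for p in Path(log_dir).iterdir()
                  if p.is_file() and now - p.stat().st_mtime > max_age_s)

def demo():
    """Run both checks on a constructed appliance layout (all data is made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        web, logs = Path(tmp, "www"), Path(tmp, "log")
        web.mkdir()
        logs.mkdir()
        (web / "index.php").write_text("<?php echo 'ok'; ?>")
        before = snapshot(web)                                        # pre-patch baseline
        (web / "index.php").write_text("<?php echo 'patched'; ?>")   # the vendor patch
        (web / "cache_8f3a.php").write_text("<?php /* constructed web shell stand-in */ ?>")
        after = snapshot(web)                                         # post-patch check
        (logs / "messages").write_text("constructed log line\n")
        old = time.time() - 40 * 86400                                # last written 40 days ago
        os.utime(logs / "messages", (old, old))
        return diff_snapshots(before, after), stale_logs(logs, 7 * 86400)
```

In the constructed run, `index.php` shows up as changed (the patch) while `cache_8f3a.php` shows up as new with no patch to explain it, and `messages` is reported as stale.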