How do today’s ransomware attackers find a way in?
In truth, there are numerous routes, some more obvious than others. The key for ransomware attackers is to find an initial staging post.
Often this is an employee—or more specifically, the employee’s network credentials—grabbed after a phishing attack. In other cases, it’s about finding an external service with privileges deeper in the network, services such as RDP, SSH, FTP, or even VPN servers.
And then there are occasions where the attackers simply go direct to the data itself by hijacking devices such as NAS storage drives. Manufacturer QNAP is the most prominent example here, as it has experienced a wave of attacks during 2022 after suffering software vulnerabilities.
One layer not normally seen as being at risk is the phone system. That’s good for attackers, because anything defenders ignore automatically becomes a bigger target.
What stands out about this campaign is not simply the use of VoIP, but the surprising level of access that compromising a PBX server can provide.
The attack exploits CVE-2022-29499, a vulnerability in Mitel's MiVoice VoIP appliance, so this particular campaign is specific to those systems, which are widely used by U.S. companies.
Once the attackers have achieved a reverse shell by exploiting this flaw, they download the Chisel tool to create a SOCKS tunnel, akin to a malicious VPN. This makes the malicious traffic hard to block or detect at the firewall.
After that, they use a utility to search inside Active Directory for the sort of credentials that might grant elevated privileges and allow them to compromise other resources. Any data they find is exfiltrated as well as encrypted using BitLocker.
What do attacks like this tell us about the vulnerability of VoIP to ransomware?
First, it reminds us that VoIP PBX servers are just servers, like any other. They connect via the Internet and, from time to time, suffer critical software vulnerabilities.
It’s also likely that a lot of smaller companies using these systems don’t monitor them adequately. That might explain why in June security researcher Kevin Beaumont reported finding 19,000 Mitel VoIP servers vulnerable to the flaw being exploited in the Lorenz campaign.
Mitel first patched the flaw in April, with a follow-up in June. Clearly, having a patch and applying it in a timely way are not the same thing in many organizations.
It’s not as if the interest in VoIP systems is entirely new. In March, we reported on DDoS attacks targeting VoIP systems as an extra extortion tactic.
Arctic Wolf's advice is to monitor these systems for software flaws, which are now being discovered on a reasonably regular basis. The company also recommends turning on logging so that unusual access to a VoIP server is more likely to be noticed.
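One concrete way to act on that logging advice is to baseline what a PBX appliance should be talking to and alert on anything else: the reverse shell, the Chisel tunnel and the Active Directory enumeration described above all appear as connections a phone system has no business making. The script below is an added example, not Arctic Wolf's or Mitel's code; the log format, the PBX address, the SIP/RTP port profile and the vendor-update allow-list are all assumptions, and the log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample firewall/netflow lines (hypothetical format, not from any real device).
SAMPLE_LOGS = """\
2022-06-13T09:00:01 src=10.20.0.5 dst=10.20.0.10 proto=udp dport=5060 bytes=1200 dur=1
2022-06-13T09:00:05 src=10.20.0.5 dst=198.51.100.7 proto=udp dport=5060 bytes=900 dur=2
2022-06-13T09:01:10 src=10.20.0.5 dst=198.51.100.7 proto=udp dport=16384 bytes=50000 dur=120
2022-06-13T09:15:00 src=10.20.0.5 dst=203.0.113.44 proto=tcp dport=443 bytes=300 dur=5
2022-06-13T09:20:00 src=10.20.0.5 dst=10.20.0.10 proto=tcp dport=445 bytes=8000 dur=30
2022-06-13T09:21:00 src=10.20.0.5 dst=192.0.2.99 proto=tcp dport=8080 bytes=12000000 dur=3600
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)"
)

PBX_HOSTS = {"10.20.0.5"}                     # assumed address of the VoIP appliance
RTP_PORTS = range(16384, 32768)               # assumed RTP media range for this deployment
VENDOR_ALLOWLIST = {("203.0.113.44", "tcp", 443)}  # assumed vendor update endpoint


@dataclass
class Alert:
    ts: str
    dst: str
    proto: str
    dport: int
    reason: str


def is_expected(dst: str, proto: str, dport: int) -> bool:
    """SIP signalling, RTP media and the vendor endpoint are the whole expected profile."""
    if proto == "udp" and (dport == 5060 or dport in RTP_PORTS):
        return True
    return (dst, proto, dport) in VENDOR_ALLOWLIST


def flag_pbx_connections(log_text: str, long_session_secs: int = 600) -> list[Alert]:
    """Return an Alert for every PBX-originated flow outside the expected profile."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["src"] not in PBX_HOSTS:
            continue
        dport = int(m["dport"])
        if is_expected(m["dst"], m["proto"], dport):
            continue
        reason = "outside PBX traffic profile"
        if int(m["dur"]) >= long_session_secs:  # tunnels and shells stay up for a long time
            reason += "; long-lived session (possible tunnel or reverse shell)"
        alerts.append(Alert(m["ts"], m["dst"], m["proto"], dport, reason))
    return alerts
```

On the sample above the SMB connection to the internal host and the hour-long session to an unknown external address are flagged; the SIP, RTP and vendor-update flows are not.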
Most important of all, forget the image of business phone systems as being harmless throwbacks. The era of the copper PSTN phone line is long gone. VoIP systems are now an important digital risk, and their security should be taken seriously.