Security researchers warn that patching critical vulnerabilities allowing network access is insufficient to defend against ransomware attacks.
Some gangs exploit loopholes to plan a backdoor while the window of opportunity exists and may return long after the victim has applied the necessary security updates.
One case is a Lorenz ransomware attack that ended months after hackers gained access to the victim’s network using an exploit for a critical bug in a phone system.
Backdoor planted before security update
During an incident response engagement following a Lorenz ransomware attack, researchers from global intelligence and cybersecurity consulting firm S-RM determined that hackers penetrated the victim’s network five months prior to start moving laterally, stealing data and encrypting systems.
S-RM determined that hackers gained initial access by exploiting CVE-2022-29499, a Critical Vulnerability in Mitel Telephony Infrastructurewhich allows remote code execution.
The security issue was discovered last year during a CrowdStrike Services investigation into “a suspected ransomware intrusion attempt”. At that time, the vendor was unaware of the vulnerability and a to fix was yet to come.
S-RM researchers found that although their client applied the patch for CVE-2022-29499 in July, Lorenz ransomware hackers moved faster and exploited the vulnerability, and planted a backdoor a week before. the update that fixed the problem.
“They exploited vulnerabilities in two Mitel PHP pages on a CentOS system at the network perimeter, which allowed them to fetch a web shell from their own infrastructure and install it on the system” – S-RM
Although no vulnerable pages remained on the system, forensic analysis revealed that they were last accessed when the threat actor’s web shell was created on the victim machine.
The hackers tried to hide the backdoor by naming it “twitter_icon_>” and placed it in a legitimate location directory on the system.
The web shell is a single line of PHP code that listens for HTTP POST requests with two parameters: “id”, which together with the random string acts as credentials for system access, and “img”, which includes the commands to run. .
For five months, the web shell sat idle on the victim’s network. When hackers were ready to follow up on the attack, they used the backdoor and deployed Lorenz ransomware within 48 hours.
Check the intrusion before applying the critical bug fix
S-RM researchers say the long period of inactivity could suggest that the ransomware group bought its access to the victim’s network from a broker.
Another theory is that the Lorenz gang is organized enough to have a dedicated branch that gets initial access and protects it from possible hijacking by other intruders.
S-RM researchers Tim Geschwindt and Ailsa Wood say that threat actors usually take full advantage of a new vulnerability and attempt to find and compromise as many unpatched systems on the Internet only to return later to continue the attack.
They “assess that Lorenz is actively reverting to old backdoors, verifying that they still have access to them and using them to launch ransomware attacks.”
For this reason, the two researchers note that updating software to the latest version at the right time is always an important step in defending the network, but in the event of critical vulnerabilities, companies should also check their environment for attempts. exploitation and possible intrusions.
Examining logs, looking for unauthorized access or behavior, and checking network monitoring data for unexpected traffic could reveal an intrusion that would survive a security update.