6 January 2023

6 min read

S-RM identifies novel vulnerability exploited by Lorenz | Cyber Intelligence Briefing: 6 January

January 2023
S-RM identifies novel vulnerability exploited by Lorenz | Cyber Intelligence Briefing: 6 January placeholder thumbnail


Top news stories this week

  1. Threat hunting. S-RM identifies novel vulnerability exploited by Lorenz.
  2. LockBit releases free decryptor. Ransomware gang apologises to children’s hospital for affiliate attack. 
  3. Change your passwords. More details emerge on LastPass breach.
  4. Too risky? Zurich Group CEO warns cyber attacks may become uninsurable. 
  5. I spy. TikTok banned on US federal government devices after spying revelations.
  6. Hot off the press. The Guardian continues to suffer from suspected ransomware attack. 
  7. New extortion tactic. ALPHV/BlackCat ransomware group replicates victim's website to leak stolen data.


1. S-RM identifies novel vulnerability exploited by Lorenz 

S-RM’s Incident Response team recently observed the threat actor group Lorenz using a 5-month-old web shell (a malicious script that compromises the web server) as a way into a victim’s network and a foothold for a ransomware attack. 

While Lorenz has long exploited Mitel VoIP (internet telephony system) vulnerabilities, returning to backdoors that are several months old is new behaviour.

We have published a special edition of the Cyber Intelligence Briefing, where we explain the technical detail behind the vulnerability discovered, the current risk to businesses using Mitel VoIP and the mitigating actions to consider taking.


Cyber Security Insights Report


2. LockBit gives hospital free decryptor

LockBit ransomware group released a free decryptor to the Hospital for Sick Children in Toronto after an affiliate attack. LockBit issued a rare apology on their leak site and claimed that the partner is no longer part of their affiliate programme because they violated its policy, which prohibits ransomware attacks against medical institutions.

However, LockBit still appears to condone data theft from medical institutions and, despite their policy, has previously attacked hospitals, as seen in the attack on Center Hospitalier Sud Francilien.

So what?

The application of ransomware groups’ policies and questionable ethical standards remains inconsistent. Organisations must, regardless of the industry they operate in, remain resilient to ransomware attacks through proactive measures such as patching vulnerabilities and an endpoint detection and response solutions.



3. LastPass breach update

Password manager LastPass released an updated statement on the December 2022 breach. The statement confirmed that the threat actor may have gained access to customers’ encrypted password vaults although would still have required a valid master password to access stored passwords.

So what?

Password managers are an effective tool for storing passwords but are not immune to breaches. To avoid a compromise of LastPass vaults, accounts should be protected with complex and unique passwords as well as multifactor authentication.



4. Cyber insurability at risk

Zurich Insurance Group’s CEO warned that cyber attacks may eventually become uninsurable. He also supported the US and Australian governments’ efforts to discourage ransom payments to reduce attacks, citing Medibank’s refusal to pay hackers USD 15.6 million.

So what?

Organisations can consider an incident response retainer as an alternative or add on to cyber insurance. Read our latest report Cyber Security Insights Report 2022 for further advice on tackling the hard insurance market.


5. TikTok banned on US federal government devices after spying

Popular social media app TikTok has been banned on US federal government devices after its Chinese parent company ByteDance admitted to accessing private data in order to spy on US journalists. This comes only two months after TikTok denied its application could be used to track US citizens.

So what?

The risk posed by third party applications is greater for organisations that encourage employees to use their own devices for work purposes. Organisations should publish a robust Bring Your Own Device policy to address these risks.



6. Guardian attack

The Guardian continues to suffer from a reported ransomware attack that affected parts of its key technology infrastructure, including those controlling elements of the organisation’s internet. Although both online and print publications remain unaffected, staff in the UK, US, and Australia are required to work from home until 23 January until IT systems have been restored.

So what?

Media organisations are attractive targets for cyber criminals due to their highly publicised nature. Strong backup policies, network segmentation and a carefully thought out incident response plan should be in place to ensure minimal business disruption.



7. BlackCat adopts new extortion technique

The ALPHV/BlackCat ransomware group was observed using a new strategy to pressure victims into paying a ransom. The new tactic involves uploading stolen data to a replica of their victim's website. The cloned site is on the clear web and potentially exposes a breach to a wider audience.

So what?

Organisations can limit the impact of typosquatting by registering similar domains and redirecting these to their legitimate website. In addition they can also register alternative top-level domains, such as .com or .net, to prevent a threat actor from using them.


Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Kyle Schwaeble
Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Jon Seland
Jon Seland
Senior Analyst, Incident Response

Jon Seland is a cyber security senior analyst in S-RM’s incident response UK team. He has experience in a variety of ransomware and business email compromise incidents.

Jon holds a GCFE certification and a Master of Commerce in Occupational Psychology at Stellenbosch University.

Kyle Schwaeble
Kyle Schwaeble

Senior Associate, Cyber Security

Jon Seland
Jon Seland

Senior Analyst, Incident Response

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.