8 April 2021

New Cring ransomware exploits a vulnerability in Fortigate VPN servers

A threat actor behind a relatively new human-operated ransomware strain is exploiting unpatched Internet-exposed Fortinet Fortigate SSL VPN servers in order to gain access to targets’ networks, the latest report from Kaspersky reveals.

Dubbed Cring (also known as Crypt3r, Vjiszy1lo, Ghost, and Phantom), the ransomware, which was discovered and reported by Swisscom CSIRT in January 2021, targets Fortigate VPN servers affected by CVE-2018-13379, a path traversal vulnerability that allows unauthenticated attackers to obtain a session file containing the username and plaintext password for the VPN.

According to Kaspersky, victims of the Cring ransomware attacks included industrial enterprises in European countries, and at least in one instance the attack “resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

“The attackers may have identified the vulnerable device themselves by scanning IP addresses. Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices,” the researchers noted.

Upon compromising a target’s network, a live Cring operator conducts reconnaissance and deploys a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. The Cobalt Strike beacon is then used to install the Cring ransomware. To mask the attack, the installation files are disguised as security products from Kaspersky or other vendors.

To be able to encrypt database files and remove backup copies, the Cring ransomware terminates a number of processes, including Microsoft Office and Oracle Database processes, as well as the SstpSvc service, which is used to create VPN connections.

“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN. This was done to prevent system administrators from providing a timely response to the information security incident,” Kaspersky said.

Cring encrypts only specific files on the compromised devices using strong encryption algorithms (RSA-8192 + AES-128), after first removing backup files with extensions such as .VHD, .bac, .bak, .wbcat, .bkf, .set, .win, and .dsk.
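As an added illustration (example code written for this page, not from the Kaspersky report or from the article), the following Python sketch shows how a defender might flag in endpoint telemetry the two pre-encryption behaviours described above: stopping the SstpSvc VPN service and deleting files with the backup extensions listed. The log format, hostnames, process names and event lines are constructed for the example and do not represent real telemetry; the correlation step (both behaviours on one host) is a heuristic of this example, not something the article describes.

```python
"""Detection sketch for two Cring pre-encryption behaviours named in the article:
stopping the SstpSvc service and deleting backup files by extension.
Example code added for illustration; all log lines below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Backup extensions the article says Cring removes before encrypting (lower-cased).
BACKUP_EXTENSIONS = {".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"}

# Service the article says Cring stops so admins cannot reach the host over VPN.
WATCHED_SERVICES = {"sstpsvc"}

# Constructed, simplified telemetry format: "<timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2021-01-20T02:11:05Z srv-db01 SERVICE_STOP name=SstpSvc by=svchost.exe
2021-01-20T02:11:07Z srv-db01 FILE_DELETE path=D:\\backups\\erp_full.bak by=cmd.exe
2021-01-20T02:11:08Z srv-db01 FILE_DELETE path=D:\\backups\\erp_2020.VHD by=cmd.exe
2021-01-20T02:11:09Z srv-db01 FILE_DELETE path=C:\\temp\\notes.txt by=explorer.exe
2021-01-20T02:11:12Z srv-db01 SERVICE_STOP name=Spooler by=services.exe
2021-01-20T02:15:40Z ws-042 FILE_DELETE path=C:\\Users\\a\\old.bak by=explorer.exe
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    rule: str
    detail: str


LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$")


def parse_fields(rest: str) -> dict[str, str]:
    # key=value pairs separated by spaces; values in this constructed format have no spaces.
    return dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)


def check_line(line: str) -> Alert | None:
    """Return an Alert if the line matches one of the two rules, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m["rest"])
    if m["event"] == "SERVICE_STOP" and fields.get("name", "").lower() in WATCHED_SERVICES:
        return Alert(m["ts"], m["host"], "vpn_service_stopped", fields["name"])
    if m["event"] == "FILE_DELETE":
        path = fields.get("path", "")
        # PureWindowsPath parses the backslash paths correctly on any platform.
        if PureWindowsPath(path).suffix.lower() in BACKUP_EXTENSIONS:
            return Alert(m["ts"], m["host"], "backup_file_deleted", path)
    return None


def scan(log_text: str) -> list[Alert]:
    return [a for a in (check_line(line) for line in log_text.splitlines()) if a]


def summarize(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


def correlate(alerts: list[Alert]) -> list[str]:
    """Hosts showing BOTH behaviours: a single deleted .bak on a workstation is noise,
    but a VPN service stop plus backup deletions on one server is worth escalating."""
    rules_by_host: dict[str, set[str]] = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, r in rules_by_host.items()
                  if {"vpn_service_stopped", "backup_file_deleted"} <= r)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.timestamp} {alert.host} {alert.rule}: {alert.detail}")
    print("summary:", summarize(found))
    print("hosts to escalate:", correlate(found))
```

Run as a script it lists the individual hits and then the hosts where both behaviours coincide; in this constructed sample only srv-db01 is escalated, while the lone .bak deletion on ws-042 is left as a low-priority single hit.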

“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” the researchers said.

“An analysis of the attackers’ activity demonstrates that, based on the results of reconnaissance performed on the attacked organization’s network, they chose to encrypt those servers the loss of which the attackers believed would cause the greatest damage to the enterprise’s operations.”
