The operators of Cring ransomware have been conducting a series of damaging attacks on industrial targets and industrial control systems (ICS) after apparently acquiring a list of users of Fortinet’s FortiGate VPN server who had not bothered to patch a dangerous vulnerability.
First identified and fixed some time ago, CVE-2018-13379 is a path traversal vulnerability in several versions of the FortiOS operating system that could allow an unauthenticated attacker to download system files by making specially crafted HTTP resource requests.
The campaign of ransomware attacks was first highlighted earlier in 2021 by telco Swisscom’s CSIRT, but an incident investigation by the ICS CERT team at security firm Kaspersky has now uncovered the means by which Cring is arriving at its targets. Victims to date are mostly industrial enterprises in Europe – in at least one case, Cring caused a temporary shutdown of a live production site.
Vyacheslav Kopeytsev, one of Kaspersky’s ICS CERT experts, said the Cring gang had proved adept at targeting their victims.
“Various details of the attack indicate that the attackers had carefully analysed the infrastructure of the targeted organisation and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” he said.
“For example, the host server for the malware from which the Cring ransomware was downloaded had infiltration by IP address enabled and only responded to requests from several European countries. The attackers’ scripts disguised the activity of the malware as an operation by the enterprise’s antivirus solution and terminated the processes carried out by database servers (Microsoft SQL Server) and backup systems (Veeam) that were used on systems selected for encryption.
“An analysis of the attackers’ activity demonstrates that, based on the results of the reconnaissance performed on the attacked organisation’s network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise’s operations if lost.”
Highlighting the importance of timely patching, the Kaspersky investigation found that in autumn 2020 someone had offered for sale on the dark web a ready-made list of the IP addresses of internet-facing vulnerable devices. Using this, the attackers were able to connect to vulnerable appliances over the internet and remotely access a session file containing the username and password in clear text.
Before injecting Cring, the gang performed test connections to their target VPN gateways to make sure the stolen credentials were still good. Then, after gaining access to the first system on their victim network, they used the Mimikatz open source utility to obtain administrator credentials, after which they could easily move laterally through the network, gain control of ICS operations, and launch the ransomware.
Kaspersky said a lack of timely database updates for the security solution used on attacked systems also played a key role in making life easier for the cyber criminals, preventing defences from detecting and blocking the threats. Also, in some instances, components of antivirus solutions had been disabled by the attacked organisations.
To avoid falling victim to any further attacks via this method, Kopeytsev advised FortiGate users to: keep their VPN gateway firmware, as well as endpoint protection and its databases, fully updated to the latest versions; ensure all modules of endpoint protection services are switched on; tighten Active Directory policies; restrict VPN access between sites and close ports that are not operationally required; and take the usual precautions to safeguard against ransomware.
Kopeytsev’s full analysis of the campaign can be read and downloaded at Kaspersky’s ICS CERT website.
The research comes less than a week after the US Cybersecurity and Infrastructure Security Agency issued a joint advisory alongside the FBI warning security teams of an increased likelihood of exploitation of Fortinet FortiOS vulnerabilities, including CVE-2018-13379, by advanced persistent threat (APT) groups.
The advisory said malicious actors were using these vulnerabilities to gain initial access to multiple government, commercial and technology services. Security teams should take a moment to review the further information and mitigations set out in the advisory.