8 April 2021

New Cring ransomware exploits a vulnerability in Fortigate VPN servers

A threat actor behind a relatively new human-operated ransomware strain is exploiting unpatched Internet-exposed Fortinet Fortigate SSL VPN servers in order to gain access to targets’ networks, the latest report from Kaspersky reveals.

Dubbed Cring (also known as Crypt3r, Vjiszy1lo, Ghost, and Phantom), the ransomware, which was discovered and reported by Swisscom CSIRT in January 2021, targets Fortigate VPN servers affected by CVE-2018-13379, a path traversal vulnerability that allows unauthenticated attackers to obtain a session file containing the username and plaintext password for the VPN.

According to Kaspersky, victims of the Cring ransomware attacks included industrial enterprises in European countries, and in at least one instance the attack “resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

“The attackers may have identified the vulnerable device themselves by scanning IP addresses. Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices,” the researchers noted.

Upon compromising a target’s network, a live Cring operator conducts reconnaissance and deploys a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. The Cobalt Strike beacon is then used to install the Cring ransomware. To mask the attack, the installation files are disguised as security products from Kaspersky or other vendors.

To be able to encrypt database files and remove backup copies, the Cring ransomware terminates a number of processes, including Microsoft Office and Oracle Database processes, as well as the SstpSvc service, which is used to create VPN connections.

“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN. This was done to prevent system administrators from providing a timely response to the information security incident,” Kaspersky said.

Cring encrypts only specific files on the compromised devices using strong encryption algorithms (RSA-8192 + AES-128), after first removing backup files with extensions such as .VHD, .bac, .bak, .wbcat, .bkf, .set, .win, and .dsk.
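As an added illustration, not taken from Kaspersky's report or this article, of how a defender might turn the two behaviours above (stopping the SstpSvc service, then deleting backup files before encryption) into a detection: a Python heuristic that correlates a SstpSvc stop on a host with a burst of deletions of files carrying the listed backup extensions. The telemetry line format, host names and paths are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Backup extensions the article says Cring deletes before encrypting.
BACKUP_EXTENSIONS = {".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"}
# VPN service the article says Cring terminates to cut off remote admin access.
VPN_SERVICE = "SstpSvc"

# Constructed telemetry in a hypothetical "time|host|event|detail" format;
# these are not real logs from the incident.
SAMPLE_EVENTS = [
    "2021-01-15T02:10:00|SRV-DB01|service_stop|SstpSvc",
    "2021-01-15T02:10:05|SRV-DB01|file_delete|D:\\Backups\\orders.bak",
    "2021-01-15T02:10:06|SRV-DB01|file_delete|D:\\Backups\\orders_full.VHD",
    "2021-01-15T02:10:07|SRV-DB01|file_delete|D:\\Backups\\weekly.bkf",
    "2021-01-15T02:10:08|SRV-DB01|file_delete|D:\\Backups\\catalog.wbcat",
    "2021-01-15T02:11:00|SRV-DB01|file_delete|C:\\Temp\\report.docx",
    "2021-01-15T09:00:00|WS-17|file_delete|C:\\Users\\jdoe\\old.bak",
    "2021-01-15T12:00:00|SRV-FS02|service_stop|SstpSvc",
]

def parse_event(line):
    """Split one constructed telemetry line into (timestamp, host, kind, detail)."""
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def has_backup_extension(path):
    """True if the deleted file carries one of the backup extensions from the report."""
    return any(path.lower().endswith(ext) for ext in BACKUP_EXTENSIONS)

def detect(lines, min_deletions=3, window=timedelta(minutes=10)):
    """Alert on hosts where SstpSvc stops within `window` of a burst of backup deletions."""
    deletions = defaultdict(list)      # host -> timestamps of backup-file deletions
    service_stops = defaultdict(list)  # host -> timestamps of SstpSvc stops
    for line in lines:
        ts, host, kind, detail = parse_event(line)
        if kind == "file_delete" and has_backup_extension(detail):
            deletions[host].append(ts)
        elif kind == "service_stop" and detail == VPN_SERVICE:
            service_stops[host].append(ts)
    alerts = []
    for host, stops in service_stops.items():
        for stop in stops:
            nearby = [t for t in deletions[host] if abs(t - stop) <= window]
            if len(nearby) >= min_deletions:
                alerts.append({"host": host, "service_stop": stop, "backup_deletions": len(nearby)})
                break  # one alert per host is enough
    return alerts
```

Requiring both signals keeps an isolated service restart (SRV-FS02) or a single routine backup rotation (WS-17) from alerting, while the combined pattern on SRV-DB01 does.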

“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” the researchers said.

“An analysis of the attackers’ activity demonstrates that, based on the results of reconnaissance performed on the attacked organization’s network, they chose to encrypt those servers the loss of which the attackers believed would cause the greatest damage to the enterprise’s operations.”
