Ransomware Gang Exploits Old Fortinet VPN FlawKaspersky: 'Cring' Group Targeting European Organizations
The gang behind ransomware dubbed "Cring," which has waged a series of attacks this year, is exploiting a Fortinet VPN server vulnerability that the company patched in 2019, according to a report from the security firm Kaspersky that analyzes one attack in Europe.
The researchers report that the ongoing campaign, which began in January, exploits the Fortigate VPN server flaw tracked as CVE-2018-13379 to gain initial access. Once in the victim's environment, the attackers encrypt data and then demand a ransom of two bitcoins ($113,768) for decrypting the files.
Kaspersky researchers investigated a successful Cring intrusion at a manufacturing organization in Europe. The attack resulted in a temporary shutdown of the industrial process due to servers used to control the process becoming encrypted, the security firm reports.
The series of Cring attacks was first identified by Switzerland's Swisscom CSIRT [Computer Security Incident Response Team] in a Jan. 26 tweet. The agency said the malware is a human-operated strain that deploys additional components for intrusion.
CRING a new strain deployed by human operated ransomware actors. After the actors have established initial access, they drop a customized Mimikatz sample followed by #CobaltStrike. The #CRING #ransomware is then downloaded via certutill. ^mikehttps://t.co/v5h8eqHCPt pic.twitter.com/fkU2USEZis— Swisscom CSIRT (@swisscom_csirt) January 26, 2021
Kaspersky says the malware exploits CVE-2018-13379, an improper pathname vulnerability in Fortinet's operating system, FortiOS, to gain initial access. The exploit enables an unauthenticated attacker to download system files via special crafted HTTP resource requests.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI warned that unidentified nation-state actors have been scanning for Fortinet vulnerabilities since March (see: FBI and CISA: APT Groups Targeting Government Agencies).
The Cring attackers apparently begin their operations by scanning for vulnerable FortiOS IP addresses, but they might have purchased the vulnerable IP addresses after they appeared for sale in a darknet forum last year, Kaspersky says (see: CISA Warns of Password Leak on Vulnerable Fortinet VPNs).
In its analysis of one intrusion, Kaspersky says the attackers exploited the CVE-2018-13379 vulnerability to gain access to the enterprise network. "The vulnerability was used to extract the session file of the VPN Gateway," the report notes. "The session file contains valuable information, such as the username and plaintext password."
After gaining initial access, the attackers downloaded Mimicatz, an open-source application that allowed users to view and save authentication credentials. Using this application, the attackers then stole the account credentials of Windows users who had previously logged into the compromised system, the report adds.
The attackers then compromised the domain administrator account and started distributing malware to other systems on the organization’s network. A malicious PowerShell was then launched; it decrypted the payload, which provided the attackers remote control of the infected system.
"After gaining control of the infected system, the attackers downloaded a cmd script to the machine. The script is designed to download and launch the Cring ransomware," the report notes.
The malware then encrypted the files in the victim’s computer and displayed a ransomware note demanding two bitcoins in exchange for the file decryption, the report adds.
Advanced Evasion Tactics
Kaspersky notes the attackers used evasion techniques to stay undetected.
For example, the malware hosting server from which the Cring ransomware was downloaded only responded to requests from certain European countries.
The attackers also disguised the malware operation as an antivirus solution used by the victims, which terminated the processes of database servers' backup systems in the infected systems.
"The lack of timely antivirus database updates for the security solution used on attacked systems also played a key role, preventing the solution from detecting and blocking the threat," the report notes. "Other factors contributing to the incident’s development included the user account privilege settings configured in domain policies and the parameters of RDP access."
Commenting on an earlier exploit of the flaw, Fortinet told Information Security Media Group: "CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020. … If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”