According to researchers, industrial enterprises in Europe have been the campaign's targets, and in one victim's network the attack forced a shutdown of industrial processes.
Cybercriminals are exploiting a Fortinet vulnerability flagged by the feds last week to deploy a new ransomware strain, dubbed Cring, which currently targets industrial enterprises across Europe.
Vulnerability specialists speculate that the attackers exploit an unpatched path-traversal flaw, tracked as CVE-2018-13379, in Fortinet's FortiOS. Kaspersky researchers published a report this week stating that the goal is to gain access to victims' corporate networks and ultimately deliver ransomware.
"In at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted," reported Vyacheslav Kopeytsev, Kaspersky senior security researcher.
Cring is the newest ransomware threat to join dominant strains such as Ryuk, REvil, Conti and Maze. Amigo_A and Swisscom's CSIRT team were the first to observe and report Cring, in January. Cring is unusual in that it uses two different forms of encryption and destroys backup files, both to anger victims and to prevent them from restoring from backups without paying the ransom.
Last week, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in Fortinet FortiOS, affecting the company's SSL VPN products.
CVE-2018-13379 is one of those bugs: a path-traversal flaw in Fortinet FortiOS tied to the system's SSL VPN web portal. It allows an unauthenticated attacker to download system files from targeted systems via specially crafted HTTP resource requests.
According to the Kaspersky report, the attackers first scan networks for Fortinet VPN devices to determine whether the software version in use is the vulnerable one. Cybersecurity vulnerability specialists observed that the cybercriminals then follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The aim is to crack open the affected hardware, give the adversaries access to network credentials and establish a firm footing in the targeted network, as per Kopeytsev's report.
"A directory-traversal attack allows an attacker to access system files on the FortiGate SSL VPN appliance," Kopeytsev wrote. "Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file 'sslvpn_websession,' which contains the username and password stored in cleartext."
For its part, Fortinet said in a statement that "the security of our customers is our priority." It added: "For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on upgrade. Upon resolution, we have consistently communicated with customers as recently as late 2020. If customers have not done so, we urge them to implement the upgrade and mitigations immediately."
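The traversal described above leaves a recognisable trace in the SSL VPN portal's HTTP access log: a request whose path or query, once percent-decoded, climbs out of the web root and names the session file. The following detector is an added example written for this article, not code from Kaspersky or Fortinet. The log lines are constructed in common log format, the portal path `/EXAMPLE_PORTAL_PATH` is a placeholder (the real vulnerable endpoint is deliberately not reproduced), and the only page-derived indicator is the file name `sslvpn_websession`. The decoder runs several rounds so that double-encoded `%252e%252e%252f` is unmasked as well as single-encoded `%2e%2e%2f`.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real telemetry). Request paths are
# illustrative placeholders, not the actual CVE-2018-13379 exploit URL.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2021:10:12:01 +0000] "GET /portal/login HTTP/1.1" 200 1843
203.0.113.10 - - [05/Apr/2021:10:12:03 +0000] "GET /EXAMPLE_PORTAL_PATH?lang=..%2f..%2f..%2fsslvpn_websession HTTP/1.1" 200 512
198.51.100.7 - - [05/Apr/2021:10:13:44 +0000] "GET /EXAMPLE_PORTAL_PATH?lang=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 404 0
192.0.2.5 - - [05/Apr/2021:10:14:00 +0000] "GET /portal/logincheck HTTP/1.1" 302 0
this line is deliberately malformed and must be skipped
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A ".." segment followed by a forward or back slash, checked on the decoded target.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# File name taken from the report; the only page-derived indicator used here.
SENSITIVE_FILES = ("sslvpn_websession",)


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable so nested encodings are exposed."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_request(target: str):
    """Return (severity, reason) for a suspicious request target, else None."""
    decoded = decode_target(target)
    has_traversal = TRAVERSAL_RE.search(decoded) is not None
    names_session_file = any(name in decoded for name in SENSITIVE_FILES)
    if has_traversal and names_session_file:
        return ("high", "path traversal targeting the SSL VPN session file")
    if names_session_file:
        return ("high", "direct reference to the SSL VPN session file")
    if has_traversal:
        return ("medium", "path traversal sequence in request")
    return None


def scan_log(text: str):
    """Parse each log line and collect findings for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        verdict = classify_request(m.group("target"))
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": int(m.group("status")),
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['target']} ({f['status']}): {f['reason']}")
```

A 200 response on a high-severity hit is the case to treat as a likely credential exposure; a 404 on a traversal attempt still shows that someone is probing the portal, which matches the scanning stage the report describes.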
Anatomy of an Attack
According to Kaspersky, once the cybercriminals gain access to a system on the network, they use the Mimikatz utility to steal the account credentials of users who had previously logged in to the compromised device.
Using this approach, the cybercriminals compromise the domain administrator account. According to the report, they then use commodity tools such as the Cobalt Strike backdoor and PowerShell to propagate the attack across other systems on the network.
Once the cybercriminals gain complete control, they download a CMD script to launch the Cring ransomware, naming the malicious executable 'Kaspersky.exe' to disguise it as a security solution, Kopeytsev said.
Kaspersky's report also breaks down how Cring achieves encryption and destroys backup files once it is launched on a system. First, the ransomware stops multiple services belonging to two critical programs on the network: Microsoft SQL Server and Veritas NetBackup.
Cring also stops the Secure Socket Tunneling Protocol Service (SstpSvc), which is used to create VPN connections. Cybersecurity specialists surmised this was a way to block any remediation effort by system administrators, Kopeytsev reported.
“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,” Kopeytsev wrote. “Cybercriminals did this to prevent system administrators from providing a timely response to the information security incident.”
According to the report, Cring then terminates other application processes, including those of Microsoft Office and Oracle Database software, to facilitate encryption, and removes crucial backup files to prevent file recovery.
In the final step, Cring begins file encryption using strong encryption algorithms, so victims cannot decrypt their files without the RSA private key held by the cybercriminals, Kopeytsev explained. Each file is first encrypted with an AES key; that key is in turn encrypted with an 8,192-bit RSA public key hard-coded into the malicious program's executable file, Kopeytsev wrote.
Once encryption is complete, the malware leaves a ransom note asking for two Bitcoins (currently equivalent to about $116,000) in exchange for the decryption key.
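The service-stopping stage described in the last few paragraphs (SQL Server, Veritas NetBackup, then SstpSvc) happens before any file is encrypted, which makes it the last point at which a defender can act. The detector below is an added example for this article, not Kaspersky's code or Cring's. It works over constructed Windows System-log lines flattened to `timestamp|host|event_id|message`, keyed on Service Control Manager event 7036 ("entered the stopped state"), and raises an alert when a single host stops watchlisted services from two or more categories (database, backup, remote access) inside a five-minute window. The service display-name substrings in `WATCHLIST` are assumptions about how those services appear in the log, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one 7036 "stopped state" event per line,
# formatted as timestamp|host|event_id|message. SRV-DB01 shows the Cring-like burst;
# SRV-FILE02 shows ordinary, isolated service stops that must not alert.
SAMPLE_EVENTS = """\
2021-04-05T10:20:01|SRV-DB01|7036|The Windows Update service entered the stopped state.
2021-04-05T11:02:10|SRV-DB01|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-04-05T11:02:11|SRV-DB01|7036|The SQL Server Agent (MSSQLSERVER) service entered the stopped state.
2021-04-05T11:02:40|SRV-DB01|7036|The Veritas NetBackup Client Service service entered the stopped state.
2021-04-05T11:03:05|SRV-DB01|7036|The Secure Socket Tunneling Protocol Service service entered the stopped state.
2021-04-05T09:00:00|SRV-FILE02|7036|The Secure Socket Tunneling Protocol Service service entered the stopped state.
2021-04-05T16:30:00|SRV-FILE02|7036|The Print Spooler service entered the stopped state.
"""

# Service categories the report associates with Cring's pre-encryption stage.
# The substrings are assumed display-name fragments, not exact values from the report.
WATCHLIST = {
    "database": ("SQL Server",),
    "backup": ("NetBackup",),
    "remote_access": ("Secure Socket Tunneling Protocol",),
}

STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
WINDOW = timedelta(minutes=5)


def parse_event(line: str):
    """Return a dict for a 7036 stop event, or None for anything else."""
    try:
        ts, host, event_id, msg = line.split("|", 3)
    except ValueError:
        return None
    if event_id != "7036":
        return None
    m = STOP_RE.match(msg)
    if not m:
        return None
    return {"time": datetime.fromisoformat(ts), "host": host, "service": m.group("svc")}


def categorize(service_name: str):
    """Map a service display name onto a watchlist category, or None if unlisted."""
    lowered = service_name.lower()
    for category, needles in WATCHLIST.items():
        if any(n.lower() in lowered for n in needles):
            return category
    return None


def detect_service_stop_pattern(text: str, window: timedelta = WINDOW):
    """Alert on hosts where watchlisted services from >= 2 categories stop within `window`.

    Returns a list of {'host', 'start', 'categories', 'services'}; one alert per host.
    """
    per_host = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        cat = categorize(ev["service"])
        if cat is None:
            continue  # routine service stop, not part of the pattern
        ev["category"] = cat
        per_host[ev["host"]].append(ev)

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["time"] - first["time"] <= window]
            cats = {e["category"] for e in cluster}
            if len(cats) >= 2:
                alerts.append({
                    "host": host,
                    "start": first["time"].isoformat(),
                    "categories": sorted(cats),
                    "services": [e["service"] for e in cluster],
                })
                break  # later clusters on this host belong to the same incident
    return alerts


if __name__ == "__main__":
    for a in detect_service_stop_pattern(SAMPLE_EVENTS):
        print(f"{a['host']} from {a['start']}: stopped {a['categories']} -> {a['services']}")
```

The two-category rule is what keeps the single SstpSvc stop on SRV-FILE02 quiet: backup agents and database services are restarted for legitimate maintenance all the time, but a database, a backup service and the remote-access path going down together within minutes is the sequence the report attributes to the ransomware, and it is worth paging on before the encryption step that follows.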
Learning from Mistakes
The report points out critical misjudgments made by network administrators in the attack witnessed by Kaspersky's specialists, in the hope that other organizations can learn from them. First, the attack highlights the importance of keeping systems current with the latest updates and patches, which might have avoided the incident altogether, Kopeytsev reported.
"The primary causes of the incident include the use of an outdated and vulnerable firmware version on the FortiGate VPN server (Cybercriminals used version 6.0.2 at the time of the attack). This enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network," he wrote.
System administrators also exposed themselves to the attack by running an outdated antivirus (AV) product and disabling some of its critical components, which further decreased the level of protection, as per Kopeytsev's report.
Significant errors in configuring privileges for domain policies and RDP access parameters also came into play, essentially giving the attackers free rein once they had breached the network, Kopeytsev reported.
“There were no restrictions on access to different systems,” he wrote. “In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly since successfully compromising just one user account provides them with access to numerous systems.”