Cring Ransomware Attack
By William Beard, Jr on April 29, 2021
(By: William Beard on April 29, 2021)
Executive Summary
Kaspersky reported that several European industrial enterprises were attacked using the Cring ransomware in early 2021. These attacks used a Fortigate Virtual Private Network (VPN) vulnerability designated CVE-2018-13379. This same vulnerability was also used to access election support systems during the United States 2020 election according to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
Vulnerability
CVE-2018-13379 is an improper limitation of a pathname to a restricted directory vulnerability in some Fortigate VPN server versions. This vulnerability allows the attacker to remotely penetrate the Fortigate VPN appliance through the internet and gain access to the “sslvpn_websession” file that contains usernames and passwords stored in cleartext.
Impact
After gaining access to the first level of the systems through the Forigate vulnerability the attackers would then download the “Mimikatz Utility” and “Cobalt Strike Beacon”. The attackers used these malicious programs to steal more Windows user credentials and grant them remote control over the infected systems.
Mitigation
It is recommended that if you are running Fortinet FortiOS version 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 that you update them to the latest versions. It is also recommended that you keep any antimalware tools updated with to latest versions. Limiting users and systems to only be able to connect to those systems that are needed for operational use is also recommended. Lastly, keeping secure backups of critical systems on separate servers can allow you to quarantine an infected system with little production loss.
Relevance
The Cring ransomware attack continues to show us how vulnerable our industrial systems are to Advance Persistent Threats (APT). These APT’s are always looking for new and old ways to penetrate systems, steal information and disrupt operations. One of the victims of this current attack was shut down due to the servers that controlled their industrial process being encrypted by the attackers. A lot of the older industrial systems have not kept up with the times when it comes to cyber security and APT’s are exploiting these missteps more and more each day.
References
[1] www.ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/#_Toc67921522.
[2] www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain.