Cring Ransomware Group makes headlines again with a new hit. Worn-out ColdFusion servers and VPNs: the new targets.
Cring Ransomware Group: Short Background
In April 2021, we were writing about how new ransomware dubbed Cring was exploiting CVE-2018-13379, a flaw located in Fortinet VPNs. Traced back to January, when it first become noticeable, its operators made use of PowerShell scripts that helped them to achieve payload deciphering and the Mimikatz utility to perform credentials theft.
In a previous incident, Cring operators exploited a two-year-old FortiGate VPN vulnerability to target end-of-life Microsoft and Adobe applications. This should be a wake-up call for system owners everywhere who are using end-of-life or otherwise unsupported systems that are exposed to the internet at large. (…) While Cring has operators that have used Mimikatz on systems to gain credentials, there’s also evidence of native Windows process usage, which potentially blends in with otherwise legitimate activity.
Cring Ransomware Group Abuses Adobe ColdFusion
Back in September this year, a report was published by the Sophos’ researchers where they explained how Cring ransomware was used to target a flaw located in the Adobe ColdFusion 9. The mentioned installation was no less than 11 years old, being an open door for hackers who managed to perform a Coldfusion server remote takeover.
The same report from Sophos attributed the attack to Ukraine and Belarus-based threat actors.
How did the attack unfold?
As researchers’ discovery states, the Cring ransomware cyberattack on the Adobe ColdFusion 9 went off like this:
- by means of a personal automated tool, cybercriminals started to look for 9,000 pathways in the system of the organization, and this in no less than 75 seconds;
- they found a flaw located in the Adobe program 3 minutes later and started exploiting it;
- they got hold of sensitive files among which they chose the “password properties” file and made sure to scribble code on top of their footprints;
- then, after 2 days and a half, they reached the organization’s network again and through admin rights published a ransom note.
- through this, before ransomware execution, cybercriminals obtained payroll timesheets and accounting information.
- as the same researchers said, the threat actors hid their files through advanced techniques, performed memory code injection, and also made sure not to leave traces by using the files’ overwriting technique.
- then, via the ransom note, they threatened with stolen data leakage if the ransom is not paid.
Outdated Software: Always a Risk
Andrew Brandt, one of the researchers involved in the Adobe cyber attack investigation emphasized the risks outdated software poses for an organizations’ infrastructure.
In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date, and unpatched software. The surprising thing is that this server was in active daily use. But, regardless of what the status is — in use or inactive — unpatched internet-facing servers or other devices are prime targets for cyber attackers scanning a company’s attack surface for vulnerable entry points. This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organizations have these devices anywhere on their network, they can be sure that cyber attackers will be attracted to them. Don’t make life easy for cybercriminals.
How to Stay Safe?
We at Heimdal™ are always updated with the latest cybersecurity trends out there. Outdated software will do no good, making your business face ransomware attacks that might not only make you lose money but also have sensitive data publicly exposed. With an automated Patch and Asset Management solution, you can have accurate control over your whole software inventory. Our tool tests patches against your business systems compatibility, it cleans them from adware, and repackages them and you have brand new vendor patches ready to be installed in less than 4 hours. How cool is that? Give it a try, save you time, and do not let hackers benefit from aging software flaws.
If you enjoyed this article, because we know that you surely did, don’t forget to follow us on LinkedIn, Twitter, Facebook, Youtube, or Instagram to never miss a thing we post!