Cring ransomware targets industrial and business systems through vulnerability in VPN servers

Published: Tuesday, 13 April 2021 08:18

In early 2021, threat actors conducted a series of attacks using the Cring ransomware. Until recently it remained unclear how the ransomware infects an organization’s network but an incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks by Cring ransomware exploit a vulnerability in VPN servers. Victims of these attacks include industrial enterprises in European countries. At least in one case, an attack by the ransomware resulted in a temporary shutdown of a production site.

In 2019, the CVE-2018-13379 vulnerability in Fortigate VPN servers became known. The issue was addressed and patched, however, not all the devices were updated – and offers to buy a ready-made list containing IP addresses of Internet-facing vulnerable devices started appearing on Dark Web forums beginning autumn 2020. With this, an unauthenticated attacker can connect to the appliance through the Internet and remotely access the session file, which contains the username and password stored in clear text.

Kaspersky’s ICS CERT experts found that in the series of Cring ransomware attacks, the threat actor exploited the CVE-2018-13379 vulnerability to gain access to the enterprise’s network.

According to Kaspersky’s investigation of an attacked organization:

“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage. For example, the host server for the malware from which the Cring ransomware was downloaded had infiltration by IP address enabled and only responded to requests from several European countries. The attackers’ scripts disguised the activity of the malware as an operation by the enterprise’s antivirus solution and terminated the processes carried out by database servers (Microsoft SQL Server) and backup systems (Veeam) that were used on systems selected for encryption.

“Based on the results of the reconnaissance performed on the attacked organization’s network, the attackers chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise’s operations if lost,” said Vyacheslav Kopeytsev, security expert, ICS CERT at Kaspersky.

To keep systems protected from this threat, Kaspersky experts recommend: