New Cring ransomware deployed targeting unpatched Fortinet VPN devices

Attackers are actively exploiting the CVE-2018-13379 flaw in Fortinet VPN to deploy the Cring ransomware to organizations in the industrial sector.

Threat actors are actively exploiting the CVE-2018-13379 vulnerability in Fortinet VPNs to deploy a new piece of ransomware, tracked as Cring ransomware (also known as Crypt3r, Vjiszy1lo, Ghost, Phantom), to organizations in the industrial sector.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

The Cring ransomware appeared in the threat landscape in January, it was first reported by Amigo_A and the CSIRT team of Swisscom. This ransomware encrypts data from victims with AES-256 +  RSA-8192 and then demands a ~ 2 BTC ransom to get the files back.

“An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in Fortigate VPN servers.” reads the post published by Kaspersky.

“Victims of these attacks include industrial enterprises in European countries. At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

Once gained access to a system within the target network, the attackers downloaded the Mimikatz utility to steal the credentials of Windows users who logged in to the compromised system.

Upon compromising the domain administrator account, threat actors could distributee malware to other systems on the same network. Attackers also used the Cobalt Strike post-exploitation framework to deploy the ransomware.

New Cring ransomware deployed targeting unpatched Fortinet VPN devices

In one case, the ransomware infection of servers used to control the industrial process caused a temporary shutdown of the process.

“The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network.” continues Kaspersky.

“The lack of timely antivirus database updates for the security solution used on attacked systems also played a key role, preventing the solution from detecting and blocking the threat. It should also be noted that some components of the antivirus solution were disabled, further reducing the quality of protection. Other factors contributing to the incident’s development included the user account privilege settings configured in domain policies and the parameteres of RDP access.

Kaspersky also shared Indicators of compromise (IOCs) in its report.

Early April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint alert to warn of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits.

The threat actors are actively exploiting the following vulnerabilities in Fortinet FortiOS:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet VPN)

The post New Cring ransomware deployed targeting unpatched Fortinet VPN devices appeared first on Security Affairs.

By admin