Industrial enterprises in Europe are target of campaign, which forced a shutdown of industrial processes in at least 1 of its victims’ networks, according to researchers.
Threat players are exploiting a Fortinet vulnerability flagged by the US Feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.
Researchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as CVE-2018-13379, in Fortinet’s FortiOS. The goal is to gain access to victims enterprise networks & ultimately deliver ransomware, states a report by Kaspersky researchers published this week.
“In at least in 1 case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky Senior Security Researcher Vyacheslav Kopeytsev wrote in the report.
Cring is relatively new to the ransomware threat landscape—which already includes dominant strains REvil, Ryuk, Maze & Conti. Cring was 1st observed & reported by the researcher who goes by Amigo_A & Swisscom’s CSIRT team in January. The ransomware is unique in that it uses 2 forms of encryption & destroys backup files in an effort to annoy victims & prevent them from retrieving backup files without paying the ransom.
Last week, the FBI & the US Cyber-security & Infrastructure Security Agency (CISA) warned that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company’s SSL VPN products.
One of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system’s SSL VPN web portal & allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.
In its report Kaspersky echoed the feds’ warning adding attackers are 1st scanning connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat players follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack.
The goal is to crack open affected hardware, give adversaries access to network credentials to establish foothold in the targeted network, Kopeytsev explained.
“A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet & remotely access the file ‘sslvpn_websession,’ which contains the username & password stored in cleartext.”
For its part, “the security of our customers is our 1st priority,” according to a statement from Fortinet. “For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory & communicated directly with customers & via corporate blog posts on multiple occasions in Aug. 2019 & July 2020 strongly recommending an upgrade.
Upon resolution we have consistently communicated with customers as recently as late as 2020. If customers have not done so, we urge them to immediately implement the upgrade & mitigations.”
Anatomy of an Attack
Once gaining access to the 1st system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, states Kaspersky.
In this way, attackers compromised the domain administrator account, & then used commodity tools like Cobalt Stroke backdoor & Powershell to propagate attacks across various systems on the network, according to the report.
After getting complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script “Kaspersky” to disguise it as a security solution, Kopeytsev commented.
The report breaks down how Cring achieves encryption & destroys existing backup files once it is launched on a system. 1st, the ransomware stops various services of 2 key programs on the network—Veritas NetBackup & Microsoft SQL server.
Cring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev outlined.
“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,” he wrote. “This was done to prevent system administrators from providing a timely response to the information security incident.”
Cring proceeds by terminating other application processes in Microsoft Office & Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.
In its final step, Cring starts to encrypt files using strong encryption algorithms so victims cannot decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. 1st, each file is encrypted using an AES encryption key & then that key is in turn encrypted using an 8,192-bit RSA public key hard-coded into the malicious program’s executable file, he commented.
When encryption is complete, the malware drops a ransom note from attackers asking for 2 bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.
Learning from Errors
The report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organisations can learn from them. 1st the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev explained.
“The primary causes of the incident include the use of an outdated & vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability & gain access to the enterprise network,” he wrote.
Open to Attack
System administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, states the report.
Key errors in configuring privileges for domain policies & the parameters of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.
“There were no restrictions on access to different systems,” he wrote. “In other words, all users were allowed to access all systems.
Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just 1 user account provides them with access to numerous systems.”