Cybercriminals are targeting unsecured Fortinet VPN servers in order to infect European industrial organizations with a new family of ransomware, called Cring.
While the Swisscom Computer Security Incident Response Team (CSIRT) previously warned of the Cring ransomware being deployed by human-operated actors in January, at the time it was unclear how the ransomware initially infected organizations’ networks. Research from Kaspersky released this week now points to cybercriminals exploiting a flaw in Fortinet’s Fortigate VPN servers in order to then deploy the ransomware.
“Victims of these attacks include industrial enterprises in European countries,” Vyacheslav Kopeytsev, senior security researcher with Kaspersky, said. “At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”
While conducting an incident investigation on two facilities that were successfully attacked, Kaspersky researchers found that cybercriminals had targeted CVE-2018-13379, a previously disclosed path traversal vulnerability in the FortiOS SSL VPN web portal. Unauthenticated, remote attackers could exploit this flaw to download FortiOS system files by making specially crafted HTTP resource requests. From there, they could access the file “sslvpn_websession,” which contains usernames and passwords stored in cleartext, researchers said.
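The article describes the flaw only as path traversal via crafted HTTP requests. The following is an added example (not from the article, Kaspersky or Fortinet) of the kind of log triage a defender would run on web-portal access logs after reading it: it URL-decodes each request URI (including double-encoded forms), flags any request containing a `..` path segment, and reports the HTTP status so that successful traversal requests, which are the ones that would warrant a credential reset given the cleartext passwords in the file the article names, stand out. The log format, IP addresses and request paths below are constructed placeholders, not real traffic or a real exploit URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article or any real device).
# Line 1 and 4 are benign; lines 2 and 3 carry single- and double-URL-encoded
# ".." sequences against a placeholder path.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2021:08:01:22 +0000] "GET /remote/login HTTP/1.1" 200 1523
203.0.113.10 - - [12/Jan/2021:08:01:25 +0000] "GET /static/..%2F..%2F..%2F..%2FPLACEHOLDER_FILE HTTP/1.1" 200 4096
198.51.100.7 - - [12/Jan/2021:09:14:03 +0000] "GET /static/%252e%252e/%252e%252e/PLACEHOLDER_FILE HTTP/1.1" 403 211
192.0.2.44 - - [12/Jan/2021:09:20:11 +0000] "GET /images/logo..png HTTP/1.1" 200 887
"""

# Common-log-format style line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." that is its own path segment, or the start of a parameter value,
# followed by a separator or end of string. "logo..png" does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\?=&;])\.\.(?:[/\\]|$)')


def decode_fully(uri, max_rounds=3):
    """URL-decode repeatedly so double-encoded sequences are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def has_traversal(uri):
    """True if the decoded URI contains a directory-traversal segment."""
    return TRAVERSAL_RE.search(decode_fully(uri)) is not None


def find_traversal_attempts(log_text):
    """Return (ip, status, decoded_uri) for every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if has_traversal(m["uri"]):
            hits.append((m["ip"], m["status"], decode_fully(m["uri"])))
    return hits


if __name__ == "__main__":
    for ip, status, uri in find_traversal_attempts(SAMPLE_LOG):
        flag = "SUCCEEDED - reset exposed credentials" if status == "200" else "blocked"
        print(f"{ip} {status} {uri}  [{flag}]")
```

Running the block prints two hits: the single-encoded request that returned 200 and the double-encoded one that was refused with 403. A real investigation would also correlate the hits with the test connections the article says the attackers made to confirm the firmware version before exploitation.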
When the vulnerability was first disclosed in 2019, Fortinet issued a patch in FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. Fortinet has also published a series of advisories over the years urging users to update to protect against the flaw. More recently, last week the FBI and Cybersecurity & Infrastructure Security Agency (CISA) released a joint advisory warning of advanced persistent threat (APT) actors targeting CVE-2018-13379 "to gain initial access to multiple government, commercial, and technology services."
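The fixed releases listed above are branch-specific (5.4.13, 5.6.8, 6.0.5, 6.2.0 and above), so a quick inventory check has to compare a device's version against the fix for its own branch rather than a single number. Here is an added example, not code from the article or from Fortinet, that does that comparison for an asset list; the 6.0.2 entry mirrors the firmware version Kaspersky reported on the compromised gateway later in the article, and the branches and thresholds are taken only from the versions the article names, with anything older than 5.4 reported as unknown rather than guessed.

```python
# Added example: classify FortiOS versions against the CVE-2018-13379 fixed
# releases named in the article. Branch -> first fixed version in that branch.
FIXED_VERSIONS = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 8),
    (6, 0): (6, 0, 5),
    (6, 2): (6, 2, 0),
}


def parse_version(text):
    """Turn 'v6.0.2' or '6.0.2' into an integer tuple such as (6, 0, 2)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        status = "patched" if version >= fixed else "vulnerable"
        return {"version": version_text, "status": status,
                "fixed_in": ".".join(map(str, fixed))}
    # The article says 6.2.0 "and above" is fixed, so later branches are treated
    # as patched; branches older than 5.4 have no fix listed, so stay unknown.
    if version >= (6, 2, 0):
        return {"version": version_text, "status": "patched", "fixed_in": "6.2.0"}
    return {"version": version_text, "status": "unknown", "fixed_in": None}


def needs_attention(inventory):
    """Return hostnames whose version is not confirmed patched.

    inventory: iterable of (hostname, version_text) pairs.
    """
    return [host for host, ver in inventory if assess(ver)["status"] != "patched"]


if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are placeholders).
    sample_inventory = [
        ("vpn-gw-01", "6.0.2"),   # the version the article reports on the victim gateway
        ("vpn-gw-02", "6.0.5"),
        ("vpn-gw-03", "5.6.7"),
        ("vpn-gw-04", "6.4.1"),
        ("vpn-gw-05", "5.2.3"),
    ]
    for host, ver in sample_inventory:
        print(host, assess(ver))
    print("needs attention:", needs_attention(sample_inventory))
```

Treating anything that is not positively confirmed as patched as needing attention is deliberate: an unknown branch is a reason to look at the device, not to skip it.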
“The security of our customers is our first priority," a Fortinet spokesperson said. "Upon resolution we have consistently communicated with customers as recently as April 2021."
Further investigation into the Cring ransomware attack revealed careful reconnaissance by the cybercriminals. The attackers performed test connections to the VPN Gateway, seemingly to check that the device was using a vulnerable software version. They also carefully analyzed the victim’s infrastructure and used this information to prepare their own infrastructure and toolsets.
“The attackers may have identified the vulnerable device themselves by scanning IP addresses,” said Kopeytsev. “Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices. In autumn 2020, an offer to buy a database of such devices appeared on a dark web forum.”
Upon exploiting the flaw, attackers then downloaded Mimikatz, an offensive tool often used to retrieve cleartext passwords, which they leveraged to steal Windows account credentials and ultimately compromise the account of the domain administrator.
Then, a malicious PowerShell script was deployed across other systems on the network, which decrypted a Cobalt Strike Beacon backdoor and gave attackers remote control over the infected systems. Attackers also downloaded a cmd script onto compromised machines, which in turn deployed a PowerShell script (called “kaspersky” in an attempt to cloak its malicious activity as that of security solutions, said researchers). Finally, the Cring ransomware was downloaded and launched. The Cring ransomware halted various database servers (such as Microsoft SQL) and backup systems that were used on systems selected for encryption, said Kopeytsev.
The ransomware then targeted various files for encryption, including .zip, .rar, .doc, .ndf (Microsoft SQL Server secondary database files), .ora (Oracle database files) extensions and various others.
“The malware started to encrypt files using strong encryption algorithms, which means that files could not be decrypted without knowing the RSA private key held by the attackers,” said Kopeytsev. “Each file was encrypted using AES and the AES encryption key was in turn encrypted using an RSA public key hard-coded into the malicious program’s executable file. The RSA key size was 8,192 bits.”
The ransom note, saved in the file !!!!WrReadMe!!!.rtf, asked victims to pay a ransom of two Bitcoins (currently worth about $115,482). For the incident analyzed by Kaspersky, Kopeytsev confirmed that servers were restored from backups with some data loss, but that no ransom was paid. He noted that researchers have no evidence pointing to any specific threat actor behind the attack.
The impact of such ransomware attacks is particularly detrimental to industrial organizations that rely on critical systems. For instance, a 2019 ransomware attack on Norwegian aluminum maker Norsk Hydro forced the company to shut down several plants. The Cring ransomware has a similar impact, as the attack forced impacted organizations to halt the industrial process, said Kopeytsev.
“If they manage to steal the domain administrator's credentials (as in this case), they get almost unlimited control over all systems in the organization's network,” said Kopeytsev. “As we have seen, encrypting some critical systems allows attackers to temporarily stop production.”
As the campaign started in January and is still ongoing, Kopeytsev urged organizations to deploy updates for the years-old Fortinet vulnerability. Other best practices include updating any anti-malware protection solutions to the latest versions and changing Active Directory policies so that users may only log into systems that are required by their operational needs.
“The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,” Kopeytsev said.