Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.
Researchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as CVE-2018-13379, in Fortinet’s FortiOS. The goal is to gain access to victims enterprise networks and ultimately deliver ransomware, according to a report by Kaspersky researchers published this week.
“In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report.
Cring is relatively new to the ransomware threat landscape—which already includes dominant strains REvil, Ryuk, Maze and Conti. Cring was first observed and reported by the researcher who goes by Amigo_A and Swisscom’s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.
Last week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company’s SSL VPN products.
One of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system’s SSL VPN web portal and allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.
In its report Kaspersky echoed the feds’ warning adding attackers are first scanning connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and to establish foothold in the targeted network, Kopeytsev explained.
“A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”
For it’s part, “the security of our customers is our first priority,” according to a statement from Fortinet provided to Threatpost. “For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as late as 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”
Anatomy of an Attack
Once gaining access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.
In this way, attackers compromised the domain administrator account, and then used commodity tools like Cobalt Stroke backdoor and Powershell to propagate attacks across various systems on the network, according to the report.
After gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script “Kaspersky” to disguise it as a security solution, Kopeytsev said.
The report breaks down how Cring achieves encryption and destroys existing backup files once it’s launched on a system. First, the ransomware stops various services of two key programs on the network—Veritas NetBackup and Microsoft SQL server.
Cring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev said.
“It is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,” he wrote. “This was done to prevent system administrators from providing a timely response to the information security incident.”
Cring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.
In its final step, Cring starts to encrypt files using strong encryption algorithms so victims can’t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key and then that key is in turn encrypted using a 8,192-bit RSA public key hard-coded into the malicious program’s executable file, he wrote.
Once encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.
Learning from Mistakes
The report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. First the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.
“The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,” he wrote.
System administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.
Key errors in configuring privileges for domain policies and the parameteres of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.
“There were no restrictions on access to different systems,” he wrote. “In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.”
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.