The Cring ransomware attack on one of the targeted enterprises began with the exploitation of a vulnerability in Fortinet’s FortiGate VPN servers, Kaspersky ICS CERT researchers have found. The targets of the Cring ransomware attacks include industrial enterprises in European countries.
In at least one case, the ransomware attack resulted in a temporary shutdown of the industrial process, because the servers used to control that process were among those encrypted, Kaspersky reported.
The Swisscom CSIRT warned about the Cring ransomware in a Twitter message in January this year, but it remained unclear how the ransomware infected an organization’s network.
Kaspersky said that the main causes of the incident include the use of an outdated and vulnerable firmware version on the FortiGate VPN server at the time of the attack. This gave the attackers the opportunity to exploit the FortiGate VPN vulnerability and gain access to the enterprise network. The lack of timely antivirus database updates for the security solution used on the attacked systems also played a key role, preventing the solution from detecting and blocking the threat.
It should also be noted that some components of the antivirus solution were disabled, further reducing the quality of protection, Kaspersky pointed out. Other factors contributing to the incident’s development included the user account privilege settings configured in domain policies and the parameters of RDP access. RDP (Remote Desktop Protocol) is a network communications protocol developed by Microsoft, which allows users to remotely connect to another computer.
Kaspersky also found that there were surprisingly no restrictions on access to different systems, enabling all users to access all systems. Such settings help attackers to distribute malware on the enterprise network more quickly, since compromising a single user account provides them with access to numerous systems.
“The attackers’ scripts disguised the activity of the malware as an operation by the enterprise’s antivirus solution and terminated the processes carried out by database servers (Microsoft SQL Server) and backup systems (Veeam) that were used on systems selected for encryption,” said Vyacheslav Kopeytsev, security expert, ICS CERT at Kaspersky.
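The termination of database and backup processes described above is a ransomware precursor worth alerting on. The following is an added detection example, not code from Kaspersky or the article; it assumes process-creation records with a timestamp, host and command line (constructed sample records, with assumed service names), and flags a host on which several SQL Server or Veeam processes or services are stopped within a short window.

```python
import re
from datetime import datetime, timedelta

# Database and backup software the article names (Microsoft SQL Server, Veeam);
# their processes/services being stopped right before encryption is a precursor.
WATCHLIST = re.compile(r"(mssql\w*|sqlservr|sqlagent|veeam\w*)", re.IGNORECASE)
# Ways an operator (or a script) stops them; matched on the command line, not
# on the image name, because the script may be named to look like the AV.
STOP_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+stop|stop-service)\b", re.IGNORECASE)

def targets_in_command(cmdline):
    """Return the lower-cased watchlisted names a stop command touches (may be empty)."""
    if not STOP_CMD.search(cmdline):
        return set()
    return {name.lower() for name in WATCHLIST.findall(cmdline)}

def find_mass_stop_hosts(events, window=timedelta(minutes=10), min_targets=2):
    """events: dicts with 'ts' (ISO-8601), 'host' and 'cmdline' of a process-creation
    record. Flags hosts where at least min_targets distinct watchlisted targets are
    stopped inside one sliding window; returns {host: sorted target names}."""
    per_host = {}
    for ev in events:
        names = targets_in_command(ev["cmdline"])
        if names:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), names))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, names in hits[i:]:
                if ts - start > window:
                    break
                seen |= names
            if len(seen) >= min_targets:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample records (not from the incident); service names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2021-01-20T02:10:05", "host": "db01", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2021-01-20T02:10:07", "host": "db01", "cmdline": 'net stop "VeeamBackupSvc"'},
    {"ts": "2021-01-20T02:10:09", "host": "db01", "cmdline": "sc stop VeeamTransportSvc"},
    {"ts": "2021-01-20T09:00:00", "host": "ws07", "cmdline": "net stop Spooler"},
    {"ts": "2021-01-20T11:30:00", "host": "bk02", "cmdline": "net stop VeeamBackupSvc"},
    {"ts": "2021-01-20T11:31:00", "host": "fs01", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]
```

A single stop on bk02 is left alone as routine maintenance; only db01, where three targets fall inside one window, is flagged.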
In its ‘IBM X-Force Threat Intelligence Index’ report, IBM identified ransomware as the top threat category in 2020, accounting for 23 percent of the security incidents that IBM Security X-Force responded to and helped remediate. Ransomware attackers increased the pressure to extort payment by combining data encryption with threats to leak the data on public sites. The success of these schemes helped one ransomware gang reap profits of over US$123 million in 2020, according to X-Force estimates.
The Fortinet vulnerability affects devices that run FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12, and was used to extract the session file of the VPN Gateway, as the session file contains valuable information, such as the username and plaintext password, Kaspersky said.
Unpatched FortiGate devices are vulnerable to a directory traversal attack, which allows an attacker to access system files on the FortiGate SSL VPN appliance. Specifically, an unauthenticated attacker can connect to the appliance over the internet and remotely read the session file, which contains the username and password stored in cleartext, it added.
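Two checks a defender would want from the two paragraphs above: whether an appliance's firmware falls inside the affected FortiOS ranges listed, and whether web-access logs show traversal sequences aimed at the appliance. This is an added example, not code from Kaspersky, Fortinet or the article; the version-string format and the access-log format are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# FortiOS ranges listed in the article as affected (inclusive bounds).
VULNERABLE_RANGES = [
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 3), (5, 6, 7)),
    ((5, 4, 6), (5, 4, 12)),
]
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_fortios_version(version_str):
    """Pull major.minor.patch out of strings such as 'v6.0.3,build0200 (GA)'
    (assumed 'get system status' style); returns None if no version is present."""
    m = _VERSION_RE.search(version_str)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_fortios(version_str):
    """True when the firmware falls inside one of the affected ranges."""
    ver = parse_fortios_version(version_str)
    if ver is None:
        raise ValueError(f"unrecognised FortiOS version: {version_str!r}")
    return any(lo <= ver <= hi for lo, hi in VULNERABLE_RANGES)

# '../' or '..\' anywhere in the request after percent-decoding.
_TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
_REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+)')

def find_traversal_attempts(log_lines):
    """Return (client_ip, decoded_request) for web-log lines whose request
    contains a traversal sequence; decodes twice to catch double encoding."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        ip, request = m.groups()
        decoded = unquote(unquote(request))
        if _TRAVERSAL_RE.search(decoded):
            hits.append((ip, decoded))
    return hits

# Constructed sample lines (not from the incident) in common access-log format;
# the request paths are placeholders, not the real exploit URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2021:03:12:44 +0000] "GET /remote/login HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jan/2021:03:13:01 +0000] "GET /remote/files?name=..%2F..%2Fsecret HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jan/2021:03:13:05 +0000] "GET /remote/files?name=%252e%252e%252fsecret HTTP/1.1" 404 0',
]
```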
Several days before the start of the main attack phase, the attackers ran test connections to the VPN Gateway, in order to check that the vulnerable version of the software was used on the device. The attackers may have identified the vulnerable device by scanning IP addresses. Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable FortiGate VPN Gateway devices.
After gaining access to the first system on the enterprise network, the attackers downloaded the Mimikatz utility to that system, Kaspersky said. The utility was used to steal the account credentials of Windows users who had previously logged in to the compromised system.
With the help of the Mimikatz utility, the attackers were able to compromise the domain administrator account, after which they started distributing malware to other systems on the organization’s network, and began moving laterally.
The hackers used the Cobalt Strike framework for that purpose, and the Cobalt Strike module was loaded on attacked systems using PowerShell, it added. After launching, the malicious PowerShell script decrypted the payload – the Cobalt Strike Beacon backdoor, which provided the attackers with remote control of the infected system. The IP address was specified as the Cobalt Strike Beacon command-and-control server.
Having gained control of the infected system, the attackers downloaded a ‘cmd’ script to the machine. The script was designed to download and launch the malware – the Cring ransomware.
Kaspersky also highlighted that various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization, and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage. The malware hosting server from which the Cring ransomware was downloaded, for instance, filtered requests by IP address and only responded to requests from several European countries.