Cring ransomware attacked industrial sites through a vulnerability in VPN servers
In early 2021, cybercriminals armed with the Cring ransomware attacked industrial plants in Europe. Swisscom CSIRT researchers mentioned these attacks, but it was not known exactly how the ransomware got into the network of organizations.
An investigation into the incident conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that the attacks exploited a vulnerability in the Fortigate VPN servers.Industrial enterprises in European countries were among the victims of the attackers. In at least one case, the ransomware attack led to a temporary halt in production at two Italian factories of an international industrial holding that is headquartered in Germany.
In a series of attacks, attackers exploited the CVE-2018-13379 vulnerability in Fortigate VPN servers to gain initial access to the enterprise network. This vulnerability allows an unauthenticated attacker to connect to the device and remotely access a session file that contains the username and password in the cleartext.
Manufacturer has fixed an issue in 2019, but not all updates were installed. In the fall 2020, offers to purchase a database of IP addresses of vulnerable devices began to appear on the darknet.
During the investigation, it turned out that some time before the start of the main phase of the attack, the attackers made test connections to the VPN gateway, apparently to make sure that the authentication data stolen during the attack on the VPN server remained up to date.
On the day of the attack, having gained access to the first system on the corporate network, Cring operators used Mimikatz to steal Windows user accounts that had previously logged on to the compromised computer. With its help, the cybercriminals were lucky enough to immediately steal the credentials of the domain administrator.
After a short reconnaissance, the attackers have chosen several systems that they considered important for the functioning of an industrial enterprise, and immediately downloaded and launched the Cring ransomware on them.
“Various details of the attack indicate that the attackers thoroughly examined the infrastructure of the attacked organization, and then prepared their toolkit based on the information collected during the reconnaissance phase. For example, attackers’ scripts masqueraded malware activity as a security solution used in the enterprise, and terminated the processes of database servers (Microsoft SQL Server) and backup systems (Veeam) used on systems that were selected for encryption. Analysis of the actions of the attackers shows that for the encryption were selected servers, the loss of access to which, according to the attackers, could cause maximum damage to the operation of the enterprise”, — comments Vyacheslav Kopeytsev, senior expert at Kaspersky ICS CERT.
Let me remind you that we talked about the Black Kingdom ransomware attacks ProxyLogon vulnerabilities.