Cring ransomware infects industrial targets through vulnerability in VPN servers
Woburn, MA – April 7, 2021 – In early 2021, threat actors conducted a series of attacks on industrial enterprises in Europe, using the Cring ransomware. The attacks were mentioned by Swisscom CSIRT, but it remained unclear how the ransomware was infecting networks. An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks by Cring ransomware exploited a vulnerability in VPN servers. In at least one case, an attack by the ransomware resulted in a temporary shutdown of a production site.
In 2019, the CVE-2018-13379 vulnerability in Fortigate VPN servers became known, and the issue was addressed and patched. However, not all the devices were updated, and offers to sell a ready-made list containing IP addresses of internet-facing vulnerable devices started appearing on dark web forums beginning autumn 2020. With such an IP address, an unauthenticated attacker can connect to the appliance through the internet and remotely access the session file, which contains a username and password stored in clear text.
Incident response conducted by Kaspersky ICS CERT experts revealed that in the series of Cring ransomware attacks, the threat actor exploited the CVE-2018-13379 vulnerability to gain access to the target networks.
Investigation showed that, some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid.
On the attack day, after gaining access to the first system on the enterprise network, the attackers used the Mimikatz utility to that system. The utility was used to steal the account credentials of Windows users who had previously logged in to the compromised system.
The attackers then compromised the domain administrator account, after which they started propagating to other systems on the organization’s network, abusing the fact that the administrator had rights to access all systems on the network with the single user account.
After doing reconnaissance and gaining control of the systems valuable for the industrial enterprise operations, the attackers downloaded and launched the Cring ransomware.
According to the researchers, the lack of timely database updates for the security solution used on the attacked systems also played a key role, preventing the solution from detecting and blocking the threat. It should also be noted that some components of the antivirus solution were disabled, further reducing the quality of protection.
“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” said Vyacheslav Kopeytsev, security expert, ICS CERT at Kaspersky. “For example, the host server for the malware from which the Cring ransomware was downloaded had infiltration by IP address enabled and only responded to requests from several European countries. The attackers’ scripts disguised the activity of the malware as an operation by the enterprise’s antivirus solution and terminated the processes carried out by database servers (Microsoft SQL Server) and backup systems (Veeam) that were used on systems selected for encryption. An analysis of the attackers’ activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization’s network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise’s operations if lost,”
Read more about the investigation on the Kaspersky ICS CERT website.
To keep systems protected from this threat, Kaspersky experts recommend:
- Keep VPN Gateway firmware updated to the latest versions.
- Keep endpoint protection solutions and their databases updated to the latest versions.
- Make sure that all modules of endpoint protection solutions are always enabled – as recommended by the vendor.
- Make sure the active directory policy only allows users to log in to those systems which are required by their operational needs.
- Restrict VPN access between facilities and close all ports that are not required by operational needs.
- Configure the backup system to store backup copies on a dedicated server.
- To further enhance your organization’s resistance to potential ransomware attacks, consider implementing Endpoint Detection and Response security solutions on both your IT and OT networks.
- Use Managed Detection and Response services to get immediate access to the highest-level of skills and knowledge from professional security experts.
- Use dedicated protection for industrial processes. Kaspersky Industrial CyberSecurity protects industrial nodes and enables OT network monitoring to reveal and stop malicious activity.
About Kaspersky ICS CERT
Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn