Ransomware crooks are targeting vulnerable VPN devices in their attacks

Researchers at Kaspersky detail how hackers were able to get hands-on and compromise a whole network with Cring ransomware.
Written by Danny Palmer, Senior Writer

Cyber criminals are exploiting security vulnerabilities in VPN servers to encrypt networks with a new form of ransomware, and may have disrupted industrial facilities in the process.

The ransomware is detailed in a report by secuity company Kaspersky, following an investigation into a ransomware attack against an unspecified victim in Europe. 

At least one of the attacks targeting these facilities managed to encrypt industrial control servers with ransomware, resulting in the temporary shutdown of operations. Kaspersky did not identify the victim of the successful ransomware attack, or how the incident was recolved, but have detailed the ransomware that encrypted the network and how cyber criminals were able to gain access.

SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)

Known as Cring, the ransomware first appeared in January and exploits a vulnerability in Fortigate VPN servers (CVE-2018-13379). Fortinet issued a security patch to fix the vulnerability in 2019, but cyber criminals can still deploy the exploit against networks that have yet to apply the security update.

By exploiting unpatched VPN applications, attackers are able to remotely access the username and password, allowing them to manually login to the network.

From here, the attackers download Mimikatz, an open-source application to view and save authentication credentials, and use this to steal additional usernames and passwords to move laterally around the network and also deploy tools, including Cobalt Strike, a legitimate penetration software tool abused by attackers, to gain additional control over infected systems.

Then, with the aid of malicious PowerShell scripts, the attackers are able to encrypt all of the systems that have been compromised across the network with Cring ransomware. At this point, a note by the attackers tells the victim their network has been encrypted with ransomware and that a ransom needs to be paid in Bitcoin to restore the network.

While there's no information on how the incident at the European industrial facility was resolved, researchers note that the failure to apply the security patch to protect against a known vulnerability was the "primary cause" of the incident.

Other factors that allowed the attackers to deploy ransomware on the network include the lack of timely security updates applied to the antivirus software that's supposed to protect the network – and how some components of the antivirus were even turned off, reducing the ability to detect intrusions or malicious activity.

The way this particular network was configured also helped the attackers by allowing them to move between different systems that didn't all need to be on one network.

"There were no restrictions on access to different systems. In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems," said Vyacheslav Kopeytsev, senior security researcher at Kasperky.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

To help protect networks from Cring ransomware attacks, it's recommended that Fortigate VPN servers are patched with the relevant security updates to prevent the known vulnerability from being exploited.

It's also recommended that VPN access is restricted to those who need it for operational reasons and that ports that don't need to be exposed to the open web are closed.

Researchers also suggest that critical systems are backed up offline, so if the worst happens and the network falls victim to a ransomware attack, it can be restored without the need to pay criminals.


Editorial standards