New Cring ransomware deployed targeting unpatched Fortinet VPN devices

Attackers are actively exploiting the CVE-2018-13379 flaw in Fortinet VPN to deploy the Cring ransomware to organizations in the industrial sector.

Threat actors are actively exploiting the CVE-2018-13379 vulnerability in Fortinet VPNs to deploy a new piece of ransomware, tracked as Cring ransomware (also known as Crypt3r, Vjiszy1lo, Ghost, Phantom), to organizations in the industrial sector.

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

The Cring ransomware appeared in the threat landscape in January, it was first reported by Amigo_A and the CSIRT team of Swisscom. This ransomware encrypts data from victims with AES-256 +  RSA-8192 and then demands a ~ 2 BTC ransom to get the files back.

“An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in Fortigate VPN servers.” reads the post published by Kaspersky.

“Victims of these attacks include industrial enterprises in European countries. At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

Once gained access to a system within the target network, the attackers downloaded the Mimikatz utility to steal the credentials of Windows users who logged in to the compromised system.

Upon compromising the domain administrator account, threat actors could distributee malware to other systems on the same network. Attackers also used the Cobalt Strike post-exploitation framework to deploy the ransomware.

In one case, the ransomware infection of servers used to control the industrial process caused a temporary shutdown of the process.

“The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network.” continues Kaspersky.

“The lack of timely antivirus database updates for the security solution used on attacked systems also played a key role, preventing the solution from detecting and blocking the threat. It should also be noted that some components of the antivirus solution were disabled, further reducing the quality of protection. Other factors contributing to the incident’s development included the user account privilege settings configured in domain policies and the parameteres of RDP access.“

Kaspersky also shared Indicators of compromise (IOCs) in its report.

Early April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint alert to warn of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits.

The threat actors are actively exploiting the following vulnerabilities in Fortinet FortiOS:

• CVE-2018-13379;
• CVE-2020-12812;
• CVE-2019-5591If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet VPN)

[adrotate banner=”5″]

[adrotate banner=”13″]