Security experts have raised alarms regarding a series of targeted attacks aimed at unpatched Fortinet VPN devices, impacting industrial enterprises across Europe. These assaults are believed to have facilitated the deployment of a new ransomware variant known as “Cring” within corporate infrastructures.

According to a report from cybersecurity firm Kaspersky, at least one such incident resulted in the temporary shutdown of a production facility, although specific details about the affected organization remain undisclosed. The attacks were concentrated in the first quarter of 2021, specifically between January and March.

The intricate nature of these attacks suggests that adversaries meticulously analyzed the infrastructure of their targets, effectively orchestrating their malicious campaigns based on prior reconnaissance. Vyacheslav Kopeytsev, a researcher with Kaspersky ICS CERT, noted that various indicators point to a sophisticated level of planning by the attackers prior to executing their strategies.

This warning coincides with recent advisories from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), which highlighted that advanced persistent threat (APT) groups have been actively scanning for vulnerable Fortinet SSL VPN appliances, particularly those affected by the CVE-2018-13379 vulnerability.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows unauthenticated attackers to read arbitrary system files. Although patches were released in May 2019, Fortinet has acknowledged that a significant number of its VPN appliances remain unpatched, and reports indicate that the IP addresses of these exposed devices have been circulated on the dark web.

In communications with The Hacker News, Fortinet emphasized that it has urged customers to update their appliances on multiple occasions since the original patch release. The company’s latest advisory highlights the importance of implementing necessary upgrades and mitigations promptly, as the exploitation of CVE-2018-13379 has been confirmed in the attacks on European enterprises.

The operational details in Kaspersky's findings show that exploitation of the vulnerability gave the attackers their initial foothold in the target networks. Prior to the main attack, the hackers are suspected of making test connections to the VPN gateways to verify that the stolen credentials were still valid.

Once inside the system, attackers reportedly utilized tools such as Mimikatz to extract Windows user credentials from previous logins, which facilitated lateral movement across networks and ultimately enabled the deployment of the Cring ransomware using Cobalt Strike.

First observed in early 2021, Cring encrypts selected files with strong encryption after deleting backups and terminating key processes, such as those belonging to Microsoft Office and Oracle Database. Once encryption is complete, it drops a ransom note demanding payment of two bitcoins.

The threat actors demonstrated a high level of operational security by obscuring their activities. For instance, they disguised malicious PowerShell scripts under the label “kaspersky” to evade detection and restricted their server’s response to requests originating from European nations only.
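A defender-side check for the masquerading trick described above, written for this page as an added example (not Kaspersky's or Fortinet's code): it scans constructed process-creation records for PowerShell scripts named after a security vendor but launched from outside that vendor's expected install directories. The vendor names beyond "kaspersky", the trusted roots and the record format are assumptions.

```python
"""Flag PowerShell executions whose script path borrows a security vendor's
name while living outside that vendor's install directory (masquerading)."""
import re
from pathlib import PureWindowsPath

# Vendor names worth watching for in script names. "kaspersky" is the label
# reported in the Cring intrusions; the other entries are assumptions.
VENDOR_NAMES = {"kaspersky", "symantec", "mcafee", "defender"}

# Directory roots where a vendor-named script would be expected to live.
# Anything named after a vendor but outside these roots is suspicious.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Pull the argument of -File, quoted (may contain spaces) or bare.
SCRIPT_RE = re.compile(r'(?i)-file\s+(?:"([^"]+)"|(\S+))')


def suspicious_script(cmdline):
    """Return the masquerading script path found in cmdline, or None."""
    m = SCRIPT_RE.search(cmdline)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    stem = PureWindowsPath(path).stem.lower()
    if not any(vendor in stem for vendor in VENDOR_NAMES):
        return None          # not named after a vendor, nothing to flag
    if path.lower().startswith(TRUSTED_ROOTS):
        return None          # vendor-named script in a vendor directory
    return path


def triage(events):
    """events: list of dicts with 'host' and 'cmdline'; returns (host, path) hits."""
    hits = []
    for ev in events:
        path = suspicious_script(ev["cmdline"])
        if path:
            hits.append((ev["host"], path))
    return hits


# Constructed sample process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\kaspersky.ps1"},
    {"host": "srv02", "cmdline": 'powershell.exe -File "C:\\Program Files\\Kaspersky Lab\\kaspersky.ps1"'},
    {"host": "ws07", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for host, path in triage(SAMPLE_EVENTS):
        print(f"{host}: vendor-named script outside vendor directory: {path}")
```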

Kopeytsev remarked that their analysis revealed targeted strategies aimed at encrypting servers that would likely yield the most detrimental impact on the operations of the affected enterprises. This calculated approach underscores the sophisticated tactics employed by the attackers within the framework of MITRE ATT&CK, particularly in areas such as initial access, credential dumping, lateral movement, and execution.

In light of these developments, it remains crucial for businesses to reinforce their cybersecurity postures, particularly regarding the timely application of updates and vigilance against potential exploitations.
