In April, Sapphire threat intelligence resources identified a sophisticated ransomware campaign utilising the Cring malware and leveraging a vulnerability (CVE-2018-13379), identified in 2019, affecting Fortinet VPN servers. The flaw allows a threat actor to connect to the VPN appliance without authentication and download session files containing usernames and passwords in clear text. Although a patch has been available since the vulnerability was discovered, a list of known public-facing devices that were still vulnerable began to circulate on dark web forums in late 2020. The primary targets of these attacks have been industrial enterprises located throughout Europe, with at least one attack resulting in the temporary closure of a production site.
Cring was first identified by Swisscom CSIRT in January 2021, but at that time they were unable to conclusively determine how the ransomware was being distributed or how it behaved. After an on-site investigation was performed, the Fortinet vulnerability was identified as the initial point of entry.
The level of premeditation, planning and patience involved in this campaign is indicative of APT activity. Once the public-facing device list had been acquired, a prolonged period of reconnaissance was performed, including testing the connection to the VPN servers to ensure the credentials were still valid. After the attackers had accessed the target system, ‘mimikatz’ was deployed to scrape administrator credentials. With those credentials in hand, lateral movement within the environment became possible and the chances of detection by traditional IDS and AV became limited, as obfuscation and avoidance of security measures could now take place at will.
Finally, the Cring command and control server is contacted, the ransomware is downloaded and it is triggered within the environment. From this point the operation behaves like a normal ransomware campaign: a ‘*.readme’ file is left for the victim, allowing contact to be made and payment delivered to the attacker.
Industrial enterprises are often tempting targets for threat actors, as IT infrastructure, and security in particular, is generally given less importance than safety, reliability and production capacity within these environments. Given these constraints, prevention through best practice and regular patching is the most effective method of protecting industrial sites from attackers without compromising functionality.
This recent Cring campaign is an example of how failing to perform these actions can ultimately lead to significant threats and potential downtime. Sapphire recommends implementing the following to minimise risk without impacting business.
- Software and firmware of any VPN gateways should be updated to the latest version
- Endpoint security solutions should be updated to the latest versions, with all recommended modules enabled
- Enforce organisation-wide RBAC policies and procedures
- Restrict VPN access between facilities and limit open ports to only those needed
- Store backups on a secure dedicated server
- Regularly test that backups are working as expected
- Adopt Endpoint Detection and Response (EDR) and SIEM security solutions in both IT and OT networks; these offer additional layers of protection and enable a proactive approach to cyber threats
About the Author
Sapphire’s SOC team produced this article. Sapphire’s analysts are highly skilled and experienced security professionals. Our analysts focus on threat intelligence and threat analysis, integrating the two disciplines to offer an expert response to security events. This approach means that customers benefit from quick responses to complex security events, identifying gaps and areas of concern, reducing time to detect threats and threat dwell time.