CRING RANSOMWARE

22 April 2021

What is CRING ransomware?

In April 2021, Sapphire’s threat intelligence resources identified a sophisticated ransomware campaign using the Cring malware and exploiting a vulnerability (CVE-2018-13379), disclosed in 2019, in Fortinet VPN servers.

In the Cring attack, this vulnerability allowed a threat actor to connect to the VPN appliance without authentication and download session files containing usernames and passwords in cleartext.


Although a patch for this vulnerability has been available since it was discovered, a list of known public-facing devices that were still vulnerable began to circulate on dark web forums in late 2020.
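A defender’s first question after reading the above is whether the VPN appliance’s web logs show anyone probing for that kind of unauthenticated file download. The following script is an added example, not code from the original post or from Fortinet: it parses combined-format access log lines (the sample lines, source addresses and the `/remote/lang?file=` endpoint are all constructed for illustration), URL-decodes each request path (including double-encoded variants) and flags requests that carry directory-traversal sequences, then summarises hits per source address.

```python
import re
from urllib.parse import unquote

# Constructed sample log in a generic combined-log style; not real appliance output.
# The endpoint "/remote/lang?file=" is a hypothetical name used only for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2021:08:01:12 +0000] "GET /remote/login HTTP/1.1" 200 2311
203.0.113.10 - - [12/Apr/2021:08:01:15 +0000] "GET /remote/lang?file=/../../../../sessions HTTP/1.1" 200 4096
198.51.100.7 - - [12/Apr/2021:08:02:40 +0000] "GET /remote/lang?file=%252e%252e%252f%252e%252e%252fsessions HTTP/1.1" 200 4096
192.0.2.55 - - [12/Apr/2021:08:03:01 +0000] "GET /remote/lang?file=en HTTP/1.1" 200 1024
203.0.113.10 - - [12/Apr/2021:08:05:00 +0000] "POST /remote/logincheck HTTP/1.1" 200 311
"""

# One combined-format line: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Traversal markers after decoding: "../", "..\" or a trailing "/..".
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/\.\.$)')


def normalise(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2e%2e%2f and %252e... both end up as '../'."""
    current = path
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_traversal_attempts(log_text: str) -> list:
    """Return every request whose decoded path contains a traversal sequence."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        decoded = normalise(fields["path"])
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                "ip": fields["ip"],
                "ts": fields["ts"],
                "path": fields["path"],
                "decoded": decoded,
                "status": int(fields["status"]),
            })
    return findings


def summarise_by_source(findings: list) -> dict:
    """Count traversal attempts per source address."""
    counts = {}
    for hit in findings:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} {hit["decoded"]} -> HTTP {hit["status"]}')
    print(summarise_by_source(hits))
```

A 200 response to a decoded traversal request is the condition worth paging on; a 4xx means the appliance refused it, which is still useful evidence that the device is being scanned. The repeated decoding matters because single-pass decoders miss the double-encoded form.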

The primary target of this type of cyber attack has been industrial enterprises located throughout Europe, with at least one resulting in the temporary closure of a production site.

When was CRING Ransomware first identified?

The Swisscom CSIRT first identified Cring ransomware in January 2021, but they could not conclusively determine how the ransomware was being distributed or its pathology. 

After an investigation was performed on-site, the Fortinet vulnerability was identified as the initial entry point.

The level of premeditation, planning and patience involved indicates APT activity in association with this campaign. 

So what happened?

Once the public-facing device list had been acquired, a prolonged reconnaissance was performed, including testing the connection to the VPN servers to ensure credentials were still valid. 

After they had accessed the target system, ‘mimikatz’ was deployed to scrape administrator credentials. 

With those credentials in hand, lateral movement within the network becomes possible.

The chances of detection by traditional IDS and AV become limited, as obfuscation and avoidance of security measures can now occur at will.

Finally, the Cring command & control server is contacted, downloading the ransomware and triggering it within the environment. 

From this point, the operation behaves like a typical ransomware campaign: a ‘*.readme’ file is left for the victim, allowing contact to be made and payment delivered to the attacker.
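The credential-scraping step described above is the point in the chain where endpoint telemetry gives defenders a reliable signal, because tools that read passwords out of memory must open a handle to the LSASS process with memory-read rights. The following is an added example, not code from the original post: it applies that rule to a handful of constructed events in a simplified Sysmon Event ID 10 (ProcessAccess) shape. The allowlist of images that legitimately open LSASS is an illustrative assumption and would be tuned per environment.

```python
# Windows process access right that allows reading another process's memory.
PROCESS_VM_READ = 0x0010

# Constructed, illustrative allowlist of images that legitimately open LSASS.
# This is an assumption for the example, not an authoritative list; tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed events in a simplified Sysmon Event ID 10 shape; not real telemetry.
EVENTS = [
    {"EventID": 10, "UtcTime": "2021-04-12 08:10:03", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2021-04-12 08:12:45", "SourceImage": r"C:\Users\ops\Downloads\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2021-04-12 08:13:00", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "UtcTime": "2021-04-12 08:14:10", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "UtcTime": "2021-04-12 08:15:30", "Image": r"C:\Windows\System32\cmd.exe"},
]


def parse_mask(value: str) -> int:
    """GrantedAccess is logged as a hex string such as '0x1010'."""
    return int(value, 16)


def is_suspicious_lsass_access(event: dict, allowlist=ALLOWLIST) -> bool:
    """True when a non-allowlisted process opens LSASS with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in allowlist:
        return False
    return bool(parse_mask(event["GrantedAccess"]) & PROCESS_VM_READ)


def find_credential_access(events: list, allowlist=ALLOWLIST) -> list:
    """Return a compact finding for every suspicious LSASS access event."""
    return [
        {"time": e["UtcTime"], "source": e["SourceImage"], "access": e["GrantedAccess"]}
        for e in events
        if is_suspicious_lsass_access(e, allowlist)
    ]


if __name__ == "__main__":
    for finding in find_credential_access(EVENTS):
        print(f'{finding["time"]} {finding["source"]} opened lsass.exe with {finding["access"]}')
```

The svchost event is ignored because 0x1000 (query limited information) does not include the read bit; the Defender engine is ignored by allowlist despite its full-access handle; only the unknown binary from a user download directory is reported. Correlating such a hit with a recent VPN logon from the same host is what turns it from a single alert into the story this article describes.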

Industrial enterprises are often tempting targets for threat actors because IT infrastructure, and security in particular, is generally given lower priority than safety, reliability and production capacity within these environments.

Given these constraints, prevention through best practice and regular patching is the most effective way of protecting industrial sites from attackers without compromising functionality.

Who are the Cring ransomware developers?

Cring ransomware developers are focusing on industrial enterprises, aiming to suspend production processes and cause financial losses. It has been speculated that the Cring ransomware group is based in Belarus and Ukraine.

What was the impact in the UK?

Hackers have also accessed and published the internet addresses (IPs) of the unpatched devices throughout the United Kingdom, putting a significant number of UK devices in danger of exploitation.

What does Sapphire recommend?

This recent Cring campaign exemplifies how failing to perform basic security actions, such as those listed below, can ultimately lead to significant threats and potential downtime.

Sapphire recommends implementing the following to minimise risk without impacting businesses.

  • Software and firmware of any VPN gateways should be updated to the latest version
  • Endpoint security solutions should be updated to the latest versions, with all recommended modules enabled
  • Enforce organisation-wide RBAC policies and procedures
  • Restrict VPN access between facilities and limit open ports to only those needed
  • Store backups on a secure dedicated server
  • Regularly test backups are working as expected
  • Adopt Endpoint Detection and Response (EDR) and SIEM security solutions in both your IT and OT networks; these offer additional layers of protection and enable a proactive approach to cyber threats.
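The two backup items in the list above are only useful if the test is automated and actually exercises a restore; a backup that exists but cannot be restored intact is what turns a ransomware incident into a production outage. The following is an added example, not code from the original post or from any Sapphire product: it creates a small constructed backup set, records a SHA-256 manifest alongside the archive, and verifies an archive by hashing every member and writing it into a scratch restore directory, reporting missing and mismatched files. The file names and contents are constructed for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(root: Path, archive: Path, manifest_path: Path) -> None:
    """Write a gzip tar of root and a JSON manifest of expected digests."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2))


def verify_backup(archive: Path, manifest_path: Path) -> dict:
    """Hash every archive member and perform a test restore into a scratch directory."""
    expected = json.loads(manifest_path.read_text())
    seen = {}
    restored = 0
    with tarfile.open(archive, "r:gz") as tar, tempfile.TemporaryDirectory() as restore_dir:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            # Refuse members that would escape the restore directory.
            if name.startswith("/") or ".." in Path(name).parts:
                raise ValueError(f"unsafe member path in archive: {name}")
            data = tar.extractfile(member).read()
            seen[name] = sha256_bytes(data)
            dest = Path(restore_dir) / name
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
            restored += 1
    missing = sorted(set(expected) - set(seen))
    mismatched = sorted(n for n in expected if n in seen and seen[n] != expected[n])
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "restored": restored,
    }


def demo() -> tuple:
    """Constructed scenario: a clean backup, then an archive that no longer matches its manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "plc_configs"
        (src / "line1").mkdir(parents=True)
        (src / "line1" / "pump.cfg").write_text("setpoint=42\n")
        (src / "hmi.ini").write_text("[display]\ntheme=dark\n")
        archive = work / "backup.tar.gz"
        manifest = work / "backup.manifest.json"
        create_backup(src, archive, manifest)
        clean = verify_backup(archive, manifest)
        # Simulate corruption or tampering: the archive is rebuilt after a file changed,
        # but the manifest still records the original digests.
        (src / "hmi.ini").write_text("[display]\ntheme=light\n")
        with tarfile.open(archive, "w:gz") as tar:
            for rel in build_manifest(src):
                tar.add(src / rel, arcname=rel)
        tampered = verify_backup(archive, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean:", clean_result)
    print("tampered:", tampered_result)
```

Keeping the manifest on the dedicated backup server rather than next to the source data is the point of the "secure dedicated server" recommendation: an attacker who encrypts or alters the source cannot quietly rewrite the expected digests at the same time.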

Further updates by the NCSC

In April 2021, the following update was given by the National Cyber Security Council:

APT actors are still actively scanning for CVE-2018-13379 and attempting to exploit it.

In addition, CISA and the FBI have evidence that APTs are actively scanning for and exploiting two other Fortinet vulnerabilities, CVE-2020-12812 and CVE-2019-5591, and have published a joint CISA/FBI report.

The NCSC’s advice to organisations remains to ensure that the latest security updates are installed as soon as possible for all vulnerabilities.

How can Sapphire support my organisation against this vulnerability?

Sapphire’s analysts are highly skilled and experienced security professionals.

Our analysts focus on threat intelligence and threat analysis, integrating the two disciplines to offer an expert response to security events. 

With Sapphire, customers benefit from quick responses to:

  • complex security events
  • identifying gaps and areas of concern
  • reducing time to detect threats and threat dwell time

With a tech talent shortage, many organisations are finding a gap in their cybersecurity strategy that needs filling.

Want to know how Sapphire can help your organisation?

Contact our team today.
