What is CRING ransomware?
In April 2021, Sapphire’s threat intelligence resources identified a sophisticated ransomware campaign utilising the Cring malware and leveraging a vulnerability (CVE-2018-13379, identified in 2019) affecting Fortinet VPN servers.
Exploiting this vulnerability allowed a threat actor to connect to the VPN appliance without authentication and download session files containing usernames and passwords in cleartext.
Though a patch for this vulnerability has been available since it was discovered, a list of known public-facing devices that were still vulnerable began to circulate on dark web forums in late 2020.
The primary target of this type of cyber attack has been industrial enterprises located throughout Europe, with at least one resulting in the temporary closure of a production site.
When was CRING Ransomware first identified?
The Swisscom CSIRT first identified Cring ransomware in January 2021, but they could not conclusively determine how the ransomware was being distributed or its pathology.
After an investigation was performed on-site, the Fortinet vulnerability was identified as the initial entry point.
The level of premeditation, planning and patience involved indicates APT activity in association with this campaign.
So what happened?
Once the public-facing device list had been acquired, a prolonged reconnaissance was performed, including testing the connection to the VPN servers to ensure credentials were still valid.
Once inside the target environment, Mimikatz was deployed to scrape administrator credentials.
With those credentials in hand, lateral movement within the network became possible.
The chances of detection by traditional IDS and AV tooling are then limited, as the attacker can obfuscate activity and avoid security measures at will.
Finally, the Cring command & control server is contacted, downloading the ransomware and triggering it within the environment.
From this point, the operation behaves like a typical ransomware campaign: a ‘*.readme’ file is left for the victim, allowing contact to be made and payment delivered to the attacker.
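The reconnaissance step described above, where leaked credentials are tried against the VPN servers to confirm they still work, leaves a recognisable pattern in authentication logs: one source address authenticating as many different accounts in a short window, and accounts logging in from addresses they have never used. The following is an added example (not code from the original post or from Sapphire) showing how a defender might flag both patterns. The log format and the baseline of known source addresses are constructed for the example and are not any vendor's real format.

```python
"""Flag VPN authentication patterns consistent with credential validation.

Added example, not from the original post. The log line format below is a
constructed generic syslog-style format, not a specific vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). One source address
# authenticates as four different accounts within 20 seconds.
SAMPLE_LOG = """\
2021-03-02T01:12:03Z vpn-gw1 auth user=alice src=203.0.113.10 result=success
2021-03-02T01:12:09Z vpn-gw1 auth user=bob src=203.0.113.10 result=success
2021-03-02T01:12:15Z vpn-gw1 auth user=carol src=203.0.113.10 result=failure
2021-03-02T01:12:21Z vpn-gw1 auth user=dave src=203.0.113.10 result=success
2021-03-02T08:30:00Z vpn-gw1 auth user=alice src=198.51.100.7 result=success
2021-03-02T09:00:00Z vpn-gw1 auth user=erin src=198.51.100.8 result=success
"""

# Constructed baseline: source addresses each user has been seen from before.
BASELINE = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.9"},
    "dave": {"198.51.100.12"},
    "erin": {"198.51.100.8"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_credential_validation(events, min_users=3, window_seconds=300):
    """Return {src: sorted users} for sources that authenticate as at least
    `min_users` distinct accounts within any `window_seconds` window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within the limit.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                # Report every account this source touched, not only the window.
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged


def find_new_sources(events, baseline):
    """Return sorted (user, src) pairs for successful logins from a source
    address the user has never used according to `baseline`."""
    new = set()
    for ev in events:
        if ev["result"] != "success":
            continue
        if ev["src"] not in baseline.get(ev["user"], set()):
            new.add((ev["user"], ev["src"]))
    return sorted(new)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential validation:", find_credential_validation(evs))
    print("new sources:", find_new_sources(evs, BASELINE))
```

Both checks are deliberately simple so that they can be run over exported gateway logs without a SIEM; the thresholds (three accounts in five minutes) are starting points to tune against normal traffic, since shared egress addresses such as an office NAT will otherwise generate noise.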
Industrial enterprises are often tempting targets for threat actors as IT infrastructure, especially security, is generally less important than the safety, reliability and production capacities within these environments.
Due to these constraints, prevention through best practice and regular patching is the most effective method of protecting industrial sites from attackers without compromising functionality.
Who are the Cring ransomware developers?
Cring ransomware developers are focusing on industrial enterprises, where they intend to suspend production processes and cause financial losses. It has been speculated that the Cring ransomware group is based in Belarus and Ukraine.
What was the impact in the UK?
Hackers have also accessed and published the internet addresses (IPs) of the unpatched devices throughout the United Kingdom, putting a significant number of UK devices in danger of exploitation.
What does Sapphire recommend?
This recent Cring campaign exemplifies how failing to perform the actions below can ultimately lead to significant threats and potential downtime.
Sapphire recommends implementing the following to minimise risk without impacting businesses.
- Software and firmware of any VPN gateways should be updated to the latest version
- Endpoint security solutions should be updated to the latest versions, with all recommended modules enabled
- Enforce organisation-wide RBAC policies and procedures
- Restrict VPN access between facilities and limit open ports to only those needed
- Store backups on a secure dedicated server
- Regularly test backups are working as expected
- Adopting Endpoint Detect and Response (EDR) and SIEM security solutions in both your IT and OT networks offers additional layers of protection and enables a proactive approach to cyber threats.
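"Regularly test backups are working as expected" means more than checking that a backup job finished: the stored copy has to be restorable and intact when ransomware has already encrypted the primary systems. The following is an added example (not code from the original post or from Sapphire) of a restore test: it records a checksum manifest at backup time, then performs a trial restore into a scratch directory and compares every file against the manifest. The manifest format and the sample files are this example's own constructed conventions.

```python
"""Verify that a backup can actually be restored.

Added example, not from the original post. The manifest format
(MANIFEST.json mapping relative path -> sha256) is this example's own
convention, not any backup product's.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "MANIFEST.json"


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy src_dir into backup_dir/data and record a checksum manifest."""
    data_dir = os.path.join(backup_dir, "data")
    shutil.copytree(src_dir, data_dir)
    manifest = {}
    for root, _, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, data_dir)] = sha256_file(full)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Trial-restore the backup and check every file against the manifest.
    Returns (ok, problems); problems lists missing or mismatched paths."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        # Restore exactly as an operator would during an incident.
        restore_dir = os.path.join(scratch, "restored")
        shutil.copytree(os.path.join(backup_dir, "data"), restore_dir)
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.exists(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return (not problems, problems)


def demo():
    """Build a small constructed dataset, back it up and verify it; then
    tamper with one stored file and verify again. Returns both results."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "plc"))
        with open(os.path.join(src, "plc", "config.txt"), "w") as f:
            f.write("setpoint=42\n")  # constructed sample content
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("hello\n")  # constructed sample content
        backup = os.path.join(work, "backup")
        make_backup(src, backup)
        clean = verify_backup(backup)
        # Simulate silent corruption or tampering of the stored copy.
        with open(os.path.join(backup, "data", "notes.txt"), "w") as f:
            f.write("tampered\n")
        corrupted = verify_backup(backup)
    return clean, corrupted


if __name__ == "__main__":
    print(demo())
```

In practice the manifest should be kept alongside a copy of the backup on the dedicated server mentioned above, and the trial restore should be scheduled rather than left to an incident, so that a backup that has been encrypted or altered is noticed before it is needed.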
Further updates by the NCSC
In April 2021, the following update was given by the National Cyber Security Council:
APT actors are still actively scanning for CVE-2018-13379 and attempting to exploit it.
In addition, CISA and the FBI have evidence that APTs are actively scanning for and exploiting two other Fortinet vulnerabilities, CVE-2020-12812 and CVE-2019-5591, and have published a joint CISA/FBI report.
The NCSC’s advice to organisations remains to ensure that the latest security updates are installed as soon as possible for all vulnerabilities.
How can Sapphire support my organisation against this vulnerability?
Sapphire’s analysts are highly skilled and experienced security professionals.
Our analysts focus on threat intelligence and threat analysis, integrating the two disciplines to offer an expert response to security events.
With Sapphire, customers benefit from quick responses to:
- complex security events
- identifying gaps and areas of concern
- reducing time to detect threats and threat dwell time
With a tech talent shortage, many organisations are finding a gap in their cybersecurity strategy that needs filling.