

22 April 2021

In April, Sapphire threat intelligence resources identified a sophisticated ransomware campaign using the Cring malware and leveraging CVE-2018-13379, a path-traversal vulnerability in the SSL VPN web portal of Fortinet FortiOS appliances that was publicly disclosed in 2019. It allows an unauthenticated attacker to send a crafted request to the VPN appliance and retrieve the SSL VPN session file, which holds usernames and passwords in clear text. Although a patch has been available since the flaw was disclosed, a list of public-facing devices that were still vulnerable began to circulate on dark web forums in late 2020. The primary targets of these attacks have been industrial enterprises across Europe, and at least one intrusion forced the temporary closure of a production site.

Cring was first reported by Swisscom CSIRT in January 2021, but at that point neither its distribution method nor its full infection chain could be conclusively determined. A subsequent on-site investigation identified the Fortinet vulnerability as the initial point of entry.

The degree of premeditation, planning and patience involved points to APT-style tradecraft behind this campaign. Once the list of exposed devices had been acquired, a prolonged period of reconnaissance followed, including periodic connections to the VPN servers to confirm that the stolen credentials were still valid. After gaining access to the target network, the attackers deployed Mimikatz to harvest administrator credentials. With those in hand, lateral movement across the environment becomes straightforward and the chances of detection by traditional IDS and antivirus fall sharply, because an attacker holding administrative rights can disable or evade security controls at will.
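Two of the observable steps above leave traces a defender can correlate: the unauthenticated request for the session file, and the later SSL VPN logins from the same address as the attackers check that the stolen credentials still work. The script below is an added example written for this article (it is not Sapphire's tooling or code from the original report). It parses constructed access-log and FortiGate-style event-log lines, flags requests matching the publicly documented CVE-2018-13379 traversal shape, and raises an alert for any SSL VPN login that later comes from an address that made such a request. All log lines are constructed for illustration, and the key=value field names (`action`, `status`, `user`, `remip`) are approximations of the FortiOS event-log format rather than an exact schema.

```python
import re
from datetime import datetime, timezone

# Added example for this article, not Sapphire's tooling. All log lines below are
# constructed; the FortiGate key=value field names are approximations of the
# FortiOS event-log format, not an exact schema.

# Publicly documented request shape for CVE-2018-13379: the SSL VPN portal's
# language handler reached with a 'lang' value carrying a traversal sequence.
# A legitimate value is a short locale tag such as 'en', never a path.
TRAVERSAL_RE = re.compile(
    r"/remote/fgt_lang\?lang=\S*?(?:\.\.[/\\]|\.\.%2f|%2e%2e(?:%2f|/))",
    re.IGNORECASE,
)

# Apache/nginx 'combined'-style access log from a proxy in front of the portal.
HTTP_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# key=value pairs, with quoted values allowed to contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_http(line):
    m = HTTP_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_vpn(line):
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
    return rec


def traversal_attempts(http_lines):
    """Return {src_ip: first_seen_ts} for requests matching the traversal shape.
    Every status code is flagged: a 200 means the session file was served,
    while a 403/404 still shows someone probing for the flaw."""
    hits = {}
    for line in http_lines:
        rec = parse_http(line)
        if rec and TRAVERSAL_RE.search(rec["url"]):
            hits.setdefault(rec["src"], rec["ts"])
    return hits


def correlate_logins(http_lines, vpn_lines):
    """Flag SSL VPN login events (successful or not) from any address that
    earlier requested the session file. The gap between probe and login shows
    how long the stolen credentials sat unused before being tested."""
    probes = traversal_attempts(http_lines)
    alerts = []
    for line in vpn_lines:
        rec = parse_vpn(line)
        if rec.get("action") != "ssl-login":
            continue
        src = rec.get("remip")
        if src in probes and rec["ts"] >= probes[src]:
            alerts.append({
                "user": rec.get("user"),
                "src": src,
                "result": rec.get("status"),
                "login_ts": rec["ts"],
                "days_after_probe": (rec["ts"] - probes[src]).days,
            })
    return alerts


# Constructed sample logs (documentation-range addresses; not real data).
HTTP_LOG = """\
203.0.113.10 - - [12/Feb/2021:03:14:07 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 27341
198.51.100.5 - - [12/Feb/2021:03:20:11 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 1532
203.0.113.10 - - [12/Feb/2021:03:14:09 +0000] "GET /remote/fgt_lang?lang=..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 200 27341
192.0.2.77 - - [13/Feb/2021:09:02:44 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 4120
""".splitlines()

VPN_LOG = """\
date=2021-02-12 time=08:00:15 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" status="success" user="jsmith" remip=198.51.100.5
date=2021-03-02 time=22:41:03 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" status="success" user="jsmith" remip=203.0.113.10
date=2021-03-02 time=22:43:10 type="event" subtype="vpn" logdesc="SSL VPN login" action="ssl-login" status="failure" user="admin" remip=203.0.113.10
""".splitlines()

if __name__ == "__main__":
    for alert in correlate_logins(HTTP_LOG, VPN_LOG):
        print(alert)
```

Run against the constructed logs, the benign locale request from 198.51.100.5 is ignored, both the plain and the URL-encoded traversal requests from 203.0.113.10 are recorded, and the two login events from that address 18 days later are raised as alerts, including the failed attempt against `admin`, which is exactly the credential-testing behaviour described above. In production the same correlation would run over the proxy or firewall access log and the FortiGate event log in your SIEM, with the lookback window set to weeks rather than hours given the dwell time seen in this campaign.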

Finally, the Cring command and control server is contacted, the ransomware is downloaded and it is executed within the environment. From this point the operation behaves like any other ransomware campaign: a '*.readme' ransom note is left for the victim explaining how to contact the attacker and deliver payment.

Industrial enterprises are often tempting targets because IT infrastructure, and security in particular, is generally given lower priority than safety, reliability and production capacity in these environments. Within those constraints, prevention through best practice and regular patching is the most effective way of protecting industrial sites from attackers without compromising functionality.

This recent Cring campaign shows how failing to take these actions can ultimately lead to significant threats and potential downtime. Sapphire recommends implementing the following measures to minimise risk without impacting business.

  • Update the software and firmware of all VPN gateways to the latest version
  • Update endpoint security solutions to the latest versions, with all recommended modules enabled
  • Enforce organisation-wide RBAC policies and procedures
  • Restrict VPN access between facilities and limit open ports to those that are actually needed
  • Store backups on a secure, dedicated server
  • Regularly test that backups restore as expected
  • Adopt Endpoint Detection and Response (EDR) and SIEM solutions in both IT and OT networks to add layers of protection and enable a proactive approach to cyber threats

About the Author
Sapphire’s SOC team produced this article. Sapphire’s analysts are highly skilled and experienced security professionals. Our analysts focus on threat intelligence and threat analysis, integrating the two disciplines to offer an expert response to security events. This approach means that customers benefit from quick responses to complex security events, identifying gaps and areas of concern, reducing time to detect threats and threat dwell time.
