Cring Ransomware Attacks Exploited Fortinet Flaw

 

Ransomware operators shut down two production facilities having a place with a European manufacturer in the wake of conveying a relatively new strain that encrypted servers that control a manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday. Threat actors are abusing a Fortinet vulnerability flagged by the feds a week ago that conveys a new ransomware strain, named Cring, that is targeting industrial enterprises across Europe. 

Researchers say the attackers are misusing an unpatched path-reversal flaw, followed as CVE-2018-13379, in Fortinet's FortiOS. The objective is to access the victim's enterprise networks and eventually convey ransomware, as indicated by a report by Kaspersky Lab. “In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. 

Cring is relatively new to the ransomware threat scene—which as of now incorporates prevailing strains REvil, Ryuk, Maze, and Conti. Cring was first noticed and revealed by the analyst who goes by Amigo_A and Swisscom's CSIRT team in January. The ransomware is one of a kind in that it utilizes two types of encryption and annihilates backup files to threaten victims and keep them from retrieving backup files without paying the ransom. A week ago, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that nation-state advanced persistent threat (APT) groups were effectively abusing known security vulnerabilities in the Fortinet FortiOS operating system, influencing the organization's SSL VPN items. 

In its report, Kaspersky echoed the feds cautioning adding attackers are first scanning connections with Fortinet VPNs to check whether the software utilized on the gadget is the vulnerable version. The objective is to crack open affected hardware, give adversaries admittance to network credentials, and build up traction in the targeted network, Kopeytsev clarified. “A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”