[BreachExchange] Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks

Destry Winant destry at riskbasedsecurity.com
Tue Apr 13 10:09:59 EDT 2021


https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/

Industrial enterprises in Europe are the target of a campaign, which
forced a shutdown of industrial processes in at least one of its
victims’ networks, according to researchers.

Threat actors are exploiting a Fortinet vulnerability flagged by the
feds last week that delivers a new ransomware strain, dubbed Cring,
that is targeting industrial enterprises across Europe.

Researchers say the attackers are exploiting an unpatched
path-traversal flaw, tracked as CVE-2018-13379, in Fortinet’s FortiOS.
The goal is to gain access to victims’ enterprise networks and
ultimately deliver ransomware, according to a report by Kaspersky
researchers published this week.

“In at least one case, an attack of the ransomware resulted in a
temporary shutdown of the industrial process due to servers used to
control the industrial process becoming encrypted,” Kaspersky senior
security researcher Vyacheslav Kopeytsev wrote in the report.

Cring is relatively new to the ransomware threat landscape—which
already includes dominant strains REvil, Ryuk, Maze and Conti. Cring
was first observed and reported by the researcher who goes by Amigo_A
and Swisscom’s CSIRT team in January. The ransomware is unique in that
it uses two forms of encryption and destroys backup files in an effort
to antagonize victims and prevent them from retrieving backup files
without paying the ransom.

Last week, the FBI and the Cybersecurity and Infrastructure Security
Agency (CISA) warned that nation-state advanced persistent threat
(APT) groups were actively exploiting known security vulnerabilities
in the Fortinet FortiOS operating system, affecting the company’s SSL
VPN products.

One of those bugs is CVE-2018-13379, a path-traversal flaw in Fortinet
FortiOS. The vulnerability is tied to the system’s SSL VPN web portal
and allows an unauthenticated attacker to download system files from
targeted systems via specially crafted HTTP resource requests.

In its report, Kaspersky echoed the feds’ warning, adding that
attackers first scan connections to Fortinet VPNs to see whether the
software on the device is a vulnerable version. In the campaign
researchers observed, threat actors follow an exploit chain,
exploiting CVE-2018-13379 to launch a directory-traversal attack. The
goal is to crack open affected hardware, give adversaries access to
network credentials and establish a foothold in the targeted network,
Kopeytsev explained.

“A directory-traversal attack allows an attacker to access system
files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an
unauthenticated attacker can connect to the appliance through the
internet and remotely access the file ‘sslvpn_websession,’ which
contains the username and password stored in cleartext.”
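The file read described above leaves a trace in the portal's request
log: a request target that, once URL-decoded, contains dot-dot segments
and names the session file. The following Python is an added example of
that detection logic, not code from the article or from Kaspersky's
report. The log layout ("ip method target status"), the IP addresses
and the request paths are constructed for the example and are not the
real FortiOS log format or the real exploit request; it handles
single- and double-percent-encoded traversal sequences as well as plain
ones.

```python
import re
from urllib.parse import unquote

# Constructed sample of web-portal access log lines (hypothetical IPs,
# paths and a simplified "ip method target status" layout; NOT a real
# FortiOS log format and NOT the real exploit request for CVE-2018-13379).
SAMPLE_LOG = """\
203.0.113.10 GET /remote/login 200
203.0.113.10 POST /remote/logincheck 200
198.51.100.7 GET /portal/lang?file=/../../../../sslvpn_websession 200
198.51.100.7 GET /portal/lang?file=%2e%2e%2f%2e%2e%2fserver.conf 404
192.0.2.44 GET /remote/portal?lang=en 200
198.51.100.7 GET /portal/lang?file=%252e%252e%252fsslvpn_websession 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
# "../" or "..\" anywhere, or a trailing "/.." segment, after URL decoding
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|[/\\]\.\.$")
# File names worth a dedicated alert; sslvpn_websession is the one the report names
SENSITIVE_NAMES = ("sslvpn_websession",)


def fully_decode(target, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return the reasons a request target looks like a traversal / session-file read."""
    decoded = fully_decode(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-dot traversal")
    if any(name in decoded.lower() for name in SENSITIVE_NAMES):
        reasons.append("references sslvpn_websession")
    return reasons


def scan_log(text):
    """Parse log lines and return one hit per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def successful_reads(hits):
    """Hits that referenced the session file AND got a 200: treat as leaked credentials."""
    return [h for h in hits
            if h["status"] == 200 and "references sslvpn_websession" in h["reasons"]]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], ", ".join(h["reasons"]), h["target"])
    print("sources whose reads succeeded:",
          sorted({h["ip"] for h in successful_reads(hits)}))
```

A 200 response to a request that names the session file is the case
to escalate: the credentials in that file should be treated as
compromised and rotated, and the VPN sessions reviewed, not just the
appliance patched.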

For its part, “the security of our customers is our first priority,”
according to a statement from Fortinet provided to Threatpost. “For
example, CVE-2018-13379 is an old vulnerability resolved in May 2019.
Fortinet immediately issued a PSIRT advisory and communicated directly
with customers and via corporate blog posts on multiple occasions in
August 2019 and July 2020 strongly recommending an upgrade. Upon
resolution we have consistently communicated with customers as
recently as late as 2020. If customers have not done so, we urge them
to immediately implement the upgrade and mitigations.”

Anatomy of an Attack

Once gaining access to the first system on the enterprise network,
attackers use the Mimikatz utility to steal the account credentials of
Windows users who had previously logged in to the compromised system,
according to Kaspersky.

In this way, attackers compromised the domain administrator account,
and then used commodity tools like the Cobalt Strike backdoor and
PowerShell to propagate attacks across various systems on the network,
according to the report.

After gaining complete control, attackers download a cmd script to
launch Cring ransomware, naming the malicious execution script
“Kaspersky” to disguise it as a security solution, Kopeytsev said.

The report breaks down how Cring achieves encryption and destroys
existing backup files once it’s launched on a system. First, the
ransomware stops various services of two key programs on the
network—Veritas NetBackup and Microsoft SQL server.

Cring also halts the SstpSvc service, which is used to create VPN
connections; researchers surmised this was done to block any
remediation effort by system administrators, Kopeytsev said.

“It is most likely that the attackers, who at this stage controlled
the infected system via Cobalt Strike, did this to make it impossible
to connect to the infected system remotely via VPN,” he wrote. “This
was done to prevent system administrators from providing a timely
response to the information security incident.”

Cring proceeds by terminating other application processes in Microsoft
Office and Oracle Database software to facilitate encryption as well
as the removal of key backup files to prevent recovery of files,
according to the report.
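The sequence described in the preceding paragraphs, backup, database
and VPN services all being stopped within moments of each other, is a
pre-encryption pattern that can be caught from the Windows System log
before files start changing. The Python below is an added example of
such a detector and is not code from the article or the report. The
event records are constructed: Event ID 7036 is the real Service
Control Manager state-change event, but the timeline and the exact
service display names are assumed for the example (the SstpSvc service
is matched by its display name and its short name).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows System log records as (timestamp, event id,
# message). Event ID 7036 is the Service Control Manager state-change
# event; the timeline and service display names are made up for the example.
SAMPLE_EVENTS = [
    ("2021-03-15T02:11:02", 7036, "The Windows Update service entered the running state."),
    ("2021-03-15T02:13:40", 7036, "The Print Spooler service entered the stopped state."),
    ("2021-03-15T02:47:10", 7036, "The NetBackup Client Service service entered the stopped state."),
    ("2021-03-15T02:47:11", 7036, "The NetBackup Legacy Network Service service entered the stopped state."),
    ("2021-03-15T02:47:13", 7036, "The SQL Server (MSSQLSERVER) service entered the stopped state."),
    ("2021-03-15T02:47:13", 7036, "The SQL Server Agent (MSSQLSERVER) service entered the stopped state."),
    ("2021-03-15T02:47:15", 7036, "The Secure Socket Tunneling Protocol Service service entered the stopped state."),
    ("2021-03-15T03:02:00", 7045, "A service was installed in the system."),
]

STOP_RE = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.$")

# Service families the report says Cring stops before encrypting:
# backup (Veritas NetBackup), database (Microsoft SQL Server, Oracle) and
# the SstpSvc VPN service. Substrings are assumed display-name fragments.
PROTECTED = {
    "backup": ("netbackup",),
    "database": ("sql server", "mssql", "oracle"),
    "vpn": ("sstpsvc", "secure socket tunneling"),
}


def categorize(service_name):
    """Map a service name to a protected family, or None if it is not one we care about."""
    name = service_name.lower()
    for family, needles in PROTECTED.items():
        if any(n in name for n in needles):
            return family
    return None


def parse_stops(events):
    """Extract (time, service) for every 7036 'entered the stopped state' record."""
    stops = []
    for ts, event_id, message in events:
        if event_id != 7036:
            continue
        m = STOP_RE.match(message)
        if m:
            stops.append((datetime.fromisoformat(ts), m["svc"]))
    return stops


def find_bursts(events, window=timedelta(minutes=5), min_categories=2):
    """Alert when protected services from >= min_categories families stop within one window."""
    stops = sorted(parse_stops(events))
    alerts = []
    i = 0
    while i < len(stops):
        t0 = stops[i][0]
        j = i
        families = {}
        while j < len(stops) and stops[j][0] - t0 <= window:
            family = categorize(stops[j][1])
            if family:
                families.setdefault(family, []).append(stops[j][1])
            j += 1
        if len(families) >= min_categories:
            alerts.append({"start": t0.isoformat(), "services": families})
            i = j  # one burst yields one alert; resume after the window
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print("burst at", alert["start"])
        for family, names in alert["services"].items():
            print("  ", family, "->", "; ".join(names))
```

A single stopped backup service is routine maintenance noise; what
makes the signal is several families stopping together in a short
window, which is why the detector keys on the number of distinct
families rather than on any one service name.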

In its final step, Cring starts to encrypt files using strong
encryption algorithms so victims can’t decrypt files without knowing
the RSA private key held by the attackers, Kopeytsev explained. First
each file is encrypted using an AES encryption key, and then that key
is in turn encrypted using an 8,192-bit RSA public key hard-coded into
the malicious program’s executable file, he wrote.

Once encryption is complete, the malware drops a ransom note from
attackers asking for two bitcoins (currently the equivalent of about
$114,000) in exchange for the encryption key.

Learning from Mistakes

The report points out key mistakes made by network administrators in
the attack observed by Kaspersky researchers in the hopes that other
organizations can learn from them. First the attack highlights once
again the importance of keeping systems updated with the latest
patches, which could have avoided the incident altogether, Kopeytsev
said.

“The primary causes of the incident include the use of an outdated and
vulnerable firmware version on the Fortigate VPN server (version 6.0.2
was used at the time of the attack), which enabled the attackers to
exploit the CVE-2018-13379 vulnerability and gain access to the
enterprise network,” he wrote.

System administrators also left themselves open to attack by not only
running an antivirus (AV) system that was outdated, but also by
disabling some components of AV that further reduced the level of
protection, according to the report.

Key errors in configuring privileges for domain policies and the
parameters of RDP access also came into play in the attack, basically
giving attackers free rein once they entered the network, Kopeytsev
observed.

“There were no restrictions on access to different systems,” he wrote.
“In other words, all users were allowed to access all systems. Such
settings help attackers to distribute malware on the enterprise
network much more quickly, since successfully compromising just one
user account provides them with access to numerous systems.”

