Cring Ransomware Targets Industrial Facilities via VPN Server Vulnerability

In early 2021, cybercriminals launched a series of attacks using the Cring ransomware. Researchers at Swisscom CSIRT had already reported these incidents, but the way the ransomware got into victims' networks remained unclear. An investigation by Kaspersky ICS CERT at one of the affected enterprises showed that the attackers gained entry by exploiting a vulnerability in FortiGate VPN servers.

Industrial companies in several European countries were among the victims. In at least one case, a ransomware attack led to a temporary shutdown of production at two Italian plants belonging to an international industrial holding company headquartered in Germany.

Exploiting the FortiGate VPN Vulnerability

During these attacks, the criminals exploited CVE-2018-13379, a path traversal vulnerability in the SSL VPN web portal of FortiGate devices, to gain initial access to the enterprise network. The flaw lets an unauthenticated attacker send a crafted request to the device and read a session file that contains VPN usernames and passwords in plain text. Fortinet released a fix in 2019, but not every organization had applied it. In the fall of 2020, offers to sell databases of IP addresses of still-vulnerable devices began appearing on the dark web. Note that patching alone does not undo the damage: any credentials that were already read from an unpatched device remain valid until they are reset, so an organization that ran a vulnerable gateway should treat every VPN account on it as compromised.

Attack Progression and Techniques

The investigation found that, some time before the main phase of the attack, the criminals made test connections to the VPN gateway, most likely to confirm that the authentication data stolen from the VPN server was still valid. On the day of the attack, after gaining access to the first system in the corporate network, the Cring operators ran Mimikatz to dump the credentials of Windows accounts that had previously logged into the compromised computer. Among them were the domain administrator's credentials, which the attackers obtained right away.

After a brief reconnaissance, the attackers selected several systems they deemed critical to the industrial enterprise’s operations and promptly uploaded and launched the Cring ransomware on them.

Targeted and Sophisticated Attacks

“Various details of the attack indicate that the criminals thoroughly studied the targeted organization’s infrastructure and prepared their toolkit based on information gathered during the reconnaissance phase. For example, the attackers’ scripts disguised the malware’s activity as the legitimate security solution used at the enterprise and terminated processes of database servers (Microsoft SQL Server) and backup systems (Veeam) on the systems chosen for encryption. Analysis of the attackers’ actions shows that, after studying the network, they selected servers for encryption whose loss of access, in their opinion, would cause maximum damage to the enterprise’s operations,” commented Vyacheslav Kopeytsev, Senior Expert at Kaspersky ICS CERT.
