Recent research conducted by cybersecurity experts at Kaspersky has shown how hackers managed to access and compromise an entire network by using a new form of ransomware.
The detailed report by Kaspersky shows that hackers are taking advantage of known security vulnerabilities in VPN servers. Using these weaknesses, they are encrypting networks with Cring ransomware and attempting to disrupt operations at industrial facilities.
The Cring report
The newly discovered ransomware is broken down in a comprehensive advisory issued by the Russian multinational security firm Kaspersky Lab, after it investigated a targeted ransomware attack on an unnamed victim’s facilities based in Europe.
Of the multiple attacks launched against the undisclosed organisation, one is known to have fully encrypted a facility’s industrial control servers, and others may have succeeded too. The result was a brief shutdown of the facility’s operations.
Kaspersky is unable to identify the targeted victim, the outcome of the attack, or even how the situation was resolved. However, to support the cybersecurity community, it has detailed the crypto malware used to encrypt the network and explained how hackers managed to obtain access.
How hackers are using Cring
Cring is a dedicated ransomware strain that first appeared in January. Cring attacks involve exploiting a vulnerability, tracked as CVE-2018-13379, found in FortiGate VPN servers. Fortinet issued a security patch to resolve this weakness, but cybercriminals are still able to use the exploit against any company network that is slow to install the update.
By exploiting vulnerable VPN appliances, hackers are able to retrieve usernames and passwords remotely, enabling them to log in to networks manually. Once in, the threat operators download Mimikatz, the open-source tool that allows authentication credentials to be viewed and saved. This is then used to steal further usernames and passwords, allowing the attackers to move laterally across the network. It also lets them deploy additional software of their choosing, such as the legitimate penetration-testing tool Cobalt Strike, which hackers use to gain greater control over the systems they infect.
From this point, the attackers use PowerShell scripts to help them encrypt the compromised systems with the Cring ransomware. With all crucial data files and systems captured and users locked out, the hackers leave a ransom note urging the victim to pay a fee for the safe return of their network. Payment is requested in the hard-to-trace bitcoin currency.
Senior security researcher for Kaspersky, Vyacheslav Kopeytsev, commented:
“There were no restrictions on access to different systems. In other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.”
The recent attacks highlight the need for firms to limit access rights and take a regimented approach to updates. These essential upgrades will often contain crucial security patches that fix the known vulnerabilities hackers are only too quick to exploit. Cybercriminals rely on this sloppy attitude to updates to launch successful attacks that can earn them hundreds of thousands of pounds.
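As an added illustration of the point Kopeytsev makes above, and not code from Kaspersky’s report: a small Python check over a constructed set of network-logon records that flags any single account reaching an unusually large number of distinct hosts within a short window, the pattern that credential theft with Mimikatz followed by lateral movement would produce on a flat network. The log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network-logon records (not from the Kaspersky report).
# Assumed format: ISO timestamp, account, source host, destination host.
SAMPLE_LOGONS = """\
2021-03-01T02:10:05 svc_backup vpn-gw dc01
2021-03-01T02:11:40 svc_backup dc01 hist01
2021-03-01T02:12:02 svc_backup dc01 scada01
2021-03-01T02:12:30 svc_backup dc01 scada02
2021-03-01T02:13:15 svc_backup dc01 eng-ws07
2021-03-01T02:14:00 svc_backup dc01 fileserv
2021-03-01T08:30:00 jsmith eng-ws03 fileserv
2021-03-01T09:02:00 jsmith eng-ws03 hist01
2021-03-02T02:15:00 svc_backup vpn-gw dc01
"""


def parse_logons(text):
    """Parse the constructed logon lines into sorted (timestamp, account, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(records)


def find_fanout(records, window=timedelta(minutes=15), max_hosts=3):
    """Return {account: hosts} for every account that reaches more than
    max_hosts distinct destinations inside any sliding time window.
    One account touching many systems in minutes is the lateral-movement
    signature that a flat, unrestricted network makes possible."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in records:
        by_account[account].append((ts, dst))
    hits = {}
    for account, events in by_account.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _ts, dst in events[start:end + 1]}
            if len(hosts) > max_hosts:
                hits[account] = hits.get(account, set()) | hosts
    return hits


if __name__ == "__main__":
    for account, hosts in find_fanout(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: reached {len(hosts)} hosts -> {sorted(hosts)}")
```

In the constructed sample the service account fans out from the domain controller to six hosts within four minutes and is flagged, while the engineer’s two daytime logons are not.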