New Cring Ransomware Deployed via Unpatched Fortinet VPNs


Thread author
Staff member
Malware Hunter
Jul 27, 2015
Unpatched Fortinet VPN devices are being hacked to deploy a new strain of ransomware inside corporate networks, Russian security firm Kaspersky said today.

“Victims of these attacks include industrial enterprises in European countries,” Kaspersky senior security researcher Vyacheslav Kopeytsev said in a report today. “At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kopeytsev said, but without revealing the victim’s name.
The Kaspersky report published today sheds some light on how these attacks take place, and, according to Kopeytsev, Cring is the latest “human-operated ransomware strain.” What this means is that infections with Cring usually happen after attackers orchestrate intrusions into corporate networks, expand their access to as many systems as possible, and only then run the ransomware during a hands-on-keyboard intrusion. In Cring’s case, the initial intrusion vector appears to be Fortinet devices that haven’t been patched for the CVE-2018-13379 vulnerability.

According to Kaspersky, the intruders used exploits for this bug to access the VPN device, after which they used the Mimikatz open-source tool to dump the credentials of Windows users who had previously logged in to the compromised VPN. The attackers then used those credentials to connect to workstations on the victim’s internal network, where they used PowerShell scripts and the Cobalt Strike intrusion simulation framework to escalate access to even more internal systems. As a last step, they downloaded the Cring ransomware onto each system and proceeded to encrypt local files.
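The chain above (VPN login, credential dump, PowerShell/Cobalt Strike activity, then mass encryption) is what a detection engineer would want to correlate per account rather than alert on piecemeal. The following is an added example, not code from Kaspersky or the article; the event fields and the constructed telemetry are assumptions modelled on typical EDR/SIEM logs.

```python
"""Correlate the Cring-style intrusion chain per user over sample events.
Added example; event schema and sample data are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: 'alice' is normal VPN use; 'bob' follows the chain
# VPN login -> LSASS credential dump -> PowerShell -> mass file renames.
EVENTS = [
    {"ts": "2021-04-07T08:00:00", "user": "alice", "host": "vpn-gw", "type": "vpn_login"},
    {"ts": "2021-04-07T08:05:00", "user": "alice", "host": "ws-12", "type": "process", "image": "outlook.exe"},
    {"ts": "2021-04-07T21:10:00", "user": "bob", "host": "vpn-gw", "type": "vpn_login"},
    {"ts": "2021-04-07T21:14:00", "user": "bob", "host": "ws-07", "type": "lsass_access", "image": "mimikatz.exe"},
    {"ts": "2021-04-07T21:20:00", "user": "bob", "host": "srv-ics1", "type": "process", "image": "powershell.exe"},
    {"ts": "2021-04-07T22:05:00", "user": "bob", "host": "srv-ics1", "type": "file_rename", "count": 5400},
]

# Ordered stages of the chain; each stage is a predicate over one event.
STAGES = [
    ("vpn_login", lambda e: e["type"] == "vpn_login"),
    ("credential_dump", lambda e: e["type"] == "lsass_access"),
    ("post_exploitation", lambda e: e["type"] == "process"
                                    and e.get("image", "").lower() == "powershell.exe"),
    ("mass_encryption", lambda e: e["type"] == "file_rename" and e.get("count", 0) >= 1000),
]

def correlate(events, window=timedelta(hours=6)):
    """Return {user: [stages reached]} for users whose events match the
    chain's stages in order within `window` of their VPN login."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        reached, idx, start = [], 0, None
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if start is not None and ts - start > window:
                break  # chain went stale; later events are not correlated
            if idx < len(STAGES) and STAGES[idx][1](e):
                start = start or ts
                reached.append(STAGES[idx][0])
                idx += 1
        if len(reached) >= 2:  # a VPN login on its own is normal activity
            findings[user] = reached
    return findings

if __name__ == "__main__":
    for user, stages in correlate(EVENTS).items():
        print(f"ALERT {user}: {' -> '.join(stages)}")
```

Tuning the window and the stage predicates to your own log sources is the real work; the ordering logic is the part that stays the same.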