
New Cring ransomware hits unpatched Fortinet VPN devices
2021-04-07 17:12

A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies' networks.

After gaining initial access, the Cring operators drop customized Mimikatz samples and then Cobalt Strike, and they fetch the ransomware payloads with the legitimate Windows CertUtil certificate-manager utility, a living-off-the-land technique that lets the download slip past security software that trusts signed Windows binaries.

As Kaspersky researchers revealed in a report published today, the attackers exploit Internet-exposed FortiGate SSL VPN servers left unpatched against CVE-2018-13379, an unauthenticated path traversal in the SSL VPN web portal that lets an attacker read files from the appliance, including session data that holds valid VPN credentials, and so obtain a foothold on the target's network.

From the Fortinet VPN appliance, the Cring operators move laterally across the target's enterprise network, stealing Windows user credentials with Mimikatz until they gain control of the domain administrator account.

The ransomware payloads are then delivered to devices on the victims' network with the Cobalt Strike threat emulation framework, which is itself deployed via a malicious PowerShell script.

The ransomware encrypts only specific files on the compromised devices, using strong encryption algorithms, after deleting backup files and terminating Microsoft Office and Oracle Database processes so that the files those processes hold open can be encrypted as well.


News URL

https://www.bleepingcomputer.com/news/security/new-cring-ransomware-hits-unpatched-fortinet-vpn-devices/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                              RISK
2019-06-04  CVE-2018-13379  Path Traversal vulnerability in Fortinet FortiOS and FortiProxy  critical (CVSS 9.8)

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

Attack vector: network; attack complexity: low; vendor: Fortinet; weakness: CWE-22; severity: critical; CVSS score: 9.8
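The affected-version list above is the check an appliance owner actually needs to run against an inventory. The following is an added example for this page, not code from the page, from Fortinet or from the vulnerability database: it transcribes the ranges from the CVE description, parses version strings as they appear in a firmware banner, and ranks affected appliances by whether their SSL VPN portal faces the Internet, since that is where the bug lives. The inventory rows, hostnames and the 'v6.0.4,build0231'-style version strings are constructed for the example.

```python
"""Triage FortiOS / FortiProxy builds against the CVE-2018-13379 ranges above.

Added example for this page; not Fortinet's code. Ranges are transcribed
from the CVE description on this page; inventory data is constructed.
"""
import re

# Inclusive (first, last) affected versions, from the CVE description above.
AFFECTED = {
    "fortios": [("6.0.0", "6.0.4"), ("5.6.3", "5.6.7"), ("5.4.6", "5.4.12")],
    "fortiproxy": [("2.0.0", "2.0.0"), ("1.2.0", "1.2.8"),
                   ("1.1.0", "1.1.6"), ("1.0.0", "1.0.7")],
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '6.0.4', 'v6.0.4,build0231' or similar."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if the build lies inside any affected range for that product.

    Tuple comparison is numeric, so 5.4.12 correctly sorts above 5.4.6
    (a plain string compare would get this wrong).
    """
    v = parse_version(version)
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        raise ValueError(f"unknown product {product!r}")
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory):
    """Rank appliances: exposed and vulnerable first, vulnerable but internal next.

    Each row is (hostname, product, version, sslvpn_portal_internet_exposed).
    The flaw is in the SSL VPN web portal, so an affected build whose portal
    is not reachable from the Internet is still unpatched, just not first.
    """
    exposed, internal = [], []
    for host, product, version, portal_exposed in inventory:
        if not is_affected(product, version):
            continue
        (exposed if portal_exposed else internal).append(host)
    return {"patch_now": exposed, "patch_next": internal}


# Constructed inventory, not real hosts or real build numbers.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v6.0.4,build0231", True),
    ("fw-edge-02", "FortiOS", "v6.0.5,build0268", True),    # first fixed 6.0.x
    ("fw-plant-a", "FortiOS", "v5.6.7,build1653", False),   # affected, portal internal
    ("fw-plant-b", "FortiOS", "v5.4.5,build1138", True),    # below the 5.4 range
    ("proxy-01", "FortiProxy", "2.0.0", True),
    ("proxy-02", "FortiProxy", "1.2.9", True),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

The check is only as good as the version data fed to it; the ranges reflect the CVE text on this page, and the exposure flag has to come from your own edge configuration, since an affected build with the portal enabled on an Internet-facing interface is exactly what the Cring operators were scanning for.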

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 167 58 403 181 80 722