Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks (Security News, April 2021)

"In at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted," Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report.
One of those bugs is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability lies in the system's SSL VPN web portal and allows an unauthenticated attacker to download system files from targeted devices via specially crafted HTTP resource requests.
In its report, Kaspersky echoed the feds' warning, adding that attackers first scan connections to Fortinet VPNs to check whether the software running on the device is a vulnerable version.
After gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script "Kaspersky" to disguise it as a security solution, Kopeytsev said.
In its final step, Cring encrypts files using strong encryption algorithms, so victims can't decrypt them without the RSA private key held by the attackers, Kopeytsev explained.
"The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server, which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network," he wrote.
News URL: https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS)
---|---|---|---
2019-06-04 | CVE-2018-13379 | Path Traversal vulnerability in Fortinet FortiOS and FortiProxy. An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6 and 1.0.0 to 1.0.7, under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. | 9.8
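The report notes that attackers first check whether a Fortinet device runs a vulnerable version; the same check, run by a defender against their own asset inventory, is shown below as an added example (not code from the Threatpost article or the Kaspersky report). It encodes the affected FortiOS and FortiProxy ranges from the row above and compares versions numerically; the hostnames and version strings in the sample inventory are constructed.

```python
# Added example: flag FortiOS / FortiProxy builds that fall inside the
# CVE-2018-13379 affected ranges listed in the vulnerability row above.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges, inclusive on both ends, as stated in the advisory row.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("6.0.0", "6.0.4"), ("5.6.3", "5.6.7"), ("5.4.6", "5.4.12")],
    "FortiProxy": [("2.0.0", "2.0.0"), ("1.2.0", "1.2.8"),
                   ("1.1.0", "1.1.6"), ("1.0.0", "1.0.7")],
}

def parse_version(text: str) -> Version:
    """Turn 'v6.0.4,build0231' or '5.4.12' into a comparable tuple (6, 0, 4).
    Numeric tuples avoid the string-comparison trap where '5.4.12' < '5.4.6'."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies inside an affected range."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED[product])

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, product, version) records that still need patching."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]

# Constructed sample inventory: hostnames and build strings are made up.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "FortiOS", "v6.0.4,build0231"),   # last affected 6.0.x
    ("vpn-edge-02", "FortiOS", "6.0.5"),              # first fixed 6.0.x
    ("vpn-branch-07", "FortiOS", "5.4.12"),           # affected; '12' > '6' numerically
    ("proxy-dmz-01", "FortiProxy", "1.2.9"),          # outside 1.2.0-1.2.8
    ("proxy-dmz-02", "FortiProxy", "2.0.0"),          # single affected 2.0 build
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2018-13379; upgrade")
```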