Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks
"In at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted," Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report.
One of those bugs is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to the system's SSL VPN web portal and allows an unauthenticated attacker to download system files from targeted systems via specially crafted HTTP resource requests.
In its report, Kaspersky echoed the feds' warning, adding that attackers first scan connections to Fortinet VPNs to see whether the software used on the device is the vulnerable version.
After gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script "Kaspersky" to disguise it as a security solution, Kopeytsev said.
In its final step, Cring starts to encrypt files using strong encryption algorithms so victims can't decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained.
"The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server, which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network," he wrote.
News URL
https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-06-04 | CVE-2018-13379 | Path Traversal vulnerability in Fortinet FortiOS and FortiProxy. An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. | 9.8 |
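
The affected version ranges in the table above, applied as a firmware inventory check. This is an added example, not code from Kaspersky, Fortinet or the article; the inventory format, host names and version strings (including the build suffix) are constructed for illustration.

```python
import re

# Affected ranges from the CVE-2018-13379 entry on this page (inclusive bounds).
AFFECTED = {
    "fortios": [((6, 0, 0), (6, 0, 4)), ((5, 6, 3), (5, 6, 7)), ((5, 4, 6), (5, 4, 12))],
    "fortiproxy": [((2, 0, 0), (2, 0, 0)), ((1, 2, 0), (1, 2, 8)),
                   ((1, 1, 0), (1, 1, 6)), ((1, 0, 0), (1, 0, 7))],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from strings like 'v6.0.4' or '6.0.4 build0231'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(product, version_text):
    """True if product/version falls inside a range listed for CVE-2018-13379."""
    ranges = AFFECTED.get(product.strip().lower())
    if ranges is None:
        return False  # product not covered by this advisory
    # Compare as integer tuples: as strings, "5.4.12" would sort before "5.4.6".
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in ranges)

def triage(inventory):
    """Split (host, product, version) rows into affected, clear and unknown."""
    result = {"affected": [], "clear": [], "unknown": []}
    for host, product, version_text in inventory:
        try:
            bucket = "affected" if is_affected(product, version_text) else "clear"
        except ValueError:
            bucket = "unknown"  # never treat an unreadable version as safe
        result[bucket].append(host)
    return result

# Constructed sample inventory; host names and version strings are made up.
SAMPLE_INVENTORY = [
    ("vpn-plant-01", "FortiOS", "v6.0.4 build0231"),
    ("vpn-hq-01", "FortiOS", "6.0.5"),
    ("vpn-lab-02", "FortiOS", "5.4.12"),
    ("proxy-dmz-01", "FortiProxy", "1.2.9"),
    ("vpn-old-03", "FortiOS", "unknown"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts that land in the `unknown` bucket need a manual firmware check rather than being assumed patched.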