Security News > 2021 > April > Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets
Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks.
"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage," said Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warned of advanced persistent threat actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.
CVE-2018-13379 concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.
The attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.
"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid," Kaspersky researchers said.
"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost," Kopeytsev said.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/beu4xIOf1T8/hackers-exploit-unpatched-vpns-to.html
Related news
- Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America (source)
- Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor (source)
- Hackers use PHP exploit to backdoor Windows systems with new malware (source)
- Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control (source)
- New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data (source)
- BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave (source)
- Pioneer Kitten: Iranian hackers partnering with ransomware affiliates (source)
- Iranian hackers work with ransomware gangs to extort breached orgs (source)
- US offers $2.5 million reward for hacker linked to Angler Exploit Kit (source)
- Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-06-04 | CVE-2018-13379 | Path Traversal vulnerability in Fortinet Fortios and Fortiproxy An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. | 9.8 |