Security News > 2021 > April > Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets

Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks.

"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage," said Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warned of advanced persistent threat actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.

CVE-2018-13379 concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.

The attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.

"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid," Kaspersky researchers said.

"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost," Kopeytsev said.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/beu4xIOf1T8/hackers-exploit-unpatched-vpns-to.html