Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets
2021-04-12 22:39

Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks.

"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage," said Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warned of advanced persistent threat actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.

The attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.

"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid," Kaspersky researchers said.

"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost," Kopeytsev said.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/beu4xIOf1T8/hackers-exploit-unpatched-vpns-to.html

Related Vulnerability

DATE: 2019-06-04
CVE: CVE-2018-13379
VULNERABILITY TITLE: Path Traversal vulnerability in Fortinet FortiOS and FortiProxy
RISK: critical (9.8)

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

Attack vector: network
Attack complexity: low
Vendor: fortinet
Weakness: CWE-22
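
An added example, not part of the original article or of any vendor tooling: a triage script that checks an appliance inventory against the affected version ranges listed in the CVE-2018-13379 entry above. The "host,product,version" inventory format, the hostnames and the sample versions are assumptions constructed for illustration; the verdict is by version only, so whether the SSL VPN web portal is actually exposed has to be checked separately.

```python
import re

# Affected ranges (inclusive) copied from the CVE-2018-13379 entry on this page.
AFFECTED = {
    "fortios": [((6, 0, 0), (6, 0, 4)), ((5, 6, 3), (5, 6, 7)), ((5, 4, 6), (5, 4, 12))],
    "fortiproxy": [((2, 0, 0), (2, 0, 0)), ((1, 2, 0), (1, 2, 8)),
                   ((1, 1, 0), (1, 1, 6)), ((1, 0, 0), (1, 0, 7))],
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v6.0.4 build0231', else None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(product, version_text):
    """True/False by version range; None if the product or version cannot be judged."""
    ranges = AFFECTED.get(product.strip().lower())
    version = parse_version(version_text)
    if ranges is None or version is None:
        return None
    # Tuples compare numerically, so 5.4.12 sorts after 5.4.6 (string compare would not).
    return any(low <= version <= high for low, high in ranges)


def triage(inventory_lines):
    """Map host -> 'affected' | 'not listed' | 'review' for 'host,product,version' lines."""
    labels = {True: "affected", False: "not listed", None: "review"}
    result = {}
    for line in inventory_lines:
        parts = [field.strip() for field in line.split(",")]
        if len(parts) != 3:
            continue  # malformed line: no reliable hostname to report against
        host, product, version = parts
        result[host] = labels[is_affected(product, version)]
    return result


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE = [
    "vpn-gw-01,FortiOS,v6.0.4 build0231",
    "vpn-gw-02,FortiOS,6.0.5",
    "vpn-gw-03,FortiOS,5.4.12",
    "proxy-01,FortiProxy,1.2.9",
    "vpn-gw-04,FortiOS,unknown",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts marked "review" carry a version string the script could not parse or a product the entry does not list, and need a manual check. Because the attackers described above logged in with previously stolen VPN credentials, upgrading an "affected" host does not by itself invalidate credentials that were already read from it.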