In the early months of 2021, cybercriminals, believed to be manually delivering Cring ransomware, struck a series of European industrial networks. Kaspersky is the first to report how those attacks were accomplished: through a vulnerability in Fortinet's FortiGate VPN.
According to Kaspersky, one client's infection was severe enough to cause a "temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted."
The ransomware operators used a FortiOS vulnerability originally patched in 2019, CVE-2018-13379, which allows an attacker to access the username and password in cleartext. The operators scanned systems for vulnerable installations a few days prior to breaching the system, though it is unclear if that was how they initially discovered targets. Kaspersky notes a hacker forum post in 2020 offering to purchase a database of vulnerable Fortinet VPN clients.
From there, the Cring attackers launched PowerShell under the name "kaspersky" and loaded Cobalt Strike.
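As an added illustration (not from Kaspersky's report or this article), the Python below shows one way a defender can catch a renamed PowerShell binary of the kind described above in process-creation telemetry. Renaming the file on disk does not change the PE version resource, so Sysmon Event ID 1 still records the original `OriginalFileName`; comparing it with the on-disk name is a cheap masquerading check, backed by a second heuristic that looks for PowerShell-specific switches in a command line whose image is not PowerShell. The event records, the watched-name list and the switch list are constructed assumptions, not incident data.

```python
"""Flag renamed PowerShell (and similar) binaries in process-creation events.

Assumptions: events are dicts with Sysmon-style keys Image, OriginalFileName
and CommandLine. All sample events below are constructed for the example.
"""
import ntpath
from dataclasses import dataclass

# PE OriginalFileName values of binaries commonly renamed to dodge name-based
# detections (starter list; extend it from your own telemetry).
WATCHED_ORIGINAL_NAMES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Switches that are specific enough to PowerShell to be suspicious when they
# appear on a command line whose image is not PowerShell.
POWERSHELL_SWITCHES = {
    "-nop", "-noprofile", "-enc", "-encodedcommand",
    "-noni", "-noninteractive", "-windowstyle",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on Linux.
    return ntpath.basename(path).lower()


def check_event(event: dict) -> list[Finding]:
    """Return zero or more findings for a single process-creation event."""
    findings: list[Finding] = []
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    base = _basename(image)
    tokens = {t.lower() for t in event.get("CommandLine", "").split()}

    # Rule 1: the version resource says "powershell.exe" but the file on disk
    # is called something else, e.g. kaspersky.exe.
    if original in WATCHED_ORIGINAL_NAMES and base != original:
        findings.append(Finding(
            "renamed-binary", image,
            f"OriginalFileName {original!r} but on-disk name {base!r}"))

    # Rule 2: PowerShell-only switches on a process that is not PowerShell.
    # Catches cases where OriginalFileName is missing or was tampered with.
    hits = sorted(tokens & POWERSHELL_SWITCHES)
    if base not in POWERSHELL_IMAGES and hits:
        findings.append(Finding(
            "powershell-args-foreign-image", image,
            f"PowerShell switches {hits} on non-PowerShell image"))
    return findings


def analyze(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of events and collect the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: one benign PowerShell launch, one benign AV
# process, one editor, and one renamed PowerShell masquerading as "kaspersky".
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"Image": r"C:\Program Files (x86)\Kaspersky Lab\avp.exe",
     "OriginalFileName": "avp.exe",
     "CommandLine": "avp.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe readme.txt"},
    {"Image": r"C:\Users\Public\kaspersky.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "kaspersky.exe -nop -w hidden -enc <base64-payload>"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.image}: {finding.detail}")
```

Only the fourth event produces findings, once for each rule; the genuine PowerShell launch and the real AV process are left alone. Rule 1 is the high-confidence signal; rule 2 exists because `OriginalFileName` can be absent or patched out, and a tokenised comparison avoids substring false positives such as `--encoding`.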
The Cring campaign was geofenced; a command and control server involved in the attacks only responded to requests from European systems. The attackers appear to have hand-selected which servers to encrypt to cause the most damage.
In a statement released to reporters, Fortinet urged its users to "immediately" mitigate or patch vulnerable installations, noting that the company had patched and repeatedly warned consumers about the vulnerability used in this case.
"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as April 2021," read the statement.
Kaspersky lists indicators of compromise in their post.
Last week, the FBI and DHS alerted businesses that advanced persistent threat groups were targeting CVE-2018-13379 and two other FortiOS vulnerabilities in active attacks. There is no current data connecting the Cring installations to an APT group.