At the starting of this year, a collection of attacks was launched utilizing this new ransomware and at the time, it was unclear how the attackers dependable have been able to infect the community of an unspecified business in Europe. On the other hand, following an investigation carried out by Kapsersky ICS CERT experts, it was exposed that unpatched VPN vulnerabilities were being to blame.
Back in 2019, the CVE-2018-13379 vulnerability in Fortigate VPN servers became commonly regarded. Though the challenge was resolved and patched by the enterprise, some businesses did not update their VPN servers. In truth, so a lot of organizations unsuccessful to do so that prepared-designed lists that contains the IP addresses of susceptible servers and internet-experiencing units commenced appearing on dark world wide web boards last slide.
We are wanting at how our readers use VPN for a forthcoming in-depth report. We would like to listen to your feelings in the survey beneath. It is not going to consider far more than 60 seconds of your time.
With these IP addresses in hand, cybercriminals are able to connect to a vulnerable VPN server remotely and access the session file which contains usernames and passwords stored in clear text.
According to Kaspersky’s investigation, attackers are exploiting the CVE-2018-13379 vulnerability in Fortigate VPN servers to gain access to enterprise networks and infect organizations with the Cring ransomware.
In a press release, security expert at Kaspersky Vyacheslav Kopeytsev provided further insight on the attack that occurred at the beginning of this year, saying:
“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage. For example, the host server for the malware from which the Cring ransomware was downloaded had infiltration by IP address enabled and only responded to requests from several European countries. The attackers’ scripts disguised the activity of the malware as an operation by the enterprise’s antivirus solution and terminated the processes carried out by database servers (Microsoft SQL Server) and backup systems (Veeam) that were used on systems selected for encryption.”
The ICS CERT experts at Kaspersky believe that the lack of timely database updates for the affected organization’s security solution also played a key role as this prevented it from detecting and blocking the threat. Additionally, some components of their antivirus solution were disabled and this left them more vulnerable.
To protect networks and devices from the Cring ransomware, Kaspersky recommends that organizations keep their VPN Gateway firmware updated to the latest version, keep endpoint protection solutions and databases updated to the latest versions, restrict VPN access between facilities and close all ports that are not required.