Cring: the attack on the VPN servers of some European companies

News of the Cring attack, a ransomware campaign hitting some VPN servers and still claiming victims among several European manufacturing companies, dates back to last week. In another article we had already covered what this type of malware does and how widespread it is. Cring relies on the now well-known CVE-2018-13379 vulnerability in some Fortigate VPN servers, which apparently has not been patched in all of the companies affected by the problem.

The origin of the attack

Cring ransomware was first identified in January of this year by a team of Kaspersky researchers. The vulnerability itself, however, was already known in 2019 and was disclosed to the community that same year. Fortinet, for its part, ran two information campaigns aimed at getting customers susceptible to the attack to update their servers. Nevertheless, it seems that two years later several servers in European companies are still running outdated systems.

Once inside the corporate network, Cring is able to encrypt all data with a double-pass technique and demands a ransom of about $115,000.

CVE-2018-13379 allows path traversal on Fortigate systems. Path traversal is a type of attack that grants access to areas of the operating system that are normally unreachable. A web server usually serves the files it exposes to the network from a subfolder of the operating system's file system. This attack sends specially crafted HTTP requests that bypass the intended folder boundaries, climbing from the current working folder up to the root and thereby gaining full access to all data on the system.
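The folder-boundary check described above, as an added defensive example (not code from the article, from Fortinet, or from the researchers): a server-side resolver that canonicalises a requested path and refuses anything that would escape the web root, including percent-encoded and double-encoded `..` segments. The web root and request paths are constructed for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example web root; it does not need to exist on disk.
WEB_ROOT = "/srv/www/public"


def fully_decode(path: str, max_rounds: int = 5) -> Optional[str]:
    """Undo percent-encoding until the string stops changing, so a
    double-encoded '%252e%252e' cannot slip past a single unquote().
    Returns None if the path is still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return None


def resolve_within_root(web_root: str, requested: str) -> Optional[str]:
    """Return the requested file's path relative to web_root, or None when
    the request escapes the root (path traversal) or is malformed."""
    decoded = fully_decode(requested)
    if decoded is None or "\x00" in decoded:
        return None
    # Some servers treat backslashes as separators; normalise them first.
    decoded = decoded.replace("\\", "/")
    root = os.path.realpath(web_root)
    # Join and canonicalise: realpath collapses '.' and '..' components.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath is the correct containment test; a naive startswith()
    # would wrongly accept a sibling such as /srv/www/public_old.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return os.path.relpath(candidate, root)


if __name__ == "__main__":
    for req in ("/css/site.css", "/images/../index.html",
                "/../../../private/secret.conf",
                "/%2e%2e/%2e%2e/private/secret.conf"):
        print(repr(req), "->", resolve_within_root(WEB_ROOT, req))
```

Requests that normalise to a location inside the root are returned as a relative path; anything that climbs out of it, however it is encoded, yields None and should be answered with an error rather than a file.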

As reported by the researchers, the attacker is able to reach the system unauthenticated over the Internet and retrieve files containing confidential access credentials. From there, with the help of additional tools such as Mimikatz and the Cobalt Strike backdoor, the attack first harvests all relevant information held on the system and then moves to its real objective: encrypting the storage volumes.

What happens after Cring's attack on VPN servers

Cring is in fact particularly complex because it uses a double encryption mode. It first performs a pass encrypting the data with an AES key and then encrypts that again with 8192-bit RSA. In addition, before starting the "dirty work", the ransomware terminates any other services responsible for keeping the backup files up to date.

Once the encryption is complete, the systems are completely unusable and the victims receive a ransom note demanding the equivalent of approximately $115,000. However, as we have said on other occasions, there is no guarantee that the attackers will hand over the encryption key once the ransom has been paid; it is more likely that the money is simply lost.

The presence of a poorly thought-out network architecture can allow the uncontrolled spread of Cring which will encrypt all systems connected to the VPN server.

Naturally, since the servers are unusable, the VPN's functions will fail and in some cases there have been malfunctions in the company's production system. In fact, if the network architecture is not well thought out, the production systems could be directly accessed from different points of the corporate network.

How to protect ourselves from Cring

While our systems may not be the direct target of this malware, we can still learn some important lessons from it. The first is the need to keep operating systems updated: regularly applying the updates released by the manufacturer can save our lives on several occasions. The companies that were attacked had VPN servers that were all missing the latest patch. Consequently, even the antivirus software, lacking the latest signature definitions, was unable to detect the Cring infection promptly.

The second important aspect is the need to keep systems isolated from each other and guarantee access only to users who really need it . In fact, in many of Cring's attacks, the damage was substantial because there were no security policies in place that prevented unauthorized users from accessing other parts of the corporate network. In simple terms, each user was able to access the different systems within the company: it is like being in a bank vault and having the keys to access all the safety deposit boxes!

Introducing access control policies can be difficult in the early stages, but it offers significant advantages in managing security within the company. In this case, such policies would have confined Cring's damage to the VPN servers alone, without affecting the rest of the environment with disastrous consequences for the business.

In conclusion, security once again teaches us lessons in simplicity, so basic that they seem difficult to put into practice. Yet it is enough to commit to these basic rules and follow them to stay safe and protect ourselves from the bad guys.

The article "Cring: the attack on the VPN servers of some European companies" originally appeared on Tech CuE | Close-up Engineering.