Ransomware operators have shut down two production facilities of a European manufacturer after implementing a relatively new kind that encrypted servers that control a manufacturer’s industrial processes, a Kaspersky Lab researcher said Wednesday.
The ransomware, known as Cring, came to public attention in a blog post in January. It seizes networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Maintained as CVE-2018-13379, the cross-sectional vulnerability of the directory allows unauthenticated attackers to obtain a session file containing the username and human-readable password for the VPN.
With a first hand, a live Cring operator conducts reconnaissance and uses a modified version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. Ultimately, the attackers use the Cobalt Strike framework to install Cring. To mask the ongoing attack, the hackers disguise the installation files as security software from Kaspersky Lab or other providers.
Once installed, the ransomware locks data using 256-bit AES encryption and encrypts the key with an RSA-8192 public key that is hard-coded in the ransomware. A left note demands two bitcoins in exchange for the AES key that unlocks the data.
More value for money
In the first quarter of this year, Cring infected an unnamed manufacturer in Germany, Vyacheslav Kopeytsev, a member of Kaspersky Lab’s ICS CERT team in an email. The infection spread to a server that hosts databases needed by the manufacturer’s production line. As a result, processes were temporarily shut down in two Italy-based facilities operated by the manufacturer. Kaspersky Lab thinks the shutdowns lasted two days.
“Several details of the attack indicate that the attackers carefully analyzed the attacked organization’s infrastructure and prepared their own infrastructure and toolset based on the information gathered during the reconnaissance phase,” Kopeytsev wrote in a blog post. He continued: “An analysis of the attackers’ activity shows that, based on the results of reconnaissance conducted on the attacked organization’s network, they chose to encrypt those servers that the attackers believed would cause the greatest damage. to the business.”
Incident responders eventually recovered most, but not all, encrypted data from backups. The victim did not pay ransom. There are no reports of infections causing damage or unsafe conditions.
Wise advice not followed
In 2019, researchers observed that hackers were actively trying to exploit the critical FortiGate VPN vulnerability. There were about 480,000 devices connected to the internet at the time. Last week, the FBI and Cybersecurity and Infrastructure Security Agency said CVE-2018-13379 was one of several FortiGate VPN vulnerabilities likely to be actively exploited for use in future attacks.
Fortinet said in November it had detected a “large number” of VPN devices that had not been patched against CVE-2018-13379. The advisory also said company officials were aware of reports that those systems’ IP addresses were being sold in underground criminal forums or that people were running Internet-wide scans to find unpatched systems on their own.
In a statement released Thursday, Fortinet officials wrote:
The safety of our customers is our number one priority. For example, CVE-2018-13379 is an old vulnerability that was fixed in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020 and again in April 2021, strongly recommending an upgrade. After a resolution, we communicated consistently with customers until April 2021. For more information, please visit our blog and immediately consult the May 2019 advisory. If customers have not done so, we urge them to implement the upgrade and measures immediately.
In addition to not installing updates, Kopeytsev said the Germany-based manufacturer also failed to install antivirus updates and restrict access to sensitive systems to only selected employees.
It is not the first time that a production process has been disrupted by malware. In 2019 and last year, Honda stopped production after being infected with the WannaCry ransomware and an unknown piece of malware. One of the world’s largest aluminum producers, Norway’s Norsk Hydro, was hit in 2019 by a ransomware attack that shut down its global network, shut down or disrupted factories and scrambled IT workers to return operations to normal.
Patching and reconfiguring devices in industrial environments can be extremely costly and difficult, as many of these devices must be used constantly to maintain profitability and stay on track. Shutting down an assembly line to install and test a security update or make changes to a network can result in non-trivial costs in the field. Of course, letting ransomware operators shut down an industrial process themselves is an even more dire scenario.
Post updated to add statement from Fortinet.