Cring Ransomware Fortinet Attack Threat Intel Advisory

Published 24 May 2021


  • Operators of Cring ransomware target multiple organizations by exploiting vulnerable FortiGate servers
  • The attackers steal credentials and other information from Windows users who connected to the infected device

Advisory Type: Adversary Intelligence
Malware Name: Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom
Malware Type: Ransomware
Tools Used: Mimikatz, CobaltStrike
Target Platform: Fortinet VPN devices
Affected Industries: Industrial Sectors

Executive Summary

Operators of the Cring ransomware have been targeting multiple organizations in the industrial sector by exploiting vulnerable FortiGate servers. The vulnerability, tracked as CVE-2018-13379, is a path traversal flaw in the FortiOS SSL VPN portal that lets attackers read VPN login credentials from the device. The attackers then use Mimikatz to steal the credentials of Windows users who had connected to the infected device, obtaining domain administrator credentials, and deploy a CobaltStrike beacon to download and execute the Cring ransomware.

Technical Details

  • Once the attackers identified servers affected by CVE-2018-13379, they located the sslvpn_websession file and used it to obtain login credentials in cleartext.
  • They then used Mimikatz to steal the credentials of other Windows users who had connected to the infected device at some point in the past, among them the domain administrator credentials.
  • Next, they ran a malicious PowerShell script that decrypted and executed a CobaltStrike beacon, giving them remote control of the infected systems.
  • Finally, they downloaded and executed a malicious CMD script that launched another PowerShell command, which in turn downloaded and executed the Cring ransomware.
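A defender-side check for the first step of the chain above: the traversal request used to reach the sslvpn_websession file leaves a trace in the device's web access logs. The script below is an added example, not code from the advisory or from Fortinet; the log lines in it are constructed, and the request paths are placeholders rather than a real endpoint. It percent-decodes repeatedly so that encoded and double-encoded traversal sequences are caught, and it ignores ordinary requests that merely mention a similarly named file.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log format (not from the advisory).
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not indicators.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512
203.0.113.7 - - [22/May/2021:10:01:09 +0000] "GET /remote/portal?lang=/../../../sslvpn_websession HTTP/1.1" 200 20480
203.0.113.7 - - [22/May/2021:10:01:11 +0000] "GET /remote/portal?lang=%2e%2e%2f%2e%2e%2fsslvpn_websession HTTP/1.1" 200 20480
198.51.100.9 - - [22/May/2021:10:02:00 +0000] "GET /remote/portal?lang=%252e%252e%252fsslvpn_websession HTTP/1.1" 404 0
10.0.0.6 - - [22/May/2021:10:03:00 +0000] "GET /static/sslvpn_websession.js HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # a ".." segment followed by a separator
SENSITIVE_FILES = ("sslvpn_websession",)         # file named in the advisory


def normalize(target, max_rounds=3):
    """Percent-decode until stable (catches double encoding) and unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def scan_line(line):
    """Return a finding dict when a request traverses towards a sensitive file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m.group("target"))
    if not TRAVERSAL_RE.search(path):
        return None  # no traversal: a plain reference to a similar filename is benign
    hit = next((f for f in SENSITIVE_FILES if f in path), None)
    if hit is None:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "file": hit, "decoded": path, "likely_success": m.group("status") == "200"}


def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to such a request is the one to escalate: on a vulnerable FortiOS build it means the session file was served and its credentials should be treated as compromised.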

Targeted CVEs:

  • CVE-2018-13379
    • FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable to this flaw.
  • CVE-2020-12812
  • CVE-2019-5591

Impact

Technical Impact
  • Exploiting the targeted CVEs in the FortiOS SSL VPN portal allows threat actors to download and execute further malware, enabling other forms of attack on the infected system.
  • The attackers could also take control of the infected system and use it as a bot to launch further attacks.
Business Impact
  • This ransomware attack could cause businesses to shut down.
  • It could also affect the reputation of the victim company.
  • The attackers gain full access to infected systems which may contain the sensitive information of individuals and organizations alike, leading to the violation of their privacy.

Mitigation Measures

  • Apply the latest updates and patches for the software in use.
  • Use up-to-date antivirus and endpoint prevention and detection tools.
  • Maintain cyber hygiene and security awareness.
  • Always encrypt passwords before storing them in databases.
  • Use 2FA for all login sessions.

Tactics, Techniques, and Procedures of the Attack

Reconnaissance
  • T1592.002 Gather Victim Host Information: Software
  • T1589.001 Gather Victim Identity Information: Credentials
  • T1590.006 Gather Victim Network Information: Network Security Appliances
  • T1590.005 Gather Victim Network Information: IP Addresses
Resource Development
  • T1588.005 Obtain Capabilities: Exploits
  • T1588.001 Obtain Capabilities: Malware
  • T1588.002 Obtain Capabilities: Tool
  • T1588.006 Obtain Capabilities: Vulnerabilities
  • T1608.001 Stage Capabilities: Upload Malware
  • T1608.002 Stage Capabilities: Upload Tool
Initial Access
  • T1133 External Remote Services
Execution
  • T1059 Command and Scripting Interpreter
  • T1047 Windows Management Instrumentation
Persistence
  • T1133 External Remote Services
Defense Evasion
  • T1140 Deobfuscate/Decode Files or Information
  • T1036.004 Masquerading: Masquerade Task or Service
Credential Access
  • T1555 Credentials from Password Stores
  • T1003.005 OS Credential Dumping: Cached Domain Credentials
  • T1552 Unsecured Credentials
Discovery
  • T1087.002 Account Discovery: Domain Account
Lateral Movement
  • T1021 Remote Services

Indicators of Compromise

CVE
  • CVE-2018-13379
  • CVE-2019-5591
  • CVE-2020-12812
URL
  • http://45.67.231.128/ip.txt
  • http://1.0.0.0
IPv4
  • 45.67.231.128
  • 198.12.112.204
  • 129.227.156.216
  • 129.227.156.214
FilePath
  • %temp%\execute.bat
  • C:\__output
