Andrew Brandt, principal researcher at SophosLabs, said the recent findings (no time element was given) had shown that the server that served as the entry point was running Adobe ColdFusion 9, an 11-year-old version of the Web-application development platform that was declared end-of-life in 2016, and Windows Server 2008. Sophos has since clarified that the findings were made in August this year.
Several other machines were also hit with the same ransomware and made inaccessible, but the box running ColdFusion was partially recoverable and artefacts from this machine were used in the research.
Brandt said the attackers had entered from an IP address allocated to the Ukrainian ISP Green Floid and begun a scan. After ascertaining that an old version of ColdFusion was present, the attackers had then used a directory traversal vulnerability [CVE-2010-2861] to extract the file password.properties from the server.
About two-and-a-half days later, the attackers returned before midnight on the weekend and dropped a number of files on the server, before creating a scheduled task that used the Windows Script Host to execute files based on a set of parameters.
A second Web shell was then placed in a second ColdFusion directory and used to export a number of Registry hives which could be used to harvest data at leisure.
The ransom note issued by the Cring ransomware. Courtesy Sophos
About five hours after this was completed, the attackers used the Windows Management Instrumentation command-line utility to invoke PowerShell and download files from a server whose IP geolocates to Belarus. They also created a user account with admin privileges.
The next step in the attack was to run commands that profiled the system, obtain Domain Admin privileges and then explore other servers using those credentials. The attackers also dropped the Cobalt Strike beacon on other machines.
These actions were blocked by HitmanPro, a portable anti-malware program, whereupon the attackers started targeting the Sophos endpoint protection that was blocking the effort to load the beacon.
But the attackers then used the Web shell they had loaded to disable both the Sophos endpoint protection and Windows Defender. Several VMs were then detected on the server and these were shut down.
The ransomware was spread as a last action. "Finally, at about 79 hours after the initial breach of the ColdFusion server, the attacker delivered a ransomware executable named msp.exe, encrypting the system and the folders containing the virtual machine disk images," said Brandt.
"The attackers deleted the Volume Shadow Copies, cleared the Event Logs afterward, and re-enabled the Sophos security products they had previously disabled."
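The chain described above (directory traversal against ColdFusion to read password.properties, a scheduled task running the Windows Script Host, WMIC launching PowerShell, a new admin account, shadow-copy deletion and log clearing) maps onto a handful of detections that a defender can run over web-server and Windows Security logs. The following Python is an added example written for this article; it is not Sophos's telemetry or tooling. The log lines and event records are constructed here with made-up field names, the traversal request is a generic illustration rather than the CVE-2010-2861 request, and the event IDs used (4698, 4688, 4720, 4732, 1102) are standard Windows Security audit IDs.

```python
"""Detection rules for the intrusion chain described in the article (added example)."""
import re
from urllib.parse import unquote

# Constructed IIS-style access log lines: "date time method uri status client-ip".
# The second line is a generic traversal illustration, not the actual exploit request.
WEB_LOG = [
    "2021-08-13 02:11:05 GET /CFIDE/administrator/index.cfm 200 203.0.113.9",
    "2021-08-13 02:11:09 GET /app/%2e%2e/%2e%2e/%2e%2e/password.properties 200 203.0.113.9",
    "2021-08-13 02:12:00 GET /index.cfm 200 198.51.100.4",
]

# Constructed, simplified Windows Security events (our own field names, not a real export).
WIN_EVENTS = [
    {"id": 4698, "task": "\\Updater", "action": "C:\\Windows\\System32\\wscript.exe"},
    {"id": 4688, "parent": "wmic.exe", "image": "powershell.exe"},
    {"id": 4720, "target": "svc_backup"},
    {"id": 4732, "group": "Administrators", "member": "svc_backup"},
    {"id": 4688, "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1102, "subject": "svc_backup"},
    {"id": 4688, "parent": "explorer.exe", "image": "notepad.exe"},  # benign noise
]

# A "../" segment anywhere in the decoded path.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Rough kill-chain stage for each finding, used to show how far an intrusion got.
STAGE = {
    "directory-traversal": "initial-access",
    "password.properties-read": "credential-access",
    "scheduled-task-runs-wsh": "persistence",
    "wmic-spawns-powershell": "execution",
    "local-account-created": "persistence",
    "account-added-to-administrators": "privilege-escalation",
    "shadow-copy-deletion": "impact",
    "security-log-cleared": "defense-evasion",
}


def check_web_line(line):
    """Return findings for one access-log line, or an empty list if it looks benign."""
    parts = line.split()
    if len(parts) < 6:
        return []
    # Decode twice so %252e-style double encoding cannot hide the traversal.
    uri = unquote(unquote(parts[3]))
    findings = []
    if TRAVERSAL.search(uri):
        findings.append("directory-traversal")
    if uri.lower().endswith("password.properties"):
        findings.append("password.properties-read")
    return findings


def check_win_event(ev):
    """Return a finding name for one Windows event, or None."""
    eid = ev["id"]
    if eid == 4698 and ev.get("action", "").lower().endswith(("wscript.exe", "cscript.exe")):
        return "scheduled-task-runs-wsh"      # task whose action is the Windows Script Host
    if eid == 4688:
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if parent == "wmic.exe" and image == "powershell.exe":
            return "wmic-spawns-powershell"   # WMI command-line utility launching PowerShell
        if image == "vssadmin.exe" and "delete shadows" in ev.get("cmdline", "").lower():
            return "shadow-copy-deletion"     # Volume Shadow Copies removed before encryption
    if eid == 4720:
        return "local-account-created"
    if eid == 4732 and ev.get("group", "").lower() == "administrators":
        return "account-added-to-administrators"
    if eid == 1102:
        return "security-log-cleared"
    return None


def analyze(web_log=WEB_LOG, win_events=WIN_EVENTS):
    """Run every rule over both log sources and return findings in log order."""
    findings = []
    for line in web_log:
        findings.extend(check_web_line(line))
    for ev in win_events:
        hit = check_win_event(ev)
        if hit:
            findings.append(hit)
    return findings


def chain_coverage(findings):
    """Distinct kill-chain stages touched; several stages together mean escalate, not triage."""
    return sorted({STAGE[f] for f in findings})


if __name__ == "__main__":
    found = analyze()
    for f in found:
        print(f"{STAGE[f]:20} {f}")
    print("stages covered:", ", ".join(chain_coverage(found)))
```

Each rule on its own is noisy (administrators do create accounts and scheduled tasks), which is why `chain_coverage` matters: a single host touching initial access, persistence, privilege escalation and defense evasion within a few days is the pattern described above, and that correlation is what should page someone rather than any one event.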
Brandt also credited senior rapid response analyst Vikas Singh and analysts Shefali Gupta, Krisztián Diriczi, and Chaitanya Ghorpade for their roles in the research.
"Devices running vulnerable, outdated software are low-hanging-fruit for cyber attackers looking for an easy way into a target," said Brandt. "Cring ransomware isn't new, but it's uncommon.
"In the incident we researched, the target was a services company, and all it took to break in was one Internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.
"But, regardless of what the status is – in use or inactive – unpatched Internet-facing servers or other devices are prime targets for cyber attackers scanning a company's attack surface for vulnerable entry points.
"This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organisations have these devices anywhere on their network, they can be sure that cyber attackers will be attracted to them. Don't make life easy for cyber criminals."
Update, 23 September: Brandt's blog post said: "Despite the age of the software and the server, the attacker used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by deleting logs and other artifacts that could be used in an investigation."
Asked how the two were connected — the age of the software/server and the techniques used — a Sophos spokesperson responded: "The software age thing is weird. So, they used exploits that are fairly old at this point. The exploits are old because the software is very old.
"But the techniques the attackers used to cover their tracks, and their use of modern fileless infection techniques, is relatively recent in development. The juxtaposition of the old and new is what was most intriguing here, mainly because it was so unusual to see such old exploits in use.
"But once we realised the age of the software we were dealing with, it made more sense. And since this threat actor seems to have a history of going after old, vulnerable software, the pieces start to fit together."