Vyacheslav Kopeytsev, a senior security researcher at global security firm Kaspersky's Industrial Control Systems Computer Emergency Response Team, said in a blog post that threat actors had conducted attacks using Cring in the first quarter of this year, but at that stage it was unclear as to what the infection vector was.
However, the firm discovered that the Fortigate VPN servers were the point of entry, Kopeytsev said.
The ransom note left by the Cring ransomware. Courtesy Kaspersky ICS CERT
"Fortigate devices are vulnerable to a directory traversal attack, which allows an attacker to access system files on the Fortigate SSL VPN appliance," he wrote.
A number of days before the actual attack, the attackers tested out connections to the VPN Gateway, possibly to check that the software version on the device was vulnerable.
Either a scan of IP addresses or the use of a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices could have been used to identify the vulnerable entry point, Kopeytsev said, adding, "In autumn 2020, an offer to buy a database of such devices appeared on a dark web forum."
The attackers used a PowerShell script to decrypt their payload: the Cobalt Strike Beacon backdoor which gave them remote control of the infected system.
After that, the Cring ransomware was downloaded and after encryption, it dropped a ransom note.
Kopeytsev offered the following tips to avoid falling victim to this attack:
- Update the software of the SSL VPN Gateway to the latest versions;
- Update anti-malware solutions to the latest versions;
- Always keep anti-malware databases updated to the latest versions;
- Make sure that all modules of anti-malware solutions are always enabled;
- Change the active directory policy: allow users to log in only to those systems which are required by their operational needs;
- Restrict VPN access between facilities, close all ports that are not required by operational needs;
- Configure the back-up system to store back-up copies on a dedicated server;
- Store at least three back-up copies for each critical system;
- Store at least one back-up copy of each server on a dedicated, standalone storage medium, such as a hard drive; and
- Verify the integrity of back-up copies on a regular basis.