Skip to main content

How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants

posted onApril 8, 2021
by l33tdawg
Arstechnica
Credit: Arstechnica

Ransomware operators shut down two production facilities belonging to a European manufacturer after deploying a relatively new strain that encrypted servers that control a manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday.

The ransomware, known as Cring, came to public attention in a January blog post. It takes hold of networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file that contains the username and plaintext password for the VPN.

With an initial toehold, a live Cring operator performs reconnaissance and uses a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. Eventually, the attackers use the Cobalt Strike framework to install Cring. To mask the attack in progress, the hackers disguise the installation files as security software from Kaspersky Lab or other providers. Once installed, the ransomware locks up data using 256-bit AES encryption and encrypts the key using an RSA-8192 public key hardcoded into the ransomware. A note left behind demands two bitcoins in exchange for the AES key that will unlock the data.

Source

Tags

Security

You May Also Like

Recent News

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th