According to the Record, unpatched Fortinet VPN devices are being hacked to deploy a new strain of ransomware inside corporate networks, Russian security firm Kaspersky said today.
“Victims of these attacks include industrial enterprises in European countries,” Kaspersky senior security researcher Vyacheslav Kopeytsev said in a report today.
“At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kopeytsev said, but without revealing the victim’s name.
All these attacks happened in Q1 2020, and they were carried out with a new strain of ransomware named Cring (other aliases include Vjiszy1lo, Ghost, Phantom) that was first discovered in January 2021.
While the ransomware was initially spotted by the security team of Swiss internet service provider Swisscom, very few details were available at the time.
The Kaspersky report published today sheds some light on how these attacks take place, and, according to Kopeytsev, Cring is the latest “human-operated ransomware strain.”
What this means is that infections with Cring usually happen after attackers orchestrate intrusions into corporate networks, expand their access to as many systems as possible, and only then run the ransomware during a hands-on-keyboard intrusion.
In Cring’s case, the initial intrusion vector appears to be Fortinet devices that haven’t been patched for the CVE-2018-13379 vulnerability.
According to Kaspersky, the intruders used exploits for this bug to access the VPN device, after which they used the Mimikatz open-source tool to dump credentials of Windows users who had previously logged in to the compromised VPN.
The attackers then used the credentials to connect to workstations on the victim’s internal network, where they used PowerShell scripts and the Cobalt Strike intrusion simulation framework to escalate access to even more internal systems; as a last step, they downloaded the Cring ransomware onto each system and encrypted local files.
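The credential-dumping step described above is the stage of this chain that a defender can most often catch on endpoint telemetry, because tools such as Mimikatz have to open a handle to the LSASS process with memory-read rights. As an added example, not code from Kaspersky’s report or from SpearTip, the script below reads Sysmon Event ID 10 (ProcessAccess) records as a log forwarder might ship them and flags non-allowlisted processes that open lsass.exe. The sample events, the allowlist of Windows binaries, and the access-mask threshold are constructed assumptions for illustration and would need tuning in a real environment.

```python
"""Flag processes opening lsass.exe with memory-access rights (Sysmon Event ID 10).

Added, illustrative detector; not Kaspersky's or SpearTip's code. The sample
records and the allowlist below are constructed for this example.
"""
import json
from typing import Iterable, List, Optional

# Windows process access rights (winnt.h). Reading credentials out of LSASS
# needs PROCESS_VM_READ; some tools additionally write to or inject into it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
MEMORY_ACCESS_BITS = (PROCESS_CREATE_THREAD | PROCESS_VM_READ
                      | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

# Assumed allowlist of Windows components that legitimately open LSASS.
# Matched on the full lower-cased path so a same-named binary in a user
# directory is not exempted. Keep it short and environment-specific.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample Sysmon Event ID 10 records, JSON-serialised one per line
# the way a forwarder might emit them. Not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1FFFFF", "SourceUser": "NT AUTHORITY\\SYSTEM"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1010", "SourceUser": "CORP\\jdoe"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe",
                "GrantedAccess": "0x1400", "SourceUser": "NT AUTHORITY\\SYSTEM"}),
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe",
                "GrantedAccess": "0x1400", "SourceUser": "CORP\\svc_backup"}),
    "this line is not json and must not crash the pipeline",
]


def parse_access(value: str) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious LSASS open, or None if benign."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in LSASS_ALLOWLIST:
        return None
    access = parse_access(event.get("GrantedAccess", "0x0"))
    # Memory-access rights from a non-allowlisted process is the strong signal;
    # any other unexpected open of LSASS is still worth a low-severity record.
    severity = "high" if access & MEMORY_ACCESS_BITS else "low"
    return {"severity": severity, "source": source,
            "user": event.get("SourceUser", ""), "access": hex(access)}


def detect(lines: Iterable[str]) -> List[dict]:
    """Run the classifier over forwarded log lines, skipping malformed ones."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the detector produces two alerts: a high-severity one for the binary in a user temp directory that requested read access to LSASS memory, and a low-severity one for PowerShell opening LSASS without memory rights. The allowlisted csrss.exe and the non-LSASS target are ignored, and the malformed line is skipped.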
SpearTip’s engineers are closely monitoring the newly discovered Cring ransomware strain mentioned above. This situation highlights a problem among many victims of ransomware. They don’t have a security team monitoring their network for threats 24/7. SpearTip’s security operations center manages patches and protects organizations from being exploited through RDP (Remote Desktop Protocol). Turning on your computer to see your files encrypted is never ideal, especially when you’re trying to operate a business at the same time. That’s where SpearTip steps in.
SpearTip’s cyber experts continuously monitor environments 24/7 from our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This gives your organization direct communication with our engineers at any moment and a completely transparent view of your risk profile.
If you think your organization has been breached, call our Security Operations Center at 833.997.7327.