Unpatched VPN Vulnerabilities: Attackers’ New Gateway to Gain Access to Victims’ Networks
A new report showed that ransomware attackers are using unpatched VPN vulnerabilities to gain access to victims’ networks.
Fortinet VPN Vulnerabilities
In the report “Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks,” researchers at Kaspersky Lab found that the group behind the ransomware called “Cring” gained access to victims’ networks by exploiting CVE-2018-13379, a known security vulnerability in the SSL VPN web portal of Fortinet FortiOS that allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
According to researchers at Kaspersky Lab, the CVE-2018-13379 vulnerability was used to extract the session file of the VPN Gateway. The session file contains valuable information, such as the username and plaintext password, the researchers said.
Researchers at Kaspersky Lab added that several days prior to the start of the main attack phase, the attackers performed test connections to the VPN Gateway. The attackers may have identified the vulnerable device themselves by scanning IP addresses, the researchers said. Alternatively, they may have bought a ready-made list of IP addresses of vulnerable Fortinet VPN Gateway devices, as an offer to buy a database of vulnerable Fortinet VPN Gateway devices appeared on a dark web forum in autumn of 2020.
In the joint advisory “APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks,” the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported that in March 2021 they observed threat actors scanning the internet for Fortinet VPN Gateway devices that had not applied the security patches for CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Fortinet, for its part, had issued a security patch for each of these three vulnerabilities.
CVE-2020-12812 is a security vulnerability in Fortinet VPN devices that can allow threat actors to log in successfully without being prompted for the second factor of authentication by changing the case of their username. CVE-2019-5591, meanwhile, is a security vulnerability in Fortinet VPN Gateway devices that can allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
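The two weaknesses just described give a defender two concrete things to look for in gateway logs. The following is an added Python example, not code from Kaspersky Lab, the FBI/CISA advisory or Fortinet. It runs over constructed access-log lines and login events (the log format, the /remote/help endpoint and the usernames are assumptions, and the endpoint is not the real vulnerable one) and flags, first, requests whose URI carries a raw or URL-encoded “../” sequence of the kind used to pull files out through a traversal bug like CVE-2018-13379, and second, logins that succeeded without the second factor the directory requires, calling out the case where the submitted username matches an account only after case folding, the pattern CVE-2020-12812 exploited.

```python
import re

# Raw or URL-encoded "../" sequences in a request path: the signature of attempts
# to read files outside the web root through a traversal bug such as CVE-2018-13379.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f", re.IGNORECASE)

# Constructed SSL VPN portal access-log lines (assumed format:
# "<client_ip> <method> <uri> <status>"); /remote/help is a made-up endpoint.
SAMPLE_ACCESS_LOG = [
    "203.0.113.10 GET /remote/login 200",
    "203.0.113.10 POST /remote/logincheck 200",
    "198.51.100.7 GET /remote/help?page=../../../../etc/passwd 200",
    "198.51.100.7 GET /remote/help?page=..%2F..%2F..%2Fetc%2Fpasswd 200",
    "192.0.2.55 GET /remote/portal 200",
]


def find_traversal_requests(log_lines):
    """Return (client_ip, uri) for every request whose URI contains a traversal sequence."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line; skip rather than crash
        client_ip, _method, uri, _status = parts[:4]
        if TRAVERSAL_RE.search(uri):
            hits.append((client_ip, uri))
    return hits


# Constructed directory export: username -> whether a second factor is required.
DIRECTORY_USERS = {"jsmith": True, "aperez": True, "svc-backup": False}

# Constructed successful-login events as the gateway might record them.
SAMPLE_AUTH_EVENTS = [
    {"user": "jsmith", "two_factor": True, "src": "192.0.2.55"},
    {"user": "JSmith", "two_factor": False, "src": "198.51.100.7"},
    {"user": "svc-backup", "two_factor": False, "src": "10.0.0.5"},
    {"user": "unknownuser", "two_factor": False, "src": "198.51.100.9"},
]


def find_missing_second_factor(events, directory):
    """Flag successful logins where the directory requires a second factor but none
    was presented. A username that matches an account only after case folding is
    the pattern CVE-2020-12812 exploited, so it is reported as 'case-mismatch'."""
    canonical = {name.lower(): name for name in directory}
    findings = []
    for ev in events:
        canon = canonical.get(ev["user"].lower())
        if canon is None or not directory[canon] or ev["two_factor"]:
            continue                      # unknown account, no 2FA required, or 2FA done
        reason = "case-mismatch" if ev["user"] != canon else "missing-2fa"
        findings.append({"user": ev["user"], "canonical": canon,
                         "src": ev["src"], "reason": reason})
    return findings


if __name__ == "__main__":
    for ip, uri in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {uri}")
    for f in find_missing_second_factor(SAMPLE_AUTH_EVENTS, DIRECTORY_USERS):
        print(f"login without second factor: {f}")
```

Run as-is it reports the two traversal requests from 198.51.100.7 and the "JSmith" login. In production the two lists would be fed from the gateway's HTTP and authentication logs, and the second check is only as good as the directory export being the authoritative spelling of each account name.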
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” FBI and CISA said.
Cring ransomware was first observed and reported by security researcher Amigo_A and Swisscom’s CSIRT in late January of this year.
Typical of ransomware, Cring encrypts victims’ files and demands that victims pay a certain amount (payable in bitcoin) in exchange for the decryption keys that unlock the encrypted files.
Swisscom’s CSIRT and Kaspersky Lab reported that in the Cring ransomware attacks, after the attackers gained access to victims’ networks, they dropped a customized Mimikatz into the networks, followed by Cobalt Strike. Mimikatz is an open-source tool that allows users to view and save authentication credentials.
Cobalt Strike, meanwhile, is a commercial penetration testing toolkit usually used by security researchers. Malicious software (malware) developers, however, have cracked and abused Cobalt Strike for malicious purposes.
According to researchers at Kaspersky Lab, after Cring ransomware attackers gained access to the victim’s network by exploiting CVE-2018-13379, the attackers dropped Mimikatz into the compromised system. The researchers said Mimikatz was used to steal the account credentials of Windows users who had previously logged in to the compromised system. With the help of Mimikatz, the attackers were able to compromise the domain administrator account.
After compromising the domain administrator account, the researchers said, Cring ransomware attackers distributed malware to other systems on the organization’s network through the use of Cobalt Strike. The Cobalt Strike Beacon backdoor, researchers at Kaspersky Lab said, provided the attackers with remote control of the infected system.
Cybersecurity Best Practices
Here are some best practices for preventing Cring ransomware attacks and ransomware attacks in general:
Keep all software up to date
The group behind Cring ransomware exploited the fact that despite the availability of a security patch for CVE-2018-13379, many users have delayed the application of this security patch. If your organization has delayed the application of the security patch for CVE-2018-13379, assume that your organization’s network has already been compromised.
Implement the principle of least privilege
Change the Active Directory policy in line with the principle of least privilege, a security best practice that requires limiting privileges to the minimum necessary to perform a job. An Active Directory policy that follows the principle of least privilege allows users to log in only to those systems needed to perform their function.
Practice Network Segmentation
Network segmentation refers to the practice of subdividing your organization’s network into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected. Restrict VPN access between sub-networks.
What Is Cryptomining Attack and How to Prevent Such Attack
The price of Bitcoin, the recognized leader among thousands of cryptocurrencies, has skyrocketed from $100 in 2013 to nearly $60,000 in March 2021.
The dizzying rise, not just of Bitcoin but of other cryptocurrencies as well, has given rise to the cyberattack known as a “cryptomining attack.”
What Is Cryptomining Attack?
In a cryptomining attack, also known as cryptojacking, an attacker uses the computing power of others without the knowledge or permission of the owners of that computing power.
Bitcoin and other cryptocurrencies are virtual currencies. They exist only online and have no physical notes or coins.
If done with the knowledge and permission of the computing power owner, cryptomining is legal. It’s important to note, however, that some countries ban cryptomining and cryptocurrency in general.
Many cryptocurrencies use cryptomining – the use of the processing power of computers to solve complex mathematical problems and verify cryptocurrency transactions. Crypto miners, meanwhile, are rewarded a certain amount of cryptocurrency for the use of computing power.
Cryptomining can be done on physical computers and via cloud computing. On physical computers, cryptomining attacks can be detected relatively easily through a noticeable slowdown in device performance, reduced productivity of the device, and unexpected increases in electricity costs.
With cloud-based cryptomining attacks, threat actors can illicitly use cloud computing resources for a long time without detection. Typically, cloud-based cryptomining attacks are only discovered when the victim finds an inflated cloud usage bill.
Prevalence of Cryptomining Attacks
Cryptomining attacks have been around for years. The noticeable uptick of cryptomining attacks happened in 2017 when the Bitcoin price reached $20,000.
Internet-Exposed Kubernetes Pods
In February 2018, researchers at RedLock reported that Tesla fell victim to cryptomining attack. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock researchers said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
The cryptocurrency mined using Tesla’s computing resources was Monero. At the time of writing, the price of Monero is $261.57.
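The Tesla incident combined two failures: a console reachable without authentication, and a pod whose environment carried long-term cloud credentials in clear text for anyone who reached that console to read. The following is an added Python example, not RedLock’s or Tesla’s code, showing the kind of manifest check that catches the second failure before deployment. It takes a pod manifest that has already been parsed into a dict (the manifest, image names and the AKIA... value are constructed placeholders, not real credentials) and flags environment variables that carry a literal value under a credential-like name or a value shaped like an AWS access key ID, while accepting the secretKeyRef pattern that keeps the value out of the manifest.

```python
import re

# Variable names that usually hold credentials (assumption: a common, not exhaustive, list).
CREDENTIAL_NAME_RE = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|ACCESS_KEY|PRIVATE_KEY", re.IGNORECASE)
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed pod manifest (already parsed from YAML/JSON into a dict); not a real workload.
# "AKIAEXAMPLEKEY000001" is a placeholder shaped like a key ID, not a real credential.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "telemetry-ingest", "namespace": "demo"},
    "spec": {
        "containers": [
            {
                "name": "ingest",
                "image": "registry.example.invalid/ingest:1.0",
                "env": [
                    {"name": "AWS_REGION", "value": "us-west-2"},
                    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEKEY000001"},
                    {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-secret-value"},
                    # The safe pattern: the value lives in a Secret object, not the manifest.
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
                ],
            },
            {
                "name": "sidecar",
                "image": "registry.example.invalid/sidecar:1.0",
                "env": [{"name": "LOG_LEVEL", "value": "info"}],
            },
        ]
    },
}


def find_plaintext_credentials(pod):
    """Return one finding per env var that embeds a credential literally in the manifest."""
    findings = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    for container in pod.get("spec", {}).get("containers", []):
        for env in container.get("env", []):
            if "value" not in env:
                continue          # valueFrom (secretKeyRef/configMapKeyRef) carries no literal
            name = env.get("name", "")
            value = str(env["value"])
            reasons = []
            if CREDENTIAL_NAME_RE.search(name):
                reasons.append("credential-like variable name with a literal value")
            if AWS_KEY_ID_RE.search(value):
                reasons.append("value is shaped like an AWS access key ID")
            if reasons:
                findings.append({"pod": pod_name, "container": container.get("name", "?"),
                                 "env": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_POD):
        print(finding)
```

The check is deliberately conservative about what it accepts: any env entry with a literal value and a credential-like name is reported, so a reviewer can decide whether a Secret, an IAM role bound to the pod’s service account, or another mechanism should replace it. Name matching alone misses a key stored under an innocuous name, which is why the value-shape test runs on every literal as well.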
QNAP NAS Vulnerabilities
Researchers at 360 Netlab reported that on March 2, 2021, they detected attacks targeting QNAP NAS devices via two unauthorized remote command execution vulnerabilities, CVE-2020-2506 and CVE-2020-2507.
CVE-2020-2506 is a security vulnerability in QNAP NAS devices that allows attackers to compromise the device’s software security, enabling them to gain privileges or read sensitive information. CVE-2020-2507, meanwhile, is a command injection vulnerability in QNAP NAS devices that can allow remote attackers to run arbitrary commands.
Successful exploitation of CVE-2020-2506 and CVE-2020-2507, researchers at 360 Netlab said, allowed the attacker to gain root privileges on the devices and perform cryptomining attacks. Researchers at 360 Netlab named the malicious software (malware) that exploits CVE-2020-2506 and CVE-2020-2507 in QNAP NAS devices and conducts cryptomining on them “UnityMiner.”
UnityMiner, 360 Netlab researchers said, allows the attackers to hide the illicit cryptomining process and the real CPU and memory usage information. With UnityMiner, the researchers said, QNAP users who check system usage via the web management interface cannot see the abnormal system behavior.
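The lesson of UnityMiner is that a device’s own management interface is not a trustworthy witness once the device is compromised, so a defender needs a second measurement the hidden process cannot edit. The following is an added Python example, not 360 Netlab’s or QNAP’s code: it derives overall CPU busy time from two /proc/stat samples (constructed here; on a real system they would be read a few seconds apart through a channel independent of the web interface, such as SSH or a serial console), sums the per-process CPU figures the web interface reports (also constructed), and treats a large unexplained gap as a sign of a hidden consumer.

```python
# Constructed /proc/stat "cpu" lines taken a few seconds apart (fields: user nice
# system idle iowait irq softirq steal guest guest_nice, in clock ticks).
PROC_STAT_BEFORE = "cpu  1000 0 500 8000 100 0 50 0 0 0"
PROC_STAT_AFTER = "cpu  4000 0 1500 9000 100 0 100 0 0 0"

# Constructed per-process CPU percentages as shown by the device's web interface;
# a process that hides itself from the UI simply never appears in this list.
UI_REPORTED_PROCESSES = [("nginx", 2.0), ("smbd", 5.0), ("nas-webui", 3.0)]


def busy_percent_from_proc_stat(before, after):
    """Overall CPU busy percentage between two /proc/stat 'cpu' samples.
    Idle time is idle + iowait; total time is the first eight fields (user..steal)."""
    def parse(line):
        fields = [int(x) for x in line.split()[1:]]
        return fields[3] + fields[4], sum(fields[:8])

    idle1, total1 = parse(before)
    idle2, total2 = parse(after)
    total_delta = total2 - total1
    if total_delta <= 0:
        raise ValueError("samples must be taken at different times, 'before' first")
    return 100.0 * (1 - (idle2 - idle1) / total_delta)


def find_hidden_cpu_usage(reported, measured_busy_percent, tolerance=15.0):
    """Compare the CPU the UI accounts for with CPU measured independently. A gap
    larger than tolerance (percentage points) means something is consuming CPU that
    the interface does not show, which is exactly what UnityMiner arranges."""
    accounted = sum(cpu for _, cpu in reported)
    gap = measured_busy_percent - accounted
    return {
        "measured_busy": round(measured_busy_percent, 1),
        "accounted_by_ui": round(accounted, 1),
        "gap": round(gap, 1),
        "hidden_consumer_suspected": gap > tolerance,
    }


if __name__ == "__main__":
    busy = busy_percent_from_proc_stat(PROC_STAT_BEFORE, PROC_STAT_AFTER)
    print(find_hidden_cpu_usage(UI_REPORTED_PROCESSES, busy))
```

With the constructed samples the kernel counters show the CPU about 80% busy while the interface accounts for 10%, a 70-point gap that no normal scheduling jitter explains. The tolerance exists because per-process percentages and the whole-CPU figure are sampled at slightly different instants and never reconcile exactly; where the kernel itself is suspect, the same comparison can be made against power draw or against a packet capture of outbound mining-pool traffic taken off-box.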
In January 2021, Imperva researchers reported a botnet in which one of its primary activities was performing cryptomining attacks.
A botnet, also known as a zombie army, is a group of hijacked internet-connected computers, each injected with malware and controlled from a remote location by an attacker to perform malicious activities such as cryptomining. According to Imperva researchers, the malware they discovered exploited the security vulnerability designated CVE-2021-3007.
The CVE-2021-3007 vulnerability has two opposing claims: one claim is that this is a Zend Framework vulnerability that can lead to remote code execution; the other claim, meanwhile, is that this is a "vulnerability in the PHP language itself."
According to Imperva researchers, successful exploitation of CVE-2021-3007 allows the attackers to run XMRig, a legitimate open-source program that uses system CPUs to mine the cryptocurrency Monero. Cybercriminals, however, abuse XMRig to earn cryptomining revenue by launching cryptomining attacks on victims’ computing resources.
In the case of a botnet, once a victim’s computer is enslaved as part of a zombie army, injected with malware and controlled from a remote location by an attacker to perform malicious activities, there’s no limit to what the attacker can do. In addition to illicit cryptomining, your organization’s computers could be used for other malicious activities such as distributed denial-of-service (DDoS) attacks.
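Two detection approaches follow from the earlier section on cryptomining symptoms and from the XMRig botnet described here: resource anomalies (a process holding a core saturated for minutes on end, or a cloud bill that jumps with no matching workload change) and indicator matching on the mining-pool protocol and the miner binary name. The following is an added Python example, not Imperva’s code, that implements both over constructed process telemetry and constructed daily spend figures. The process names, pool hostname and cost values are made up, and the stratum+tcp/stratum+ssl URL scheme and the xmrig name are assumed to be common indicators rather than an exhaustive list.

```python
import re
import statistics
from collections import defaultdict

# Command-line indicators of pool mining (assumption: common, not exhaustive): the
# stratum mining-protocol URL scheme and the XMRig binary name.
MINER_INDICATORS = re.compile(r"stratum\+(tcp|ssl)://|xmrig", re.IGNORECASE)

# Constructed per-minute process samples (minute, pid, comm, cmdline, cpu_percent).
# php-fpm has one short spike; the renamed miner stays pinned the whole window.
SAMPLE_PROCESS_TELEMETRY = [
    (m, 1201, "php-fpm", "php-fpm: pool www", cpu)
    for m, cpu in enumerate([12.0, 85.0, 10.0, 14.0, 11.0, 13.0])
] + [
    (m, 4412, "kworkerd", "./kworkerd stratum+tcp://pool.example.invalid:3333", cpu)
    for m, cpu in enumerate([95.0, 97.0, 96.0, 98.0, 95.0, 97.0])
]


def find_mining_processes(samples, cpu_threshold=80.0, min_minutes=5):
    """Flag processes that keep a core saturated for min_minutes consecutive samples
    or carry a miner indicator in their command line; a burst alone is not enough."""
    by_pid = defaultdict(list)
    for minute, pid, comm, cmdline, cpu in samples:
        by_pid[pid].append((minute, comm, cmdline, cpu))
    findings = []
    for pid, rows in by_pid.items():
        rows.sort()                                   # order by minute
        longest = run = 0
        for _, _, _, cpu in rows:
            run = run + 1 if cpu >= cpu_threshold else 0
            longest = max(longest, run)
        comm, cmdline = rows[0][1], rows[0][2]
        reasons = []
        if longest >= min_minutes:
            reasons.append(f"cpu>={cpu_threshold:.0f}% for {longest} consecutive minutes")
        if MINER_INDICATORS.search(cmdline):
            reasons.append("mining-pool indicator in command line")
        if reasons:
            findings.append({"pid": pid, "comm": comm, "reasons": reasons})
    return findings


# Constructed daily cloud compute spend in USD for ten days; the last three days carry
# the inflated bill that is often the first sign of cloud-based cryptomining.
SAMPLE_DAILY_SPEND = [102.0, 98.5, 101.2, 99.8, 103.4, 97.9, 100.6, 355.0, 362.4, 358.1]


def find_spend_anomalies(daily_spend, baseline_days=7, factor=2.0):
    """Return indices of days whose spend exceeds factor x the median of the preceding
    baseline_days days. The median keeps one spike from inflating the next baseline."""
    anomalies = []
    for i in range(baseline_days, len(daily_spend)):
        baseline = statistics.median(daily_spend[i - baseline_days:i])
        if daily_spend[i] > factor * baseline:
            anomalies.append(i)
    return anomalies


if __name__ == "__main__":
    for f in find_mining_processes(SAMPLE_PROCESS_TELEMETRY):
        print("suspect process:", f)
    print("anomalous spend days:", find_spend_anomalies(SAMPLE_DAILY_SPEND))
```

On the constructed data only pid 4412 is reported, on both grounds, while the legitimate php-fpm burst at minute 1 is ignored; days 7, 8 and 9 of the spend series are flagged. Thresholds and the baseline window need tuning per environment (a build farm legitimately saturates cores; a retailer’s bill climbs before a sale), so this logic belongs in a monitoring rule whose parameters the team reviews, not a one-off script.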
Best Practices to Prevent Cryptomining Attacks
Here are some best practices for preventing threat actors from using your organization’s computing power for illicit cryptomining:
Steve E. Driz, I.S.P., ITCP