Unpatched VPN Vulnerabilities: Attackers’ New Gateway to Gain Access to Victims’ Networks
A new report showed that ransomware attackers are using unpatched VPN vulnerabilities to gain access to victims’ networks.
Fortinet VPN Vulnerabilities
In the report “Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks,” researchers at Kaspersky Lab found that the group behind the ransomware called “Cring” gained access to victims’ networks by exploiting CVE-2018-13379, a known security vulnerability in the SSL VPN web portal of Fortinet FortiOS that allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
According to researchers at Kaspersky Lab, the CVE-2018-13379 vulnerability was used to extract the session file of the VPN Gateway. The session file contains valuable information, such as the username and plaintext password, the researchers said.
Researchers at Kaspersky Lab added that several days prior to the start of the main attack phase, the attackers performed test connections to the VPN Gateway. The attackers may have identified the vulnerable device themselves by scanning IP addresses, the researchers said. Alternatively, they may have bought a ready-made list of IP addresses of vulnerable Fortinet VPN Gateway devices, since an offer to buy a database of vulnerable Fortinet VPN Gateway devices appeared on a dark web forum in autumn 2020.
In a joint advisory, "APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks," the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported that in March 2021 they observed threat actors scanning the internet for Fortinet VPN Gateway devices that had not applied the security patches for the vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Fortinet, for its part, had issued a security patch for each of these three vulnerabilities.
CVE-2020-12812 is a security vulnerability in Fortinet VPN devices that can allow threat actors to log in successfully without being prompted for the second factor of authentication if they change the case of their username. CVE-2019-5591, meanwhile, is a security vulnerability in Fortinet VPN Gateway devices that can allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
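An added example, not from the report or the original article: a small Python triage script over constructed log lines that flags the two patterns described above, portal requests carrying directory traversal (the unauthenticated file-read pattern of CVE-2018-13379) and successful logins whose username differs from the directory entry only by case (the CVE-2020-12812 second-factor bypass). The portal path, log field names, IPs and account names are assumptions, not Fortinet’s real log formats.

```python
import re
from urllib.parse import unquote

# Constructed sample logs (not from the report): portal paths, IPs, usernames
# and field names are illustrative; a real appliance's log format differs.
ACCESS_LOG = [
    "198.51.100.7 GET /sslvpn/login?lang=en 200",
    "198.51.100.7 GET /sslvpn/login?lang=/../../../../conf/session.db 200",
    "203.0.113.9 GET /sslvpn/login?lang=%2e%2e%2f%2e%2e%2fconf%2fsession.db 200",
    "192.0.2.4 GET /sslvpn/portal 200",
]
AUTH_LOG = [
    "198.51.100.7 sslvpn login user=jsmith result=success mfa=prompted",
    "198.51.100.7 sslvpn login user=JSmith result=success mfa=none",
    "192.0.2.4 sslvpn login user=mlopez result=success mfa=prompted",
    "203.0.113.9 sslvpn login user=svc_backup result=failure mfa=none",
]
# Constructed directory: account names exactly as the directory stores them.
DIRECTORY = {"jsmith", "mlopez", "svc_backup"}
TRAVERSAL = re.compile(r"\.\.[\\/]|[\\/]\.\.$")

def is_traversal(url):
    """True if the URL holds a '../'-style segment after two rounds of
    percent-decoding, so single- and double-encoded variants are caught."""
    for _ in range(2):
        url = unquote(url)
    return bool(TRAVERSAL.search(url))

def traversal_requests(lines):
    """(source, path) for portal requests carrying directory traversal: the
    unauthenticated file-read pattern of CVE-2018-13379 described above."""
    return [(src, path) for src, _m, path, _s in map(str.split, lines)
            if is_traversal(path)]

def suspicious_logins(lines):
    """(source, username, reason) for successful logins whose username differs
    from the directory only by case (CVE-2020-12812) or that skipped the second factor."""
    canonical = {u.lower(): u for u in DIRECTORY}
    hits = []
    for line in lines:
        m = re.match(r"(\S+) .*user=(\S+) result=success mfa=(\S+)", line)
        if not m:
            continue
        src, user, mfa = m.groups()
        canon = canonical.get(user.lower())
        if canon is not None and user != canon:
            hits.append((src, user, "username case differs from " + canon))
        elif mfa != "prompted":
            hits.append((src, user, "no second factor"))
    return hits
```

Both checks are cheap enough to run over exported appliance logs as a first pass; a hit from the same source on both lists is the sequence the report describes (a crafted request followed by use of the harvested credentials).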
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” FBI and CISA said.
Typical of ransomware, Cring encrypts victims’ files and demands that victims pay a certain amount (payable in bitcoin) in exchange for the decryption keys that unlock the encrypted files.
Swisscom’s CSIRT and Kaspersky Lab reported that in the case of Cring ransomware attacks, after the attackers gained access to victims’ networks, they dropped a customized Mimikatz into the victims’ networks, followed by CobaltStrike. Mimikatz is an open-source tool that allows users to view and save authentication credentials.
CobaltStrike, meanwhile, is a commercial penetration testing toolkit usually used by security researchers. Malicious software (malware) developers have cracked and abused CobaltStrike for malicious purposes.
According to researchers at Kaspersky Lab, after Cring ransomware attackers gained access to the victim’s network by exploiting CVE-2018-13379, they dropped Mimikatz onto the compromised system. The researchers said Mimikatz was used to steal the account credentials of Windows users who had previously logged in to the compromised system. With the help of Mimikatz, the attackers were able to compromise the domain administrator account.
After compromising the domain administrator account, the researchers said, Cring ransomware attackers distributed malware to other systems on the organization’s network through the use of Cobalt Strike. The Cobalt Strike Beacon backdoor, researchers at Kaspersky Lab said, provided the attackers with remote control of the infected system.
Cybersecurity Best Practices
Here are some best practices for preventing Cring ransomware attacks and ransomware attacks in general:
Keep all software up to date
The group behind Cring ransomware exploited the fact that despite the availability of a security patch for CVE-2018-13379, many users have delayed the application of this security patch. If your organization has delayed the application of the security patch for CVE-2018-13379, assume that your organization’s network has already been compromised.
Implement the principle of least privilege
Change the Active Directory policy in line with the principle of least privilege, a security best practice that requires limiting privileges to the minimum necessary to perform a job. An Active Directory policy that is in line with the principle of least privilege allows users to log in only to those systems needed to perform their function.
Practice Network Segmentation
Network segmentation refers to the practice of subdividing your organization’s network into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected. Restrict VPN access between sub-networks.
Steve E. Driz, I.S.P., ITCP