An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in FortiGate VPN servers.
# Incident Report: Cring Ransomware Exploitation of FortiGate VPN Vulnerabilities
## Executive Summary
Threat actors gained unauthorized access to an industrial enterprise’s network by exploiting a known vulnerability (CVE-2018-13379) in unpatched FortiGate VPN servers. Once inside, the attackers moved laterally to compromise the domain controller and deployed Cring ransomware, leading to a complete shutdown of the facility's production process.
## Incident Details
- **Discovery Date:** Q1 2021
- **Incident Date:** January - March 2021
- **Affected Organization:** Unnamed Industrial Enterprise
- **Sector:** Manufacturing / Industrial (ICS)
- **Geography:** Europe
## Timeline of Events
### Initial Access
- **Date/Time:** Several days prior to encryption.
- **Vector:** Exploitation of CVE-2018-13379 in FortiOS.
- **Details:** Attackers exploited an unpatched FortiGate VPN server to download the `sslvpn_websession` session file, which contained cleartext credentials of users who had recently connected to the VPN.
### Lateral Movement
- **Credential Theft:** Attackers utilized Mimikatz to extract administrative credentials from memory on compromised workstations.
- **Propagation:** Using the hijacked administrative accounts, the attackers utilized Cobalt Strike and PowerShell to move from the VPN gateway to the internal network and eventually to the Domain Controller.
### Data Exfiltration/Impact
- **Operational Impact:** The primary goal was encryption rather than theft. After gaining control of the Domain Controller, the attackers deployed the Cring ransomware via malicious scripts.
- **Encryption:** All servers and workstations associated with the production process were encrypted, causing a total halt in manufacturing operations.
### Detection & Response
- **Discovery:** The incident was detected when employees lost access to files and ransom notes appeared on screens.
- **Response Actions Taken:** Incident response teams conducted a forensic analysis, isolated the infected segments, and began the restoration process from backups (where available).
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2018-13379 (Path Traversal) on FortiGate SSL VPN.
- **Persistence:** Installation of Cobalt Strike beacons and creation of scheduled tasks.
- **Privilege Escalation:** Use of Mimikatz to dump LSASS memory and obtain Domain Admin credentials.
- **Defense Evasion:** Use of legitimate administrative tools (PowerShell, WMI) and obfuscated scripts; disabling of antivirus software via scripts.
- **Credential Access:** Extraction of cleartext credentials from VPN session files, followed by in-memory credential dumping with Mimikatz.
- **Discovery:** Scanned internal network for servers, specifically targeting the Domain Controller and backup servers.
- **Lateral Movement:** Cobalt Strike, PowerShell, and RDP.
- **Collection:** Mapping of network shares and databases.
- **Exfiltration:** N/A (Focus was on encryption).
- **Impact:** Deployment of Cring ransomware (.cring extension) and deletion of Volume Shadow Copies.
## Impact Assessment
- **Financial:** Significant losses due to production downtime and incident response costs.
- **Data Breach:** Loss of data availability; integrity of industrial control configurations compromised.
- **Operational:** Total shutdown of production lines at the affected plant.
- **Reputational:** Potential loss of customer trust in the supply chain.
## Indicators of Compromise
- **Network Indicators:**
  - Connectivity to `91[.]218[.]114[.]31` (C2 server)
  - Connectivity to `188[.]165[.]209[.]202`
- **File Indicators:**
  - `kaspersky_assistant.exe` (Fake binary used for malicious activity)
  - `__system__.exe` (Cring Ransomware executable)
  - `temp.ps1` (Malicious PowerShell script)
- **Behavioral Indicators:**
  - High volume of `sslvpn_websession` file access on FortiGate devices.
  - Mass execution of `taskkill` commands targeting database and backup software.
## Response Actions
- **Containment:** Disconnected the FortiGate VPN from the network and forced password resets for all domain accounts.
- **Eradication:** Removed Cobalt Strike beacons and cleaned infected registry keys.
- **Recovery:** Restored production systems from offline backups after verifying the integrity of the backup data.
## Lessons Learned
- **Patch Management:** The vulnerability exploited (CVE-2018-13379) had a patch available for nearly two years; the delay in patching critical edge devices was the primary root cause.
- **Antivirus Gaps:** Antivirus solutions were either not installed on all servers or were manually disabled by the attackers using the compromised admin credentials.
- **VPN Security:** Cleartext credential storage in session files highlights the danger of running legacy software versions on edge devices.
## Recommendations
- **Immediate Patching:** Update FortiOS to the latest version immediately to remediate CVE-2018-13379.
- **Multi-Factor Authentication (MFA):** Implement MFA for all VPN connections so that stolen credentials alone cannot be reused for access.
- **Endpoint Protection:** Ensure EDR/AV is configured with tamper protection to prevent attackers from disabling security services.
- **Network Segmentation:** Isolate the Industrial Control System (ICS) network from the corporate/VPN network.
- **Review Logs:** Regularly audit VPN access logs for unusual IP addresses or unauthorized file access.
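The two behavioral indicators above (session-file access on the VPN gateway, mass `taskkill` of database and backup processes) and the log-review recommendation can be turned into a simple detection pass. The following is an added example, not code from the Kaspersky ICS CERT report: the log lines, process events and the watch-list of process names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed FortiGate-style web access lines: "<client> <method> <path> <status>".
# These are invented samples, not captured device logs.
VPN_ACCESS_LOG = [
    "198.51.100.7 GET /remote/login 200",
    "203.0.113.9 GET /remote/lang?file=../../sslvpn_websession 200",
    "203.0.113.9 GET /remote/lang?file=../../sslvpn_websession 200",
    "198.51.100.7 GET /remote/logout 200",
]

# Constructed process-creation events (host, command line), e.g. from Sysmon Event ID 1.
PROC_EVENTS = [
    ("DC01", "taskkill /f /im sqlservr.exe"),
    ("DC01", "taskkill /f /im veeam.backup.service.exe"),
    ("DC01", "taskkill /f /im oracle.exe"),
    ("WS12", "taskkill /f /im notepad.exe"),
]

# Assumed watch-list of database/backup process names (illustrative, not from the report).
PROTECTED_PROCS = {"sqlservr.exe", "oracle.exe", "veeam.backup.service.exe", "mysqld.exe"}

TRAVERSAL_RE = re.compile(r"(?:\.\./|%2e%2e%2f)", re.IGNORECASE)
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.IGNORECASE)


def flag_session_file_reads(lines):
    """Return {client_ip: count} for requests that combine a path-traversal
    sequence with the sslvpn_websession file name (the CVE-2018-13379 pattern)."""
    hits = Counter()
    for line in lines:
        client, _method, path, _status = line.split()
        if "sslvpn_websession" in path and TRAVERSAL_RE.search(path):
            hits[client] += 1
    return dict(hits)


def flag_mass_taskkill(events, threshold=2):
    """Return {host: [killed processes]} for hosts where taskkill targeted at
    least `threshold` distinct database/backup processes (pre-encryption behaviour)."""
    killed = defaultdict(set)
    for host, cmdline in events:
        m = TASKKILL_RE.search(cmdline)
        if m and m.group(1).lower() in PROTECTED_PROCS:
            killed[host].add(m.group(1).lower())
    return {h: sorted(p) for h, p in killed.items() if len(p) >= threshold}


if __name__ == "__main__":
    print(flag_session_file_reads(VPN_ACCESS_LOG))  # {'203.0.113.9': 2}
    print(flag_mass_taskkill(PROC_EVENTS))
```

Any client flagged by the first function should be correlated with VPN authentication logs for the accounts whose sessions were live at the time, since those are the credentials exposed by the session file.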