Cybercriminals have exploited a security vulnerability in VPN servers to encrypt victims' networks with a new form of ransomware, disrupting industrial facilities in the process.
The ransomware is detailed in a report by security firm Kaspersky, following an investigation into ransomware attacks on unspecified victims in Europe.
At least one of these attacks on industrial facilities successfully used the ransomware to encrypt industrial control servers, resulting in a temporary shutdown of operations. Kaspersky did not identify the victim of the successful attack or say how the incident was recovered from, but it did detail how the ransomware encrypts networks and how the cybercriminals gained access to them.
The ransomware, known as Cring, first appeared in January and exploits a vulnerability in FortiGate VPN servers (CVE-2018-13379). Fortinet issued a security patch for the vulnerability last year, but cybercriminals can still exploit it on networks that have not yet applied the update.
By exploiting an unpatched VPN appliance, an attacker can remotely obtain a username and password and then log in to the network manually.
From there, the attacker downloads Mimikatz, an open-source tool for viewing and saving credentials, and uses it to steal additional usernames and passwords. These are used to move laterally through the network, deploying tools such as Cobalt Strike, a legitimate penetration-testing framework, to gain more control over the infected systems.
A malicious PowerShell script is then used to deploy the Cring ransomware and encrypt all of the compromised systems across the network. At that point, a ransom note tells the victim that the network has been encrypted and that a ransom must be paid in Bitcoin to restore it.
There is no information on how the incident at the European industrial facility was resolved, but the researchers say that the failure to apply security patches for known vulnerabilities was the "main cause" of the incident.
Other factors that allowed the attackers to deploy ransomware on the network included a failure to apply timely updates to the antivirus software that was supposed to protect the network, and the fact that some components of that antivirus solution had been turned off, reducing its ability to detect intrusions or malicious activity.
The way the network was configured also assisted the attacker, allowing them to move between systems that did not need to be on the same network.
"There were no restrictions on access to different systems, which meant that all users could access all systems. With such a setting, an attacker could gain access by compromising only one user account and distribute malware more quickly over corporate networks, since it works with many systems," said Vyacheslav Kopeytsev, senior security researcher at Kaspersky.
To protect networks from Cring ransomware attacks, Kaspersky's researchers recommend applying the security updates for FortiGate VPN servers to prevent exploitation of the known vulnerability.
They also recommend limiting VPN access to those who need it for operational reasons, and closing ports that do not need to be exposed to the open web.
The researchers also suggest that critical systems be backed up offline, so that if the worst happens and the network falls victim to a ransomware attack, it can be restored without paying the criminals.
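As an added example, not part of Kaspersky's report or this article, the following Python script runs a simple detection over host-logon records to catch one account reaching many systems within a few minutes, the fan-out that an unsegmented network with no access restrictions permits. The log format, account names and host names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of host-logon records (not a real FortiGate or Windows log format):
# "<ISO timestamp> user=<account> src=<ip> dst=<hostname>"
SAMPLE_LOGONS = """\
2021-01-10T02:00:05 user=svc_backup src=10.0.5.20 dst=FILESRV01
2021-01-10T02:00:41 user=svc_backup src=10.0.5.20 dst=HMI-PLANT-A
2021-01-10T02:01:12 user=svc_backup src=10.0.5.20 dst=SCADA-HIST01
2021-01-10T02:01:55 user=svc_backup src=10.0.5.20 dst=DC01
2021-01-10T02:02:30 user=svc_backup src=10.0.5.20 dst=ENG-WS07
2021-01-10T08:15:00 user=jsmith src=10.0.7.11 dst=FILESRV01
2021-01-10T09:40:00 user=jsmith src=10.0.7.11 dst=ENG-WS07
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) dst=(\S+)$")

def parse_logons(text):
    """Return a list of (timestamp, user, src, dst) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records

def fan_out_alerts(records, window=timedelta(minutes=10), max_hosts=3):
    """Map each account that reaches more than max_hosts distinct hosts inside any
    sliding time window to the largest host count seen. One account touching many
    systems in minutes is what a flat network allows; flag it before encryption starts."""
    by_user = defaultdict(list)
    for ts, user, _src, dst in sorted(records):
        by_user[user].append((ts, dst))
    alerts = {}
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old events
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[user] = max(len(hosts), alerts.get(user, 0))
    return alerts

if __name__ == "__main__":
    print(fan_out_alerts(parse_logons(SAMPLE_LOGONS)))  # {'svc_backup': 5}
```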