Bitcoin ransomware attacked industrial facilities through a vulnerability in VPN servers

forklog.com


Kaspersky ICS CERT experts investigated a series of attacks using the Cring ransomware virus. Among the victims were industrial enterprises in European countries, from which hackers extorted bitcoins.

The attacks occurred in early 2021 and in at least one case led to a temporary halt in production at two Italian factories of an international industrial holding headquartered in Germany.

The researchers found that the Cring ransomware operators exploited a vulnerability in Fortigate VPN servers to penetrate the network. The flaw allows an unauthenticated attacker to connect to the device and remotely read the session file, which contains the username and password in clear text.

The issue was fixed by the manufacturer in 2019, but not all device owners have applied the update. In the fall of 2020, offers to sell a database of IP addresses of vulnerable devices began to appear on darknet forums.

After gaining access to the first system on the corporate network, the Cring operators used the Mimikatz utility to steal the credentials of Windows user accounts that had previously logged on to the initially compromised computer. In this way the cybercriminals obtained the credentials of the domain administrator.

The hackers then selected several systems that they considered important for the operation of the industrial enterprise and launched the Cring ransomware on them.

Attack scheme. Data: Kaspersky Lab.

To restore access to the encrypted servers, the malware operators demanded a ransom of 2 BTC.

Ransom message. Data: Kaspersky Lab.

Various details of the attack indicate that the attackers had thoroughly studied the infrastructure of the targeted organization.

“The cybercriminals’ scripts masqueraded the activity of the malware as a security solution used in the enterprise, and terminated the processes of the database servers (Microsoft SQL Server) and backup systems (Veeam) used on the systems that were selected for encryption,” added Kaspersky ICS CERT.
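As an added example (not from the article or from Kaspersky's report), a small Python detector for the pre-encryption pattern the quote describes: a Microsoft SQL Server process and a Veeam process exiting on the same host within a short time window. The log lines, host names, timestamps and paths are constructed for the example; the event format is a simplified rendering of Windows Security event 4689 (process exit).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-exit events, simplified to
# "timestamp host event_id image_path". Hosts, times and paths are made up.
SAMPLE_LOG = """\
2021-01-20T03:12:01 SRV-DB01 4689 C:\\Program Files\\Microsoft SQL Server\\MSSQL15\\MSSQL\\Binn\\sqlservr.exe
2021-01-20T03:12:04 SRV-DB01 4689 C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe
2021-01-20T03:12:05 SRV-DB01 4689 C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Manager.exe
2021-01-20T09:00:00 SRV-APP02 4689 C:\\Windows\\System32\\notepad.exe
2021-01-20T22:30:00 SRV-APP02 4689 C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe
2021-01-21T04:00:00 SRV-APP02 4689 C:\\Program Files\\Microsoft SQL Server\\MSSQL15\\MSSQL\\Binn\\sqlservr.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.+)$")
DB_IMAGES = {"sqlservr.exe"}        # Microsoft SQL Server database engine
BACKUP_PREFIX = "veeam"              # Veeam services and agents share this prefix
WINDOW = timedelta(seconds=120)      # how close the two exits must be to correlate


def parse(log_text):
    """Yield (time, host, lower-cased image name) for every 4689 process-exit line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "4689":
            continue
        ts, host, _, path = m.groups()
        yield datetime.fromisoformat(ts), host, path.rsplit("\\", 1)[-1].lower()


def find_precursor_activity(log_text, window=WINDOW):
    """Return [(host, first_exit_time)] for hosts where a SQL Server exit and a
    Veeam process exit occur within `window` of each other. Either process
    stopping on its own is routine (restarts, maintenance); both stopping
    together is the pattern the operators produced before encryption."""
    by_host = defaultdict(list)
    for ts, host, image in parse(log_text):
        if image in DB_IMAGES:
            by_host[host].append((ts, "db"))
        elif image.startswith(BACKUP_PREFIX):
            by_host[host].append((ts, "backup"))
    alerts = []
    for host, events in sorted(by_host.items()):
        events.sort()
        for i, (ts, kind) in enumerate(events):
            partner = [t2 for t2, k2 in events[i + 1:] if k2 != kind and t2 - ts <= window]
            if partner:
                alerts.append((host, ts))
                break  # one alert per host is enough
    return alerts
```

On the sample above only SRV-DB01 is flagged; the two exits on SRV-APP02 are hours apart and look like ordinary maintenance.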

To prevent such attacks, the company’s specialists recommend promptly updating the anti-virus databases and software modules of the security solutions used on devices.

Recall that at the end of March, the internal systems of the Canadian IoT device manufacturer Sierra Wireless were paralyzed by a ransomware attack.

The unnamed malware encrypted the company’s internal network, denying employees access to documents and systems related to production and planning.
