By exploiting a vulnerability in FortiOS (an operating system that is mainly used on Fortigate SSL VPN products from Fortinet), attackers have recently managed to infiltrate malware with the name “Cring” into victim networks in order to make entire systems inaccessible in the worst case. Western industrial companies seem to be the most affected. Find out what the attack looks like and what you can do to prevent it.
What happened?
Last week, security researchers from the software company Kaspersky reported the discovery of a new ransomware. This is a program that encrypts files or entire systems and then demands a ransom from the user in order to release them again. Among other things, cybercriminals use the newly discovered software by exploiting unpatched “Fortigate SSL VPN” products – i.e. via devices without current security updates. The researchers found that mainly industrial companies in European countries are targets of these attacks. The malware was named “Cring ransomware.” The first discovery of the vulnerability used to distribute the malware, which was given the number CVE-2018-13379, occurred back in 2018, and Fortinet devices have been attacked several times since then. The initially described combination of the vulnerability already known since 2018 in connection with the new malware “Cring is a newly discovered threat that should not be ignored due to its serious consequences.
What are the risks for my company?
If successful, this remote attack can lead to files and computers being encrypted and thus no longer usable. Most importantly, servers that are used to control the industrial process (for example, to manufacture goods) can also be encrypted – as a result, the process would also be shut down.
How does the attack work in detail?
The entire attack is multi-stage and complex. The first access is gained by the perpetrators via unclosed exploits and thus vulnerable Fortinet VPN devices. This does not directly allow the FortiOS devices themselves to be compromised. But it does enable the attackers to obtain all username and password combinations of all VPN users (who have authenticated at least once to the device) – if the device’s VPN endpoint is configured to provide VPN services to the enterprise.
If the attacker gains access to this information, he can use the VPN credentials of an employee of the company to get into the internal network accessed through the VPN tunnel. First and foremost, this does not mean that a criminal can compromise every system on the network just by exploiting this one vulnerability. But he gains a better insight into the network. This way, it is possible to launch other attacks. If the victim is careless, the VPN accounts are tied to the domain accounts. This may make it possible to log in to a computer with remote access and infect the network from there.
What can I do?
We recommend that you proceed in several steps:
Step 1
Check whether you or your company use Fortigate SSL VPN products. Since the devices have to be purchased or rented, this should be researched through IT administration or, if necessary, through accounting.
Step 2
If so, check which version you have. The following versions are vulnerable:
FortiOS 6.0 – 6.0.0 through 6.0.4.
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
Step 3
Update the unit’s software to the latest version. Remember to always keep the systems updated, even if your devices are not included in the list of vulnerable devices above.
Step 4
Update your security software to the latest versions and always keep them up to date. Also, make sure that all modules of your security solutions are always enabled.
Step 5
Review your organization’s security policies and ensure that users are only allowed to log on to systems that are necessary for their operational needs.
Step 6
Restrict VPN access between different sites, close all ports that are not needed for operational purposes.
Step 7
Ensure you have at least three regularly updated backups of your critical systems that would allow you to restore your operations in the event of an unforeseen attack.
If you have any questions or suspect that you have been attacked, please do not hesitate to contact us.