14.04.2021

Unpatched Fortinet VPN vulnerability allows encryption attack

By exploiting a vulnerability in FortiOS (the operating system used mainly on Fortinet's Fortigate SSL VPN products), attackers have recently managed to smuggle malware called “Cring” into victim networks, in the worst case rendering entire systems inaccessible. Western industrial companies appear to be particularly affected. Find out what the attack looks like and what you can do to prevent it.

What happened?

Last week, security researchers from the software company Kaspersky reported the discovery of a new ransomware strain. Ransomware is a program that encrypts files or entire systems, after which a ransom is demanded from the user before they are released again. Cybercriminals deliver the newly discovered software by exploiting unpatched “Fortigate SSL VPN” products, i.e. devices without current security updates. The researchers found that industrial companies in European countries are the main targets of these attacks. The malware was named “Cring ransomware”. The vulnerability used to distribute the malware, which was assigned the number CVE-2018-13379, was first discovered in 2018, and Fortinet devices have been attacked through it several times since. The combination of this vulnerability, known since 2018, with the new “Cring” malware described at the beginning is a newly discovered threat that should not be ignored because of its severe consequences.

What are the risks for my company?

If successful, this remote attack can lead to files and computers being encrypted and thus rendered unusable. Above all, however, the servers used to control an industrial process (for example, the production of goods) can also be encrypted, which would bring that process to a halt as well.

How does the attack work in detail?

The entire attack is multi-stage and complex. The perpetrators gain initial access via unpatched vulnerabilities, and thus via vulnerable Fortinet VPN devices. This does not directly allow the FortiOS devices themselves to be compromised, but it does enable attackers to obtain the username and password combinations of all VPN users who have authenticated to the device at least once, provided that the device's VPN endpoint is configured to provide VPN services to the company.

If the attacker gains access to this information, they can use the VPN credentials of an employee to get into the internal network that is made accessible via the VPN tunnel. In itself, this does not mean that a criminal can compromise every system on the network just by exploiting this one vulnerability, but they do gain a better insight into the network, from which further attacks can be launched. If the victim has been negligent, the VPN accounts are tied to domain accounts (as in the case Kaspersky describes), which may make it possible to log on to a computer via remote access and infect the network from there.

What can I do?

We recommend that you proceed in several steps:

Step 1

Check whether you or your company use Fortigate SSL VPN products. Since the devices have to be bought or rented, this should be researched via the IT administration or, if necessary, via the accounting department.


Step 2

If so, check which version you have. The following versions are vulnerable:

FortiOS 6.0 – 6.0.0 to 6.0.4

FortiOS 5.6 – 5.6.3 to 5.6.7

FortiOS 5.4 – 5.4.6 to 5.4.12
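A small inventory check for this step, added here as an example that is not part of the original article: it extracts the FortiOS version from a plain version string or from status-style output and classifies each device against the three ranges listed above. The host names and version strings are constructed samples, and a version outside the listed ranges is reported as “not listed”, not as safe.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in Step 2: (branch, first, last affected).
VULNERABLE_RANGES: List[Tuple[str, Version, Version]] = [
    ("6.0", (6, 0, 0), (6, 0, 4)),
    ("5.6", (5, 6, 3), (5, 6, 7)),
    ("5.4", (5, 4, 6), (5, 4, 12)),
]
# Matches '6.0.4' or 'v6.0.4' inside longer text such as 'v6.0.4,build0231'.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> Version:
    """Return the first x.y.z triple in text as ints; raise if none is found."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def is_vulnerable(version: Version) -> bool:
    """True if the version lies inside one of the listed affected ranges."""
    return any(lo <= version <= hi for _, lo, hi in VULNERABLE_RANGES)

def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket 'host<TAB>version text' lines; 'not_listed' means outside the ranges, not patched."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "not_listed": [], "unparsed": []}
    for line in lines:
        host, _, version_text = line.strip().partition("\t")
        try:
            version = parse_version(version_text)
        except ValueError:
            buckets["unparsed"].append(host)  # needs a manual check
            continue
        buckets["vulnerable" if is_vulnerable(version) else "not_listed"].append(host)
    return buckets

# Constructed sample inventory: hypothetical hosts with status-style version text.
SAMPLE_INVENTORY = [
    "fw-plant-a\tv6.0.4,build0231,190107 (GA)",
    "fw-plant-b\tv6.0.5,build0268,190507 (GA)",
    "fw-office\t5.4.12",
    "fw-lab\t5.4.5",
    "fw-legacy\tunknown",
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices in the “unparsed” bucket still need a manual version check before they can be treated as not affected.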


Step 3

Update the device's software to the latest version. Remember to keep your systems up to date at all times, even if your devices are not running one of the vulnerable versions listed above.


Step 4

Update your security software to the latest versions and always keep it up to date. Also, make sure that all modules of your security solutions are always activated.


Step 5

Review your organization’s security policies and ensure that users are only allowed to log on to the systems that are required for their operational needs.


Step 6

Restrict VPN access between different locations and close all ports that are not needed for operational purposes.


Step 7

Make sure you have at least three regularly updated backup copies of your critical systems that would allow you to restore your operations in the event of an unforeseen attack.

If you have any questions or suspect that you have been attacked, do not hesitate to contact us.