Ransomware operators were able to shut down two essential production facilities that belonged to a European manufacturer shortly after deploying what was seen as a relatively new strain. This ransomware suddenly encrypted servers responsible for controlling the manufacturer's total industrial processes according to a Kaspersky Lab researcher.
Ransomware Attack to VPN Weakness
The ransomware is reportedly known as Cring, and it first became known to the public back in January in a blog post. It also takes hold of large networks by exploiting certain long-patched vulnerabilities in VPNs that are sold by Fortinet. Tracked by its official name CVE-2018-13379, the directory transversal vulnerability would allow certain unauthenticated hackers to be able to obtain a session file that would contain the username as well as the plaintext password for the said VPN.
With an initial toehold, according to Ars Technica, a live Cring operator would perform reconnaissance and would use a customized version of the popular Mimikatz tool in order to try to extract the domain administrator credentials that remain stored within the server memory. Eventually, the attackers would use the Cobalt Strike framework in order to install Cring.
Infection Spread to Hosting Databases
To mask what they are doing, the hackers would disguise the installation files as simple security software coming from Kaspersky Lab or some other providers. Once it is installed, the ransomware would lock up data using the 256-bit AES encryption and encrypt the main key using a different RSA-8192 public key that is hardcoded deep into the ransomware. A note would then be left behind demanding the payment of two bitcoins in exchange for the said AES key which would allow the owners to unlock the data.
During the first quarter of this 2021, Cring infected a certain unnamed manufacturer in Germany, Vyacheslav Kopeytsev, which is a member of Kaspersky Lab's very own ICS CERT team according to an email. The infection was able to spread to a server that was hosting databases that were required for the main manufacturer's production line.
Kaspersky Lab Estimates
As a result of this, processes were actually temporarily shut down inside of two Italy-based facilities that were operated by the manufacturer. Kaspersky Lab estimates and believes that the shutdown lasted a full two days.
Kopeytsev wrote in a recent blog post saying various details of the said attack actually indicate that the attackers had been carefully analyzing the whole infrastructure of the attacked organization. It also said they even prepared their very own infrastructure as well as a toolset that was based on the results of the whole reconnaissance stage.
He then stated that an analysis of the attackers' recent activity shows that based on the main results of reconnaissance that was performed on the attacked organization's network, they actually chose to encrypt those said servers the loss of which the attackers initially believed would cause massive damage to the enterprise's total operations.
This article is owned by Tech Times
Written by Urian Buenconsejo