How a VPN vulnerability allowed ransomware to disrupt two manufacturing facilities

Ransomware operators shut down two manufacturing facilities of a European manufacturer after deploying a relatively new strain of ransomware that encrypts the servers controlling the manufacturer’s industrial processes, a Kaspersky Lab researcher said Wednesday.

The ransomware, known as Cring, became public knowledge in a blog post in January. It breaks into networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. The directory traversal vulnerability, tracked as CVE-2018-13379, allows unauthenticated attackers to obtain a session file that contains the username and cleartext password for the VPN.

After gaining an initial foothold, a live Cring operator performs reconnaissance and uses a customized version of the Mimikatz tool to extract domain administrator credentials stored in server memory. The attackers then use the Cobalt Strike framework to install Cring. To mask the ongoing attack, the hackers disguise the installation files as security software from Kaspersky Lab or other vendors.

Once installed, the ransomware locks data using 256-bit AES encryption and encrypts the AES key with an RSA-8192 public key that is hard-coded into the ransomware. A note left behind demands two bitcoins in exchange for the AES key needed to unlock the data.

More for the money

In the first quarter of this year, Cring infected an unnamed manufacturer in Germany, Vyacheslav Kopeytsev, a member of Kaspersky Lab’s ICS CERT team, said in an email. The infection spread to a server that hosted databases necessary for the manufacturer’s production line. As a result, processes at two of the plants the manufacturer operates in Italy were temporarily suspended. Kaspersky Lab believes the shutdowns lasted two days.

“Various details of the attack indicate that the attackers carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and their own toolset based on the information gathered during the investigation phase,” wrote Kopeytsev in a blog post. He continued, “An analysis of the attackers’ activities shows that, based on the intelligence conducted on the attacked organization’s network, they decided to encrypt the servers that the attackers believed would cause the most damage to the company’s business if they were lost.”


Incident responders eventually restored most, but not all, of the encrypted data from backups. The victim did not pay a ransom. There have been no reports of infections causing harmful or unsafe conditions.

Disregarding wise advice

In 2019, researchers observed hackers actively attempting to exploit the critical vulnerability in FortiGate VPNs. At that time, around 480,000 devices were connected to the Internet. Last week, the FBI and the Cybersecurity and Infrastructure Security Agency announced that CVE-2018-13379 was one of several FortiGate VPN vulnerabilities likely being actively exploited to gain access for future attacks.

Fortinet announced in November that it had discovered a “large number” of VPN devices that had not been patched against CVE-2018-13379. In that notice, the company said it was aware of reports that the IP addresses of those systems were being sold in underground crime forums and that people were conducting Internet-wide scans to find unpatched systems themselves.

Kopeytsev said the victim not only failed to install the VPN updates, but also failed to keep its antivirus databases updated and to restrict access to sensitive systems to selected employees only.

It’s not the first time that malware has disrupted a manufacturing process. In 2019 and last year, Honda halted production after being infected by the WannaCry ransomware and by unknown malware. One of the world’s largest aluminum producers, Norsk Hydro of Norway, was hit by a ransomware attack in 2019 that shut down its global network, halted or disrupted plants, and sent IT staff scrambling to return operations to normal.

Patching and reconfiguring devices in industrial environments can be especially costly and difficult, because many of them must run continuously to remain profitable and stay on schedule. Shutting down an assembly line to install and test a security update, or to make changes to a network, carries real and non-trivial costs. Of course, having ransomware operators shut down an industrial process on their own terms is an even worse scenario.


Steven Gregory