Ransomware Demands Two Bitcoin in Payment, Disguised as Security Software While Exploiting VPN Weakness: Two Manufacturing Plants Shut Down
Ransomware operators shut down two essential production facilities belonging to a European manufacturer shortly after deploying what is considered a relatively new strain. According to a Kaspersky Lab researcher, the ransomware encrypted the servers that controlled the manufacturer's industrial processes.
The ransomware is known as Cring, and it was first publicly described in a blog post in January. It takes hold of large networks by exploiting a long-patched vulnerability in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory traversal vulnerability allows an unauthenticated attacker to obtain a session file that contains the username and the plaintext password for the VPN.
With that initial toehold, according to Ars Technica, a live Cring operator performs reconnaissance and uses a customized version of the popular Mimikatz tool to try to extract domain administrator credentials that remain in server memory. Eventually, the attackers use the Cobalt Strike framework to install Cring.
To mask what they are doing, the attackers disguise the installation files as security software from Kaspersky Lab or other providers. Once installed, the ransomware locks up data using 256-bit AES encryption and encrypts the AES key with a separate RSA-8192 public key hardcoded into the ransomware. A note is then left behind demanding payment of two bitcoins in exchange for the AES key that would allow the owners to unlock their data.
In the first quarter of 2021, Cring infected an unnamed manufacturer in Germany, Vyacheslav Kopeytsev, a member of Kaspersky Lab's ICS CERT team, said in an email. The infection spread to a server hosting databases required for the manufacturer's production line.
As a result, processes were temporarily shut down in two Italy-based facilities operated by the manufacturer. Kaspersky Lab estimates that the shutdown lasted two full days.
In a recent blog post, Kopeytsev wrote that various details of the attack indicate the attackers had carefully analyzed the whole infrastructure of the attacked organization, and that they had prepared their own infrastructure and toolset based on the results of the reconnaissance stage.
He added that an analysis of the attackers' activity shows that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers whose loss they believed would cause massive damage to the enterprise's operations.
This article is owned by Tech Times
Written by Urian Buenconsejo
ⓒ 2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Copyright ©2021 Developed By DIGITPOL