This nasty ransomware hacks your VPN to break into your device

Cybercriminals continue to target unpatched Fortigate VPN servers

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybercriminals have begun exploiting vulnerabilities inVPNservers in order to infect devices and corporate networks with the Cring ransomware according to new research fromKaspersky.

At the beginning of this year, a series of attacks was launched using this new ransomware and at the time, it was unclear how the attackers responsible were able to infect the network of an unspecified organization in Europe. However, following an investigation conducted by Kapsersky ICS CERT experts, it was revealed that unpatched VPN vulnerabilities were to blame.

Back in 2019, theCVE-2018-13379vulnerability in Fortigate VPN servers became widely known. While the issue was addressed and patched by the company, some organizations did not update their VPN servers. In fact, so many companies failed to do so that ready-made lists containing the IP addresses of vulnerable servers and internet-facing devices began appearing ondark webforums last fall.

We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.

Click here to start the survey in a new window«

With these IP addresses in hand, cybercriminals are able to connect to a vulnerable VPN server remotely and access the session file which contains usernames and passwords stored in clear text.

Cring ransomware

According to Kaspersky’s investigation, attackers are exploiting the CVE-2018-13379 vulnerability in Fortigate VPN servers to gain access to enterprise networks and infect organizations with the Cring ransomware.

In apress release, security expert at Kaspersky Vyacheslav Kopeytsev provided further insight on the attack that occurred at the beginning of this year, saying:

“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage. For example, the host server for the malware from which the Cring ransomware was downloaded had infiltration by IP address enabled and only responded to requests from several European countries. The attackers’ scripts disguised the activity of the malware as an operation by the enterprise’s antivirus solution and terminated the processes carried out by database servers (MicrosoftSQL Server) and backup systems (Veeam) that were used on systems selected for encryption.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The ICS CERT experts at Kaspersky believe that the lack of timely database updates for the affected organization’s security solution also played a key role as this prevented it from detecting and blocking the threat. Additionally, some components of theirantivirussolution were disabled and this left them more vulnerable.

To protect networks and devices from the Cring ransomware, Kaspersky recommends that organizations keep their VPN Gateway firmware updated to the latest version, keependpoint protectionsolutions and databases updated to the latest versions, restrict VPN access between facilities and close all ports that are not required.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Should your VPN always be on?

3 reasons why PIA fell in our best VPN rankings

Arcane season 2 finally gave us the huge Caitlyn and Vi moment we’ve been waiting for – and its creators say ‘we couldn’t have done it in season one’