The Cring ransomware group continues to make a name for itself with attacks on aging ColdFusion servers and VPNs after emerging earlier this year.
Experts like Digital Shadows' Sean Nikkel told ZDNet that what makes Cring interesting is that, so far, the group seems to specialize in using older vulnerabilities in its attacks.
“In a previous incident, Cring operators exploited a two-year-old FortiGate VPN vulnerability to target end-of-life Microsoft and Adobe applications or unsupported systems that are exposed to the Internet in general,” Nikkel said.
“While Cring has operators who have used Mimikatz on systems to obtain credentials, there is also evidence of the use of native Windows processes, which potentially intermingle with otherwise legitimate activity. This can often make it more difficult for network hunters and advocates to see anything malicious until it’s too late. This attack and previous ones also highlight the adoption and continued use of Cobalt Strike beacons by various threat actors, often making it easier for attackers to manage the post-exploitation phase.”
Sophos released a report in September highlighting a specific incident in which Cring operators exploited a vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take control of a ColdFusion server remotely.
Sophos linked the group using the Cring ransomware to hackers in Belarus and Ukraine who used automated tools to break into the servers of an unnamed service company.
The hackers used their automated tools to probe 9,000 paths through the corporate systems in 75 seconds. Three minutes later, they exploited a vulnerability in the outdated Adobe software that let them retrieve files from servers that were not supposed to be accessible to the public. They grabbed a file called “password properties” and overwrote their own traces with scrambled data to cover their tracks. They then waited two and a half days, returned to the corporate network, granted themselves administrator privileges, and left a sardonic ransom note.
Within minutes of breaching the Internet-facing server, the hackers were also able to access timesheets and payroll accounting data; they ran the ransomware 79 hours later.
Andrew Brandt, senior researcher at Sophos, said Cring ransomware is not new, but it is rare.
“In the incident we researched, the target was a service company, and all it took to break in was an Internet-connected machine running old, outdated, uncorrected software. The surprising thing is that this server was active on a daily basis. Often the most vulnerable devices are idle or ghost machines, forgotten or neglected when it comes to patches and upgrades,” said Brandt.
“But regardless of their status – in use or inactive – servers or other devices connected to the Internet that are not patched are prime targets for cyber attackers who scan a company’s attack surface for vulnerable entry points. It’s a stark reminder that IT administrators benefit from having an accurate inventory of all of their connected assets and cannot leave critical business systems obsolete in the face of the public Internet. If organizations have these devices anywhere on their network, they can be sure that attackers will be attracted to them. Make life easier for cybercriminals.”
The attack analyzed by Sophos showed that the hackers scanned the victim’s website with automated tools and gained easy access once they found the unpatched ColdFusion installation on a server.
Sophos researchers noted that Cring operators “were using fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by overwriting files with truncated data or by removing logs and other artifacts that threat hunters could use in an investigation”.
After bypassing the security features, the hackers left a note saying “ready to flee in case we can’t get a good deal.”
Pavel Kuznetsov, deputy general manager of cybersecurity technologies at Positive Technologies, told ZDNet that Cring operators regularly perform fairly deep reconnaissance inside the network before deploying their ransomware.
“Among the targets are often the infrastructures of industrial organizations. In addition, ICS segments are selected to be infected with ransomware, obviously with the aim of endangering the associated processes (production, etc.),” Kuznetsov said.
Alexey Vishnyakov, head of malware detection at Positive Technologies, added that the group gains its initial foothold by exploiting known vulnerabilities in services at the edge of the organization, such as web servers and VPN solutions, by purchasing access from intermediaries on underground forums, or by other methods.
“The group uses Mimikatz to move around within an organization. It uses the Cobalt Strike slope test tool to secure it within the network for hosts. After taking control of the network, it downloads and distributes the ransomware,” Vishnyakov said.
Vishnyakov echoed Kuznetsov’s analysis that Cring focuses on attacking industrial companies, aiming to force the suspension of production processes and inflict financial losses so that victims are pressured into paying ransoms.
“It is far from the first and it will not be the last criminal group to act under the scheme of compromising an unpatched vulnerability and encrypting data,” Vishnyakov said.
“A series of successful production penetrations and infections is particularly dangerous. The risks include not only blackmail and financial consequences – these attacks could also lead to accidents and death.”