Cring Ransomware Harnesses 11-Year-Old Adobe ColdFusion Software to Launch Advanced Attack, Sophos Research Reveals
OXFORD, UK, September 21, 2021 (GLOBE NEWSWIRE) – Sophos, a global leader in next-generation cybersecurity, has released a study, “Cring Ransomware Exploits Ancient ColdFusion Server,” describing a sophisticated attack that ransomware operators Cring mounted against a target after they hacked a server running an uncorrected, 11-year-old version of Adobe’s ColdFusion 9 software. The target used the server to collect timesheets and accounting data for payroll and to host multiple virtual machines. The attackers breached the internet server within minutes and executed the ransomware 79 hours later.
“Devices running vulnerable and outdated software are easy to use for cyber attackers looking for an easy way to reach a target,” said Andrew Brandt, senior researcher at Sophos. “Cring ransomware is not new, but it is rare. In the incident we investigated, the target was a service company, and all it took to break in was an Internet-connected machine running old, outdated, and uncorrected software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are idle or ghost machines, forgotten or neglected when it comes to patches and upgrades.
“But, regardless of their status – in use or inactive – servers or other devices connected to the Internet unpatched are prime targets for cyber attackers who scan a company’s attack surface for points. vulnerable entry. This is a stark reminder that IT administrators benefit from an accurate inventory of all of their connected assets and cannot leave critical business systems obsolete in the face of the public Internet. If organizations have these devices anywhere on their network, they can be sure that cyber attackers will be attracted to them. Don’t make life easier for cybercriminals.
Sophos analysis shows that attackers first scanned the target’s website using automated tools and were able to break in within minutes once they identified it was running ColdFusion unpatched on a server.
Sophos discovered that after the initial breach, attackers were using fairly sophisticated techniques to conceal their files, inject code into memory, and muddle through by overwriting files with truncated data or deleting logs and other artifacts that hunters did. of threats could use in an investigation. . Attackers were also able to disable security products because the Tamper Protection feature was disabled.
The attackers issued a ransom note stating that they also exfiltrated data “ready to go in case we can’t get a good deal.”
Sophos recommends the following best practices to help you defend against Cring and other types of ransomware and associated cyber attacks:
At the strategic level:
- Deploy layered protection. As more and more ransomware attacks begin to involve extortion, backups are still needed, but insufficient. It’s more important than ever to ward off opponents or detect them early, before they cause damage. Use layered protection to block and detect attackers at as many points as possible in a domain
- Combine human experts with anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best placed to detect revealing tactics, techniques, and procedures that indicate an attacker is attempting to enter the environment. If organizations don’t have the skills in-house, they can turn to cybersecurity specialists
At the daily tactical level:
- Monitor and respond to alerts. Ensure that the appropriate tools, processes, and resources (people) are available to monitor, investigate, and respond to threats observed in the environment. Ransomware attackers often schedule their strike during off-peak hours, weekends, or holidays, assuming little or no staff are monitoring
- Set and enforce strong passwords. Strong passwords are one of the first lines of defense. Passwords should be unique or complex and never be reused. This is easier to achieve with a password manager that can store staff credentials.
- Use multi-factor authentication (MFA). Even strong passwords can be compromised. Any form of multi-factor authentication is better than none at securing access to critical resources such as email, remote management tools, and network assets
- Lock accessible services. Perform outside network scans and identify and lock down ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be accessed using a remote management tool, place that tool behind a VPN or zero-trust network access solution that uses MFA as part of its connection.
- Practice segmentation and zero trust. Separate critical servers from each other and workstations by placing them in separate VLANs as you work towards a zero trust network model
- Perform offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline
- Inventory your assets and accounts. Unknown, unprotected, and unpatched devices on the network increase risk and create a situation where malicious activity could go unnoticed. It is essential to have an up-to-date inventory of all connected compute instances. Use network scans, IaaS tools, and physical controls to locate and catalog them, and install endpoint protection software on all unprotected machines
- Make sure the security products are configured correctly. Under-protected systems and devices are also vulnerable. It is important to make sure that the security solutions are correctly configured and to check and, if necessary, to validate and update the security policies regularly. New security features are not always activated automatically. Do not disable tamper protection and do not create extended detection exclusions, as this will make an attacker’s job easier
- Audit Active Directory (AD). Perform regular audits on all accounts in AD, making sure none have more access than is necessary for their purpose. Deactivate accounts for employees who leave as soon as they leave the company
- Patch everything. Keep Windows and other operating systems and software up to date. It also means double checking that the fixes were installed correctly and are in place for critical systems such as machines connected to the Internet or domain controllers. In the incident reported here, support for the server’s Adobe ColdFusion 9 software as well as the underlying Windows 2008 operating system had been discontinued by their respective vendors, meaning they were no longer receiving updates. software updates.
Sophos Endpoint products detect the Cring ransomware executable as Troj / Ransom-GKG and Cobalt Strike tags as AMSI / Cobalt-A. PowerShell commands used to load tags are detected as Troj / PS-IM.
To learn more, read the SophosLabs Uncut ransomware article on Cring.
- Tactics, Techniques and Procedures (TTPs) and more for different types of threats are available at SophosLab uncut, which provides the latest threat intelligence from Sophos
- Information on attacker behavior, incident reports and tips for security operations professionals are available at Sophos SecOps news
- Learn more about Sophos’ Rapid Response service which contains, neutralizes and investigates attacks 24/7
- Top four tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team
- Read the latest security news and advisories on the award-winning Sophos Naked Security news site and on Sophos News
Sophos is a global leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyber threats. Leveraging threat intelligence, AI and machine learning from SophosLabs and SophosAIs, Sophos offers a wide range of advanced products and services to secure users, networks and endpoints against ransomware, software malware, exploits, phishing, and the wide array of other cyberattacks. Sophos provides an integrated cloud-based management console, Sophos Central, the centerpiece of an adaptive cybersecurity ecosystem that includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers and other cybersecurity providers. Sophos sells its products and services through reseller partners and Managed Service Providers (MSPs) around the world. Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/10049a91-a211-4a05-8eff-f556c790cca2