allowed vulnerability

How a VPN vulnerability Enabled ransomware to Interrupt two manufacturing plants

TEMPORARILY CLOSED — Patching in industrial settings is hard. Ransomware shutting down production is harder. Dan Goodin – Apr 7, 2021 10:15 pm UTC Getty ImagesRansomware operators shut down two production facilities belonging to a European manufacturer after deploying a relatively new strain that encrypted servers that control manufacturer’s industrial processes, a researcher from Kaspersky…


Patching in industrial configurations is hard. Ransomware shutting down generation is tougher.

How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants

Getty Images

Ransomware operators shut down two production centers belonging to some European manufacturer following deploying a relatively new strain that encrypted servers that control manufacturer’s industrial processes, a researcher from Kaspersky Lab said on Wednesday.

The ransomware known as Cring came to general attention at a January blog article . It takes hold of programs by harnessing long-patched vulnerabilities from VPNs offered by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file which comprises the username and plaintext password for the VPN.

With an initial toehold, a dwell Cring operator performs reconnaissance and uses an customized version of this Mimikatz tool in an attempt to extract domain credentials stored in host memory. Eventually, the attackers utilize the Cobalt Strike frame to install Cring. To hide the attack in advance, the hackers disguise the setup files as security software from Kaspersky Lab or alternative providers.

Once installed, the ransomware locks up information with 256-bit AES encryption and encrypts the key using an RSA-8192 public key hardcoded into the ransomware. A note left behind demands two bitcoins in market for the AES key which will unlock the data.

More bang for the dollar

In the first quarter of the year, Cring infected an undercover manufacturer in Germany, Vyacheslav Kopeytsev, a member of Kaspersky Lab’s ICS CERT team stated in an email. The infection spread to a server hosting databases which were needed for the manufacturer’s production line. Because of this, processes were temporarily shut down inside two Italy-based centers operated by the manufacturer. Kaspersky Lab considers the shutdowns lasted two weeks.

“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” Kopeytsev wrote in a blog article . He went on to say”An analysis of the attackers’ activity demonstrates , based on the results of reconnaissance performed on the attacked organization’s network, they opted to encrypt those servers the loss of which the attackers believed would lead to the greatest damage to the enterprise’s operations.”

Incident responders eventually restored most but not all of the encrypted data from backups. The victim didn’t pay any ransom. There are no reports of the infections causing harm or unsafe conditions.

Sage advice not heeded

In 2019, researchers observed hackers actively trying to exploit the critical FortiGate VPN vulnerability. Roughly 480,000 devices were connected to the Internet at the time. Last week, the FBI and Cybersecurity and Infrastructure Security agency said the CVE-2018-13379 was one of several FortiGate VPN vulnerabilities that were likely under active exploit for use in future attacks.

Fortinet in November said that it detected a”large number” of VPN devices that stayed unpatched from CVE-2018-13379. The advisory also said that company officials were aware of reports that the IP addresses of those systems were being marketed in underground criminal forums or people were doing Internet-wide scans to discover unpatched systems .

Besides failing to install upgrades, Kopeytsev said Germany-based manufacturer also neglected to install antivirus updates and to restrict access to sensitive programs to only select workers.

It’s not the first time a manufacturing process has been disrupted by malware. In 2019 and again last year Honda stopped manufacturing following being infected by the WannaCry ransomware along with also an unidentified bit of malware. Among the world’s biggest producers of aluminum, Norsk Hydro of Norway, was hit by ransomware attack in 2019 that closed down its worldwide network, stopped or upset crops, also shipped IT workers scrambling to return operations to normal.

Patching and reconfiguring devices in industrial settings can be particularly expensive and difficult because lots of them require constant operation to keep profitability and to keep on schedule. Slimming down an assembly line to install and test a security upgrade or to make changes to a community may result in real estate expenses that are nontrivial. Obviously, having ransomware operators closed down an industrial process on their own is an even more dire scenario.

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *