Cring Ransomware Fortinet Attack Threat Intel Advisory

###### Advisory Type Adversary Intelligence
###### Malware Name Cring, Crypt3r, Vjiszy1lo, Ghost, Phantom
###### Malware Type Ransomware
###### Tools Used MimiKatz, CobaltStrike
###### Target Platform Fortinet VPN devices
###### Affected Industries Industrial Sectors

Executive Summary

Threat operators of Cring ransomware have been targeting multiple organizations in the industrial sector, by exploiting vulnerable FortiGate Severs. The vulnerability, dubbed CVE-2018-13379, is a path traversal flaw in the FortiOS SSL VPN portals, that allows attackers to obtain domain administrator credentials with the help of Mimikatz malware. It steals information from Windows users connected to the infected device, and then deploys the CobaltStrike beacon to download and execute Cring ransomware.

Technical Details

  • Once the attackers were able to detect servers that were affected by CVE-2018-13379, they located the sslvpn_websession file and used it to obtain login credentials in cleartext.
  • Attackers used Mimikatz to steal the credentials of other Windows users that had connected to the infected device at some point in the past, and found the domain administrator credentials.
  • Then, they deployed a malicious PowerShell to decrypt and execute CobaltStrike beacon so as to control the infected systems remotely.
  • The attackers continued to download and execute a malicious CMD script that launched another malicious PowerShell command which, in turn, downloaded and executed the Cring ransomware.

Targeted CVEs:

  • CVE-2018-13379
    • FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable to this flaw.
  • CVE-2020-12812
  • CVE-2019-5591


Technical Impact
  • Exploiting the CVEs in the FortiOS SSL VPN portals targeted by threat actors allow them to download and execute other variants of malware furthering other forms of attacks on the infected system.
  • It could also gain control of the infected system to act as a Bot and launch more attacks.
Business Impact
  • This ransomware attack could cause businesses to shut down.
  • It could also affect the reputation of the victim company.
  • The attackers gain full access to infected systems which may contain the sensitive information of individuals and organizations alike, leading to the violation of their privacy.

Mitigation Measures

  • Get the latest updates and patches for the software in use.
  • Use up-to-date AV, prevention and detection endpoints.
  • Maintain cyber hygiene and awareness.
  • Always encrypt passwords before storing them in databases.
  • Use 2FA for all login sessions.


1 Like