Security of critical infrastructures, Cybercrime, Cybercrime as-a-service
Cring Ransomware Unleashed After Attackers Exploited Unpatched Flaw From 2009
Mathew J. Schwartz (euroinfosec) â¢
September 27, 2021
To fight ransomware, experts advise security teams to stay on top of how attackers hacked their latest victims. In particular, they need to learn from attacks that target other organizations in their industry and apply that knowledge to ensure they have the right defenses to avoid becoming an attacker’s next victim.
At the same time, they also need a decent level of basic preparation. For example, see how a tech services company recently saw its systems crypto-locked with ransomware.
“The incident is a stark reminder that IT administrators cannot leave mission-critical business systems obsolete in the face of the public Internet.”
How did the attackers break in? Called in to investigate, the security company Sophos discovered that attackers had exploited two publicly known flaws – CVE-2010-2861 and then CVE-2009-3960 – in the installation of Adobe ColdFusion 9, which is no longer – Supported web application development platform.
The first flaw is a directory transversal vulnerability, while the second allows XML injection. The open source penetration testing framework Metasploit added exploits for the first in 2011 and the last in 2010, meaning that exploiting these flaws would have been easy for an attacker with even average skills. Likewise, the flaws would in theory have been easy to spot by a penetration testing team, had the victim hired one and then acted on their findings.
âThe server running ColdFusion was running the Windows Server 2008 operating system, which Microsoft terminated in January 2020,â reports Andrew Brandt, senior researcher at Sophos. “Adobe declared ColdFusion 9 end of life in 2016. As a result, neither the operating system nor the ColdFusion software could be patched.”
It is not clear whether attackers went looking for organizations running exploitable ColdFusion software – as in anyone still running ColdFusion – is unclear. “We cannot speculate on the intentions of the attackers, but since their analysis included many paths for other software, we assume that the discovery of the ColdFusion server was incidental to the analyzes performed, although we cannot be certain,” Brandt told me.
“The exploit for this particular vulnerability is a Metasploit module, and attackers may have used this module, or a similar module, to perform the heist,” he says. “The incident is a stark reminder that IT administrators cannot leave mission-critical business systems obsolete in the face of the public Internet.”
Cring: one of many ransomware operations
If Cring doesn’t tell you anything, it’s because, among the dozens of active ransomware groups, he is not well known.
The Sophos Rapid Response team investigated a Cring ransomware incident, and the only other investigation known to us was reported earlier this year by Kaspersky and involved a completely different method of intrusion, with one common element being that attackers targeted vulnerable and very outdated Internet software every time, âsays Brandt.
In April, Kaspersky reported that “in early 2021, malicious actors carried out a series of attacks on industrial companies in Europe.”
Called in to investigate the outbreak at one of these companies, he discovered that attackers had exploited a credential disclosure vulnerability – CVE-2018-13379 – in FortiOS to exploit the company’s Fortigate VPN. organization. The vulnerability was revealed in 2019 and was quickly patched. Again, there is a free Metasploit exploit for the flaw.
For years, law enforcement officials and security experts have urged companies to be better prepared and put in place good defenses to reduce the risk they consider paying a ransom to get their data back.
However, too many organizations still fail to do the basics, including:
- Use multi-factor authentication whenever possible;
- Locking out remote access, especially for administrator accounts;
- Network segmentation to mitigate the impact of an attacker accessing one system and passing through others;
- Know all the software used and make sure they stay up to date;
- Installation of the latest security patches.
While it might sound basic, these were among the recommendations detailed in a joint cybersecurity advisory released by the U.S. government on Wednesday, specifically to tackle a recent increase in the rate of attacks related to Conti ransomware.
But the advice applies to defense against any type of online attack. Additionally, the fact that the U.S. Agency for Cyber ââand Infrastructure Security, the FBI, and the National Security Agency see the need to remind organizations that unless they’re doing the basics, they’ll be ducks sitting down for the sake of it. ransomware proves that too many continue to fail. heed these tips.
Cybercrime remains a business
Attackers using ransomware want to hit as many victims as possible, in the least amount of time, with the minimum amount of effort, and with the maximum chance of reward. Not having the proper security defenses in place only plays a role in the strategy of criminals.
But as Europol’s Philipp Amann, head of strategy at its European Cybercrime Center, said in an interview earlier this year, even small security improvements can make a big difference. Attackers using Emotet malware, for example, would often cultivate lists of potential victims and then try to forcefully force their administrator passwords.
If, however, they found out that potential victims had two-factor authentication or other “technical measures that made it more difficult to succeed, they would move on to other victims,” ââhe told me.
Specifically, when it comes to ransomware, these kinds of minimal security defenses, including a well-tested backup and restore strategy, with backups stored offline, can be the difference between being a victim and having an attacker look elsewhere. The likes of a ColdFusion installation that’s a decade behind, however, really isn’t going to cut it.