Threat actors are actively exploiting the CVE-2018-13379 path traversal vulnerability in Fortinet VPNs to deploy a new piece of ransomware, tracked as Cring ransomware to organizations in the industrial sector.

The Cring ransomware encrypts data from victims with AES-256 + RSA-8192 and then demands a ~ 2 BTC ransom to get the files back.

Victims of these attacks include industrial enterprises in European countries. At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.

Once gained access to a system within the target network, the attackers downloaded the Mimikatz utility to steal the credentials of Windows users who logged in to the compromised system.

Upon compromising the domain administrator account, threat actors could distributee malware to other systems on the same network. Attackers also used the Cobalt Strike post-exploitation framework to deploy the ransomware.

Ion another instance the ransomware infection of servers used to control the industrial process caused a temporary shutdown of the process.

The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server, which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network

DAT file updates with latest signature lacking, Disabled Anti virus components and Active directory Privilege escalation seems to be the reasons

The threat actors are actively exploiting the following vulnerabilities in Fortinet FortiOS:

CVE-2018-13379
CVE-2020-12812
CVE-2019-5591