How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants
TEMPORARILY CLOSED —
Patching in industrial settings is hard. Ransomware shutting down production is harder.
Ransomware operators shut down two production facilities belonging to a European manufacturer after deploying a relatively new strain that encrypted servers that control a manufacturer’s industrial processes, a researcher from Kaspersky Lab said on Wednesday.
The ransomware, known as Cring, came to public attention in a January blog post. It takes hold of networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file that contains the username and plaintext password for the VPN.
With an initial toehold, a live Cring operator performs reconnaissance and uses a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. Eventually, the attackers use the Cobalt Strike framework to install Cring. To mask the attack in progress, the hackers disguise the installation files as security software from Kaspersky Lab or other providers.
Once installed, the ransomware locks up data using 256-bit AES encryption and encrypts the key using an RSA-8192 public key hardcoded into the ransomware. A note left behind demands two bitcoins in exchange for the AES key that will unlock the data.
More bang for the buck
In the first quarter of this year, Cring infected an unnamed manufacturer in Germany, Vyacheslav Kopeytsev, a member of Kaspersky Lab’s ICS CERT team said in an email. The infection spread to a server hosting databases that were required for the manufacturer’s production line. As a result, processes were temporarily shut down inside two Italy-based facilities operated by the manufacturer. Kaspersky Lab believes the shutdowns lasted two days.
“Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the attacked organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,” Kopeytsev wrote in a blog post. He went on to say, “An analysis of the attackers’ activity demonstrates that, based on the results of reconnaissance performed on the attacked organization’s network, they chose to encrypt those servers the loss of which the attackers believed would cause the greatest damage to the enterprise’s operations.”
Incident responders eventually restored most but not all of the encrypted data from backups. The victim didn’t pay any ransom. There are no reports of the infections causing harm or unsafe conditions.
Sage advice not heeded
In 2019, researchers observed hackers actively trying to exploit the critical FortiGate VPN vulnerability. Roughly 480,000 devices were connected to the Internet at the time. Last week, the FBI and Cybersecurity and Infrastructure Security agency said CVE-2018-13379 was one of several FortiGate VPN vulnerabilities that were likely under active exploit for use in future attacks.
Fortinet in November said that it detected a “large number” of VPN devices that remained unpatched against CVE-2018-13379. The advisory also said that company officials were aware of reports that the IP addresses of those systems were being sold in underground criminal forums or that people were performing Internet-wide scans to find unpatched systems themselves.
In a statement issued Thursday, Fortinet officials wrote:
The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as April 2021. To get more information, please visit our blog and immediately refer to the May 2019 advisory. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.
Besides failing to install updates, Kopeytsev said the Germany-based manufacturer also neglected to install antivirus updates and to restrict access to sensitive systems to only select employees.
It’s not the first time a manufacturing process has been disrupted by malware. In 2019 and again last year Honda halted manufacturing after being infected by the WannaCry ransomware and an unknown piece of malware. One of the world’s biggest producers of aluminum, Norsk Hydro of Norway, was hit by a ransomware attack in 2019 that shut down its worldwide network, stopped or disrupted plants, and sent IT workers scrambling to return operations to normal.
Patching and reconfiguring devices in industrial settings can be especially costly and difficult because many of them require constant operation to maintain profitability and to stay on schedule. Shutting down an assembly line to install and test a security update or to make changes to a network can lead to real-world expenses that are nontrivial. Of course, having ransomware operators shut down an industrial process on their own is an even more dire scenario.
Post updated to add statement from Fortinet.