January blog post. It takes hold of networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file that contains the username and plaintext password for the VPN.
With an initial toehold, a live Cring operator performs reconnaissance and uses a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. Eventually, the attackers use the Cobalt Strike framework to install Cring. To mask the attack in progress, the hackers disguise the installation files as security software from Kaspersky Lab or other providers.
Read 9 remaining paragraphs | Comments