How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants

How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants

Enlarge (credit: Getty Images)

January blog post. It takes hold of networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file that contains the username and plaintext password for the VPN.

With an initial toehold, a live Cring operator performs reconnaissance and uses a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. Eventually, the attackers use the Cobalt Strike framework to install Cring. To mask the attack in progress, the hackers disguise the installation files as security software from Kaspersky Lab or other providers.

Read 9 remaining paragraphs | Comments

Discover more from WHO WILL CARE eCommerce

Subscribe now to keep reading and get access to the full archive.

Continue reading