Experts warn companies that the Cring ransomware group is targeting outdated servers and VPNs

November 22, 2021
Tags: ColdFusion, Cring, Ransomware Attack, VPN, Unpatched Servers, Vulnerability

Since it emerged earlier this year, the Cring ransomware group has stayed active in the cybercrime landscape by attacking outdated ColdFusion servers and VPN appliances. According to security experts, what sets the group apart is its reliance on old, publicly known vulnerabilities as its way into victim networks.

Analysts added that Cring's exploitation of old VPN and server flaws should be a wake-up call for system owners still running outdated, unsupported software, which leaves them exposed to attack.

Besides using Mimikatz to harvest credentials from victims, Cring's operators were also seen abusing a long-standing, legitimate Windows process so that their activity blends in with normal administrative traffic. That makes the intrusion hard for network defenders to spot: the malicious activity is easy to miss until the damage has already been done.

In September, a report described how Cring actors exploited a vulnerability in Adobe ColdFusion 9 to gain remote control of a ColdFusion server. Analysts have linked the Cring operators to hackers located in Ukraine and Belarus.

The attackers used automated tools to break into the servers of an unnamed company in the services sector. The tooling probed roughly 9,000 paths on the target's web server in about 75 seconds; within minutes it had found and exploited a vulnerability in the outdated Adobe software, which let the attackers steal data from the exposed server.

According to analysts, Cring remains a relatively uncommon ransomware strain despite having been around for some time. Even so, they warn companies not to leave their systems unpatched and out of date, because such systems offer threat actors easy entry points.


The attack begins with automated tools scanning the victim's website; once they find an unpatched ColdFusion installation on the server, they exploit it to gain access.
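The scanning behaviour described above (thousands of candidate paths probed from one client inside roughly a minute) is visible in ordinary web server access logs. The following detector is an added example written for this page, not code from the article or from any vendor report: it parses combined-format access log lines, groups requests by client IP, and flags any client that requests many distinct paths inside a 75-second window with a high share of 4xx responses, which is what an automated path sweep looks like before it finds a live ColdFusion path. The log format, thresholds, IP addresses and sample lines are all assumptions constructed for the demonstration.

```python
"""Flag high-rate path enumeration against a web server from its access logs.

Added example, not from the article. Assumes Apache/nginx "combined" log
format; thresholds and all sample data are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined access-log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path").split("?")[0], int(m.group("status"))


def find_enumerators(lines, window_s=75, min_paths=50, min_error_ratio=0.5):
    """Return {ip: (distinct_paths, error_ratio)} for clients that requested at
    least `min_paths` distinct paths inside some `window_s`-second window where
    at least `min_error_ratio` of the responses were 4xx (path sweeps mostly
    hit paths that do not exist). Thresholds are assumptions; tune per site."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, path, status = rec
            by_ip[ip].append((ts, path, status))

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        # Sliding window over this client's requests in time order.
        for end in range(len(recs)):
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            paths = {p for _, p, _ in win}
            if len(paths) >= min_paths:
                errors = sum(1 for _, _, s in win if 400 <= s < 500)
                ratio = errors / len(win)
                if ratio >= min_error_ratio:
                    prev = hits.get(ip)
                    if prev is None or len(paths) > prev[0]:
                        hits[ip] = (len(paths), round(ratio, 2))
    return hits


def sample_log():
    """Constructed sample, not real victim data: one client sweeps 60 candidate
    paths in about 20 seconds (59 misses, one hit on the ColdFusion admin
    directory) while a normal visitor loads three pages."""
    lines = []
    probe_paths = [f"/cgi-bin/test{i}.cfm" for i in range(59)] + ["/CFIDE/administrator/"]
    for i, path in enumerate(probe_paths):
        sec = i // 3  # three requests per second
        status = 200 if path.startswith("/CFIDE") else 404
        lines.append(f'203.0.113.7 - - [01/Sep/2021:03:14:{sec:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {status} 512')
    for sec, path in ((5, "/"), (12, "/about"), (30, "/contact")):
        lines.append(f'198.51.100.23 - - [01/Sep/2021:03:14:{sec:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for ip, (n, ratio) in find_enumerators(sample_log()).items():
        print(f"{ip}: {n} distinct paths, {ratio:.0%} 4xx within a 75 s window")
```

Because the same report notes that these operators erase logs and other evidence once inside, a detector like this only helps if the access logs are shipped off the web host to a collector the attacker cannot reach; running it on the compromised server's own logs after the fact may find nothing to read.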


Cring actors also use sophisticated techniques to conceal files, inject code into memory and cover their tracks, overwriting files with garbage data or deleting log records and other evidence that investigators could use against them. The operators actively reconnoitre a network before deploying the ransomware. Their usual targets are the infrastructure of industrial companies, with the aim of disrupting production and inflicting financial loss.
