Cring ransomware operators mounted an attack against a target after hacking a server running an unpatched, 11-year-old version of Adobe’s ColdFusion 9 software. Attackers breached the server in minutes and executed the ransomware 79 hours later.
Cybersecurity company Sophos published a research report describing the sophisticated attack by the Cring ransomware group against a service company that was using an old unpatched server to collect timesheet and accounting data for payroll and host several virtual machines.
The attackers began by scanning the target’s website using automated tools, and were able to break in within minutes once they identified that it was running an unpatched version of ColdFusion on the server.
Sophos found that following the initial breach, the attackers used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by overwriting files with garbled data or by deleting logs and other artifacts that threat hunters could use for an investigation. The attackers were also able to deactivate security products because the tamper-protection functionality was switched off.
The attackers posted a ransom note which says they also exfiltrated data that is “ready to leak in case we can not make a good deal.”
“Devices running vulnerable, outdated software are low-hanging-fruit for cyber attackers looking for an easy way into a target,” Andrew Brandt, principal researcher at Sophos, stated in a press release.
According to him, Cring ransomware isn’t new, but it’s uncommon. In the incident the researchers observed, all it took to break in was one internet-facing machine running old, out-of-date, and unpatched software.
“The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades,” he said.
Regardless of the status – in use or inactive – unpatched internet-facing servers or other devices are prime targets for cyber attackers scanning a company’s attack surface for vulnerable entry points.
“This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organizations have these devices anywhere on their network, they can be sure that cyber attackers will be attracted to them. Don’t make life easy for cybercriminals,” added Brandt.