The Cring ransomware group, which surfaced earlier in 2021, continues to make a name for itself by attacking outdated ColdFusion servers and VPN appliances. According to researchers, what sets Cring apart so far is its deliberate targeting of old, long-patched vulnerabilities in its campaigns. In an earlier incident, Cring operators exploited a two-year-old Fortigate VPN vulnerability on end-of-life and otherwise unsupported devices left exposed to the internet. Cring operators have also been seen running Mimikatz on compromised hosts to harvest credentials, and there is evidence that they use native Windows processes to blend in with legitimate administrative activity.
ZDNet reports: "Positive Technologies head of malware detection Alexey Vishnyakov added that the group gets its primary consolidation through the exploitation of 1-day vulnerabilities in services at the perimeter of the organization, like web servers, VPN solutions and more, either through buying access from intermediaries on shadow forums or other methods." This makes it harder for threat hunters and defenders to spot anything suspicious before it is already too late.
Current and earlier campaigns have consistently deployed Cobalt Strike beacons, a tool used by many threat actors, mostly in the post-exploitation phase, where it makes the intrusion easier to operate. In September, Sophos published research on one case in which Cring operators exploited an 11-year-old Adobe ColdFusion 9 installation to gain remote control of the ColdFusion server.
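The credential dumping and native-process blending described above, and the in-memory tooling that Cobalt Strike beacons commonly inject into a Windows host process, share one observable: a handle to lsass.exe opened with memory-read rights. Sysmon Event ID 10 (ProcessAccess) records exactly that. The following Python is an added detection example, not code from the original article, from Sophos or from Positive Technologies. The flattened record format, the sample records and the allowlist of legitimate LSASS readers are all constructed assumptions to be tuned per environment.

```python
"""Flag Mimikatz-style LSASS access in Sysmon Event ID 10 (ProcessAccess) records.

Added example for the Cring write-up, not code from the original article or from
any vendor report. SAMPLE_EVENTS are constructed records in a flattened
Key=Value;Key=Value form (assumption); EXPECTED_LSASS_READERS is an assumed
allowlist that must be tuned for the environment being monitored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access-mask bits from the Win32 PROCESS_* constants. Reading LSASS memory
# (what sekurlsa::logonpasswords does) requires PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumption: processes that legitimately read LSASS memory on this host.
EXPECTED_LSASS_READERS = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
}

# System binary names an attacker may copy elsewhere to blend in.
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "wmiprvse.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def parse_event(line: str) -> ProcessAccess:
    """Parse one flattened Sysmon ID 10 record (constructed format: Key=Value;...)."""
    fields = dict(kv.split("=", 1) for kv in line.split(";"))
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
        call_trace=fields.get("CallTrace", ""),
    )


def classify(ev: ProcessAccess) -> Optional[str]:
    """Return a reason if the record looks like credential dumping, else None."""
    if not ev.target_image.lower().endswith("\\lsass.exe"):
        return None
    if not ev.granted_access & PROCESS_VM_READ:
        return None  # handle cannot read memory, so this is not a dump of LSASS
    src = ev.source_image.lower()
    if src in EXPECTED_LSASS_READERS:
        return None
    name = src.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not src.startswith(SYSTEM_DIR):
        return f"system binary name outside System32: {ev.source_image}"
    # Sysmon reports frames in unbacked memory as UNKNOWN; a native process
    # reading LSASS from such a frame points to injected in-memory tooling.
    if "UNKNOWN" in ev.call_trace:
        return f"LSASS read from unbacked memory in {ev.source_image} (injected code)"
    return f"unexpected process read LSASS with 0x{ev.granted_access:x}: {ev.source_image}"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_image, reason) for each suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.source_image, reason))
    return hits


# Constructed sample records; none of these come from a real incident.
SAMPLE_EVENTS = [
    # Benign: service host with query-only access, no VM_READ.
    r"SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Benign: Defender engine is on the assumed allowlist.
    r"SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1fffff;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Dropped Mimikatz binary reading LSASS memory.
    r"SourceImage=C:\Users\Public\mimikatz.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Users\Public\mimikatz.exe+4a12f",
    # Native rundll32.exe reading LSASS from unbacked memory (injected tooling).
    r"SourceImage=C:\Windows\System32\rundll32.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001E2A4B00123)",
    # Copy of svchost.exe masquerading from a temp directory.
    r"SourceImage=C:\Windows\Temp\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1410;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
]

if __name__ == "__main__":
    for source, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {source}: {reason}")
```

The three checks are deliberately ordered from most to least specific: a system binary name outside System32 is flagged before the call-trace check, and a legitimate-looking path that still reads LSASS memory falls through to the generic alert. The allowlist is the weak point of this approach, so keep it short and review it whenever new agents or backup software are deployed.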
Sophos linked the group using Cring ransomware to threat actors in Belarus and Ukraine; the attackers used automated tools to break into the servers of an unnamed company in the services sector. "In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades," said Andrew Brandt, chief researcher at Sophos.