Play Ransomware Using MSPs and N-Days to AttackFortinet SSL VPN Vulnerability Is Among Top Most Common Vulnerabilities
The Play ransomware group is targeting security managed service providers to gain initial access and using up to a half-decade-old vulnerabilities in security appliances, warn security researchers with Adlumin.
Attacking firms through their security vendor is a clever tactic, said Kevin O’Connor, director of threat research at Adlumin. It's hard for cyber defenders to even detect the attack "because it initially appears as legitimate administrative access and often gives attackers free reign over the target’s network and IT assets," he told Information Security Media Group.
The gang is also using intermittent encryption in a bid to avoid setting off defenses that look for whole file modifications, the security firm said in a Thursday blog post. The group's most recent campaign is targeting midsize financial, software, legal and logistics industries in the United States, Australia, United Kingdom and Italy, the blog post says.
The Play ransomware group is responsible for cyberattacks against the city of Oakland, an attack on the Judiciary of Córdoba in Argentina and on the German chain H-Hotels. TrendMicro said the group's activities are similar to those of ransomware groups Hive and Nokoyawa, suggesting a potential affiliation.
The group has also expanded its toolkit with new exploits such as ProxyNotShell, OWASSRF and a Microsoft Exchange Server remote code execution. In addition to using the remote desktop protocol servers as a vector for network infiltration, PlayCrypt also use FortiOS vulnerabilities tracked as CVE-2018-13379 and CVE-2020-12812.
Cybersecurity officials across the U.S. and its Five Eyes intelligence alliance earlier this month in a joint security advisory detailed the 12 most common vulnerabilities and exposures "exploited by malicious actors" in 2022 (see: Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List).
On the list is CVE-2018-13379, which is a path traversal flaw in the Fortinet SSL VPN. The researchers said it is an easy-to-exploit flaw discovered in July 2018, and it was patched by Fortinet in May 2019. Attackers continued to target and successfully exploit it, leading the NSA in 2019 to issue a public alert urging users to patch the vulnerability.