Fraud Management & Cybercrime , Ransomware

Play Ransomware Using MSPs and N-Days to Attack

Fortinet SSL VPN Vulnerability Is Among Top Most Common Vulnerabilities
Play Ransomware Using MSPs and N-Days to Attack

The Play ransomware group is targeting security managed service providers to gain initial access and using up to a half-decade-old vulnerabilities in security appliances, warn security researchers with Adlumin.

See Also: The Cost of Underpreparedness to Your Business

Attacking firms through their security vendor is a clever tactic, said Kevin O’Connor, director of threat research at Adlumin. It's hard for cyber defenders to even detect the attack "because it initially appears as legitimate administrative access and often gives attackers free reign over the target’s network and IT assets," he told Information Security Media Group.

The gang is also using intermittent encryption in a bid to avoid setting off defenses that look for whole file modifications, the security firm said in a Thursday blog post. The group's most recent campaign is targeting midsize financial, software, legal and logistics industries in the United States, Australia, United Kingdom and Italy, the blog post says.

The Play ransomware group is responsible for cyberattacks against the city of Oakland, an attack on the Judiciary of Córdoba in Argentina and on the German chain H-Hotels. TrendMicro said the group's activities are similar to those of ransomware groups Hive and Nokoyawa, suggesting a potential affiliation.

The group has also expanded its toolkit with new exploits such as ProxyNotShell, OWASSRF and a Microsoft Exchange Server remote code execution. In addition to using the remote desktop protocol servers as a vector for network infiltration, PlayCrypt also use FortiOS vulnerabilities tracked as CVE-2018-13379 and CVE-2020-12812.

Cybersecurity officials across the U.S. and its Five Eyes intelligence alliance earlier this month in a joint security advisory detailed the 12 most common vulnerabilities and exposures "exploited by malicious actors" in 2022 (see: Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List).

On the list is CVE-2018-13379, which is a path traversal flaw in the Fortinet SSL VPN. The researchers said it is an easy-to-exploit flaw discovered in July 2018, and it was patched by Fortinet in May 2019. Attackers continued to target and successfully exploit it, leading the NSA in 2019 to issue a public alert urging users to patch the vulnerability.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.