OXFORD, U.K. — 九月 21, 2021 —

Sophos, a global leader in next-generation cybersecurity, has published research, “Cring Ransomware Exploits Ancient ColdFusion Server,” describing a sophisticated attack the Cring ransomware operators mounted against a target after hacking a server running an unpatched, 11-year-old version of Adobe's ColdFusion 9 software. The target used the server to collect timesheet and accounting data for payroll and to host multiple virtual machines. The attackers breached the internet-facing server in minutes and executed the ransomware 79 hours later.

“Devices running vulnerable, outdated software are low-hanging-fruit for cyberattackers looking for an easy way into a target,” said Andrew Brandt, principal researcher at Sophos. “Cring ransomware isn’t new, but it’s uncommon. In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.

“But, regardless of what the status is – in use or inactive – unpatched internet-facing servers or other devices are prime targets for cyberattackers scanning a company’s attack surface for vulnerable entry points. This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organizations have these devices anywhere on their network, they can be sure that cyberattackers will be attracted to them. Don’t make life easy for cybercriminals.”

Sophos’ analysis shows that the attackers began by scanning the target’s website using automated tools and were able to break in within minutes once they identified that it was running the unpatched ColdFusion on a server.

Sophos found that following the initial breach, the attackers used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by over-writing files with garbled data or deleting logs and other artifacts that threat hunters could use in an investigation. The attackers were also able to disable security products because the tamper-protection functionality was switched off.

The attackers posted a ransom note that says they also exfiltrated data that is “ready to leak in case we can not make a good deal.”

Cring Ransomnote



Sophos recommends the following best practices to help defend against Cring and other types of ransomware and related cyberattacks:

At a strategic level:

  • Deploy layered protection. As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly, before they cause harm. Use layered protection to block and detect attackers at as many points as possible across an estate
  • Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense-in-depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If organizations don’t have the skills in house, they can enlist support from cybersecurity specialists

At a day-to-day tactical level:

  • Monitor and respond to alerts. Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching
  • Set and enforce strong passwords. Strong passwords serve as one of the first lines of defense. Passwords should be unique or complex and never re-used. This is easier to accomplish with a password manager that can store staff credentials
  • Use Multi Factor Authentication (MFA). Even strong passwords can be compromised. Any form of multifactor authentication is better than none for securing access to critical resources such as e-mail, remote management tools and network assets
  • Lock down accessible services. Perform network scans from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA as part of its login
  • Practice segmentation and zero-trust. Separate critical servers from each other and from workstations by putting them into separate VLANs as you work towards a zero-trust network model
  • Make offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline
  • Inventory your assets and accounts. Unknown, unprotected and unpatched devices in the network increase risk and create a situation where malicious activities could pass unnoticed. It is vital to have a current inventory of all connected compute instances. Use network scans, IaaS tools, and physical checks to locate and catalog them, and install endpoint protection software on any machines that lack protection
  • Make sure security products are correctly configured. Under-protected systems and devices are vulnerable too. It is important that you ensure security solutions are configured properly and to check and, where necessary, validate and update security policies regularly. New security features are not always enabled automatically. Don’t disable tamper protection or create broad detection exclusions as doing so will make an attacker’s job easier
  • Audit Active Directory (AD). Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose. Disable accounts for departing employees as soon as they leave the company
  • Patch everything. Keep Windows and other operating systems and software up to date. This also means double checking that patches have been installed correctly and are in place for critical systems like internet-facing machines or domain controllers. In the incident reported here, support for the server’s Adobe ColdFusion 9 software as well as the underpinning Windows 2008 operating system had been stopped by their respective vendors, which means they were no longer receiving software updates

Sophos endpoint products detect the Cring ransomware executable as Troj/Ransom-GKG and the Cobalt Strike beacons as AMSI/Cobalt-A. The PowerShell commands used to load the beacons are detected as Troj/PS-IM.

To learn more, please read the Cring ransomware article on SophosLabs Uncut.

关于 Sophos

Sophos 是全球领先的先进安全解决方案提供商和创新者,全面安全解决方案涵盖托管式侦测与响应 (MDR) 和事件响应服务,以及广泛的端点、网络、电子邮件和云安全技术。作为最大的纯网络安全厂商之一,Sophos 为全球超过 600,000 家企业和超过 1 亿用户提供防御主动攻击对手、勒索软件、网络钓鱼、恶意软件等威胁的保护。Sophos 的服务和产品通过 Sophos Central 管理控制台连接,并得到公司内部的跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos为需要完全托管的安全解决方案的组织提供网络安全即服务。客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com