FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities 


A recent advisory from the FBI and CISA highlights the ongoing threat posed by the Ghost (Cring) ransomware group, which continues to exploit unpatched vulnerabilities in outdated software. The group, primarily motivated by financial gain, targets organizations globally and utilizes established techniques from previous years. The report underscores the critical importance of maintaining cybersecurity hygiene and patching known vulnerabilities to protect against these persistent threats.

Affected: organizations, financial sector, global industries

Key points:

  • The Ghost (Cring) ransomware group exploits unpatched vulnerabilities, primarily for financial gain.
  • The group has been active since early 2021, compromising organizations in over 70 countries.
  • Old vulnerabilities, such as CVE-2018-13379 and CVE-2010-2861, are still actively targeted.
  • The advisory includes specific IOCs and TTPs from recent investigations.
  • Cobalt Strike and Mimikatz are tools frequently used by the ransomware actors in their attacks.
  • Good cybersecurity hygiene, including regular patching, is essential to prevent such attacks.
  • Ghost actors shift to new targets when confronted with hardened security measures.

MITRE Techniques:

  • T1499: Endpoint Denial of Service – Attackers disable Windows Defender on network-connected devices.
  • T1021: Remote Services – Cobalt Strike is used for remote command execution and control.
  • T1064: Scripting – Malicious PowerShell scripts are used to decrypt and execute payloads.
  • T1059: Command and Scripting Interpreter – Windows Command Prompt and PowerShell are leveraged for execution of malware.
  • T1071: Application Layer Protocol – Cobalt Strike commands facilitate command and control operations.
  • T1070: Indicator Removal on Host – Attackers create and modify local accounts and change passwords to maintain persistent access.

Indicators of Compromise:

  • MD5: c5d712f82d5d37bb284acd4468ab3533 (Cring.exe)
  • MD5: 34b3009590ec2d361f07cac320671410 (Ghost.exe)
  • MD5: 29e44e8994197bdb0c2be6fc5dfc15c2 (ElysiumO.exe)
  • MD5: ef6a213f59f3fbee2894bd6734bbaed2 (Locker.exe)
  • MD5: ac58a214ce7deb3a578c10b97f93d9c3 (iex.txt)
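
The MD5 hashes above are the kind of IOC a defender sweeps for on file shares, quarantine folders or forensic images. The following script is an added example, not code from the advisory or from Cyble: it hashes every file under a directory and reports any file whose MD5 appears in the table of hashes listed above. The file names in the table are the ones the digest reports alongside each hash; the sample directory it builds for a stand-alone run contains only a constructed benign file.

```python
import hashlib
import os
import tempfile

# MD5 -> file name, copied from the IOC list in the advisory digest above.
GHOST_IOC_MD5 = {
    "c5d712f82d5d37bb284acd4468ab3533": "Cring.exe",
    "34b3009590ec2d361f07cac320671410": "Ghost.exe",
    "29e44e8994197bdb0c2be6fc5dfc15c2": "ElysiumO.exe",
    "ef6a213f59f3fbee2894bd6734bbaed2": "Locker.exe",
    "ac58a214ce7deb3a578c10b97f93d9c3": "iex.txt",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_iocs(hashes, ioc_table=GHOST_IOC_MD5):
    """Given {path: md5hex}, return {path: reported_name} for every hash in the IOC table.

    Hashes are compared case-insensitively, since feeds and tools disagree on case.
    """
    return {
        path: ioc_table[digest.lower()]
        for path, digest in hashes.items()
        if digest.lower() in ioc_table
    }


def scan_directory(root, ioc_table=GHOST_IOC_MD5):
    """Walk `root`, hash every regular file, and return the IOC hits as {path: reported_name}."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hashes[path] = md5_of_file(path)
            except OSError:
                # Unreadable or vanished file (locked, permission denied): skip rather than abort.
                continue
    return match_iocs(hashes, ioc_table)


def build_demo_dir():
    """Create a constructed sample directory holding one benign file (for the stand-alone run)."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-demo-")
    with open(os.path.join(root, "benign.txt"), "wb") as fh:
        fh.write(b"hello")
    return root


if __name__ == "__main__":
    demo_root = build_demo_dir()
    hits = scan_directory(demo_root)
    print(f"scanned {demo_root}: {len(hits)} IOC hit(s)")
    for path, name in hits.items():
        print(f"  {path} matches advisory sample {name}")
```

A hash sweep is a point-in-time check: a recompiled or repacked payload gets a new MD5, so a clean result says nothing about whether the unpatched services the group targets are still exposed. Treat a hit as a trigger for containment and a miss as no substitute for the patching the advisory calls for.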

Full Story: https://cyble.com/blog/fbi-cisa-shows-staying-power-of-old-vulnerabilities/