CISA and FBI Warn of Global Threat from Ghost Ransomware

The “Ghost” ransomware group, also tracked under several other names including Cring and Crypt3r, has been identified by US authorities as compromising organizations worldwide, primarily through exploitation of known vulnerabilities and widely available malware tools. The group’s activity spans more than 70 countries and targets a range of sectors, including SMBs and critical infrastructure.

Affected: organizations, SMBs, critical infrastructure, schools, universities, healthcare, government, religious institutions, technology, manufacturing

Key points:

  • The Ghost ransomware group operates from China, unlike most ransomware actors, who are based in former Soviet states.
  • They compromise organizations in over 70 countries with financially motivated attacks.
  • Initial access is achieved by exploiting known vulnerabilities in public-facing systems and servers.
  • Notable exploited vulnerabilities include those in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange.
  • Ghost actors deploy Cobalt Strike as their primary tool for various attack vectors.
  • The group often issues ransom notes claiming exfiltrated data will be sold if demands are not met.
  • In practice, they typically do not exfiltrate enough data to cause major harm to victims.
  • Ghost actors show a preference for easier targets and often abandon attempts against hardened systems.
  • CISA recommends key mitigations such as regular backups, timely patches for known vulnerabilities, network segmentation, and the use of multi-factor authentication.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Ghost actors leverage Cobalt Strike for command and control communications.
  • T1083 – File and Directory Discovery: Used to identify which anti-malware systems are present on victim machines.
  • T1059.001 – Command and Scripting Interpreter: PowerShell is utilized for executing commands and downloading additional malware.
  • T1068 – Exploitation for Elevation of Privilege: Exploiting vulnerabilities in public-facing systems for initial access.
  • T1537 – Transfer Data to External Network: Sending ransom notes claiming data exfiltration, despite limited actual data theft.

Indicators of Compromise:

  • [Vulnerability] CVE-2018-13379
  • [Vulnerability] CVE-2010-2861
  • [Vulnerability] CVE-2009-3960
  • [Vulnerability] CVE-2021-34473
  • [Vulnerability] CVE-2021-34523
  • [Vulnerability] CVE-2021-31207


Full Story: https://www.infosecurity-magazine.com/news/cisa-fbi-warn-global-threat-ghost/
