theinfosecnews.com

Ghost ransomware actors compromised victims in more than 70 countries

The federal government has warned security teams to patch exploited vulnerabilities and segment networks in the wake of Ghost ransomware threat actors compromising organizations in more than 70 countries.

A joint advisory Feb. 19 by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said that beginning in early 2021, the Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware.

Based in China, the Ghost actors conducted these widespread attacks mainly for financial gain, said the FBI and CISA. Targeted victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small businesses.

According to the FBI and CISA, the Ghost actors leveraged vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379); servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960); Microsoft SharePoint (CVE-2019-0604); and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Samples of ransomware files Ghost used during attacks include: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Billy Hoffman, Field CTO at IONIX, said he thought the group’s use of the 15-year-old ColdFusion CVEs was interesting.

“Most organizations have a limited number of Microsoft Exchange and Fortinet servers, which IT teams typically track and patch quickly,” said Hoffman. “That’s why attackers are now finding more success exploiting only recent CVEs against those systems.”
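The advisory's practical message for defenders is a triage exercise: find the internet-facing systems still carrying the listed CVEs, and watch for the sample file names. The script below is an added illustration, not code from the article or from the FBI/CISA advisory. It uses only the CVE numbers and file names the article cites; the asset-inventory record layout (`host`, `product`, `internet_facing`, `open_cves`) and the JSON file-creation event format are constructed assumptions standing in for whatever a vulnerability scanner and EDR actually export.

```python
import json
import ntpath
import posixpath

# CVEs named in the FBI/CISA advisory, keyed by affected product (as cited in the article).
ADVISORY_CVES = {
    "fortios": ["CVE-2018-13379"],
    "coldfusion": ["CVE-2010-2861", "CVE-2009-3960"],
    "sharepoint": ["CVE-2019-0604"],
    "exchange": ["CVE-2021-34473", "CVE-2021-34523", "CVE-2021-31207"],
}

# Sample ransomware file names from the advisory (as cited in the article), lower-cased for matching.
SAMPLE_BINARIES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}

# Constructed asset inventory; the field names are an assumption, not a real scanner's schema.
INVENTORY = [
    {"host": "vpn-edge-01", "product": "FortiOS", "internet_facing": True,
     "open_cves": ["CVE-2018-13379"]},
    {"host": "mail-01", "product": "Exchange", "internet_facing": True,
     "open_cves": []},
    {"host": "legacy-app-07", "product": "ColdFusion", "internet_facing": True,
     "open_cves": ["CVE-2010-2861", "CVE-2009-3960"]},
    {"host": "intranet-sp", "product": "SharePoint", "internet_facing": False,
     "open_cves": ["CVE-2019-0604"]},
]

# Constructed file-creation events, one JSON object per line (a deliberately malformed line included).
EVENTS = r'''
{"host": "ws-114", "event": "file_create", "path": "C:\\Users\\Public\\Ghost.exe"}
{"host": "ws-114", "event": "file_create", "path": "C:\\Users\\Public\\notes.txt"}
this line is not JSON and must be skipped
{"host": "srv-cf-01", "event": "file_create", "path": "/opt/coldfusion/tmp/locker.exe"}
'''


def flag_exposed_assets(inventory):
    """Return (host, internet_facing, advisory_cves) for every asset that still has an
    advisory-listed CVE open, internet-facing assets first, then by host name.
    Internal assets are kept in the list: exposure decides priority, not relevance."""
    flagged = []
    for asset in inventory:
        product = asset.get("product", "").lower()
        relevant = set(ADVISORY_CVES.get(product, []))
        hits = sorted(relevant.intersection(asset.get("open_cves", [])))
        if hits:
            flagged.append((asset["host"], bool(asset.get("internet_facing")), hits))
    flagged.sort(key=lambda entry: (not entry[1], entry[0]))
    return flagged


def find_sample_binaries(event_lines):
    """Return (host, path) for file-creation events whose basename matches one of the
    advisory's sample names. Matching is case-insensitive and handles both Windows and
    POSIX paths; unparsable lines are skipped rather than aborting the scan."""
    matches = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        path = event.get("path", "")
        name = ntpath.basename(path) if "\\" in path else posixpath.basename(path)
        if name.lower() in SAMPLE_BINARIES:
            matches.append((event.get("host"), path))
    return matches


if __name__ == "__main__":
    for host, exposed, cves in flag_exposed_assets(INVENTORY):
        print(f"{'EXPOSED ' if exposed else 'internal'} {host}: {', '.join(cves)}")
    for host, path in find_sample_binaries(EVENTS.splitlines()):
        print(f"sample binary name seen on {host}: {path}")
```

File-name matches are a weak signal on their own, since an operator can rename a binary, so treat a hit as a prompt to pull the file hash and process tree rather than as a verdict; the patch-status triage is the durable control the advisory is actually asking for.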

Hoffman pointed out that a typical Fortune 1000 company has at least 100 times more web applications — many of which are one-off business apps quickly written using platforms like ColdFusion, since it was a popular and easy-to-use web framework. These apps tend to slip through the cracks, remain unpatched, and ultimately become an entry point for attackers, Hoffman added.

Darren Guccione, co-founder and CEO at Keeper Security, said the Ghost ransomware campaign highlights the persistent reality that adversaries exploit known vulnerabilities faster than many organizations can patch them, which reinforces the critical need for proactive risk management: security leaders must ensure that software, firmware and identity systems are continuously updated and hardened against exploitation.

“This is a global-scale threat, affecting critical infrastructure, healthcare, government and SMBs alike,” said Guccione. “Security leaders must act decisively to reduce their attack surface, invest in zero-trust architectures and deploy robust endpoint and identity security controls to mitigate ransomware risks before they escalate into business-disrupting incidents.”

Jim Walter, senior threat researcher at SentinelOne, said the FBI-CISA advisory highlights an ongoing trend in the world of ransomware-extortion actors. Walter said these financially motivated groups are widely scattered, and use whatever functional tools are available to accomplish their profit goals.

“None of the TTPs leveraged by Ghost are novel, but their methods are effective,” said Walter. “They use and exploit what works and leads to profit, and as long as new flaws continue to be discovered in these edge devices-appliances and IAM platforms, this type of activity will continue. Prevention is critical and key here. Following CISA’s guidance on backups/BCP/DRP, patching, segmentation and education go a long way to limiting the effect of these attacks.”
