The Ghost ransomware group, also known as Cring, has been actively exploiting older, unpatched vulnerabilities to conduct global cyberattacks since 2021. This China-based threat group has targeted organizations across more than 70 countries, affecting sectors such as critical infrastructure, healthcare, education, government, manufacturing, technology, and religious institutions.
Exploited Vulnerabilities
Ghost actors primarily gain initial access by exploiting known vulnerabilities in internet-facing services running outdated software and firmware. Notable vulnerabilities include:
- Fortinet FortiOS (CVE-2018-13379): A path traversal vulnerability in the FortiOS SSL VPN web portal, allowing unauthenticated attackers to download system files.
- Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960): Directory traversal and authentication bypass vulnerabilities enabling arbitrary code execution.
- Microsoft SharePoint (CVE-2019-0604): A remote code execution vulnerability that can be exploited via a specially crafted application package.
- Microsoft Exchange (ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207): A chain of vulnerabilities allowing attackers to perform unauthenticated remote code execution.
Attack Techniques and Tools
After gaining initial access, Ghost actors employ various techniques to escalate privileges and move laterally within the network:
- Web Shell Deployment: Uploading web shells to compromised servers to maintain access and execute commands.
- Cobalt Strike Beacon: Using this tool for command and control operations, allowing remote execution of commands and lateral movement.
- Open-Source Tools: Utilizing tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato for privilege escalation; Mimikatz for credential harvesting; and SharpShares, Ladon 911, and SharpNBTScan for network discovery.
Ransomware Deployment and Impact
Ghost actors typically move from initial access to ransomware deployment within a few days. Before encrypting data, they often disable security features such as Windows Defender, clear Windows Event logs, and delete volume shadow copies to hinder recovery efforts. The encrypted data is held for ransom, with demands ranging from tens to hundreds of thousands of dollars in cryptocurrency. While they threaten to sell stolen data if ransoms are unpaid, they rarely exfiltrate significant sensitive information.
Recommendations for Organizations
To defend against Ghost ransomware attacks, organizations should:
- Maintain Regular Backups: Ensure critical data is backed up and stored securely, allowing restoration without paying a ransom.
- Apply Security Patches Promptly: Regularly update software and firmware to address known vulnerabilities, especially those exploited by Ghost actors.
- Implement Multi-Factor Authentication (MFA): Use phishing-resistant MFA for all accounts, particularly those with privileged access.
- Monitor for Unauthorized Activity: Watch for unauthorized use of tools like PowerShell and for unusual account activity.
- Network Segmentation: Divide networks to restrict lateral movement and limit the impact of potential breaches.
By adopting these measures, organizations can enhance their resilience against Ghost ransomware and similar cyber threats.
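The pre-encryption tampering described earlier (disabling Windows Defender, clearing event logs, deleting shadow copies) is what the "Monitor for Unauthorized Activity" recommendation is meant to catch. The following detection script is an added example, not code from the original page or from any advisory; the command-line patterns it matches and the log lines it runs over are constructed assumptions about how such activity commonly appears in process-creation telemetry, not indicators taken from the page.

```python
import re
from collections import defaultdict

# Detection rules for the pre-encryption tampering described above. The
# command-line patterns are assumptions about how these actions commonly show
# up in process-creation telemetry (Sysmon Event ID 1 / Security 4688); they
# are not taken from the original page.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("defender_disable",
     re.compile(r"Set-MpPreference\s+-Disable\w+|DisableAntiSpyware", re.I)),
]

# Constructed sample telemetry (key="value" pairs): FS01 shows all three
# behaviours within seconds, the other hosts are benign lookalikes.
SAMPLE_LOG = [
    'ts="2025-02-19T02:11:03Z" host="FS01" user="CORP\\svc_backup" cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts="2025-02-19T02:11:09Z" host="FS01" user="CORP\\svc_backup" cmd="wevtutil.exe cl Security"',
    'ts="2025-02-19T02:11:15Z" host="FS01" user="CORP\\svc_backup" cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    'ts="2025-02-19T02:30:44Z" host="WS22" user="CORP\\alice" cmd="powershell.exe Get-ChildItem C:\\Users\\alice"',
    'ts="2025-02-19T03:02:10Z" host="DC01" user="CORP\\admin" cmd="wevtutil.exe qe Security /c:5"',
]

def parse_event(line):
    """Split one key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def match_rules(cmd):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def analyze(lines):
    """Map each host to the sorted list of distinct techniques observed on it."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for tech in match_rules(ev.get("cmd", "")):
            seen[ev.get("host", "unknown")].add(tech)
    return {host: sorted(techs) for host, techs in seen.items()}

def staging_hosts(report, min_techniques=2):
    """Hosts showing at least min_techniques distinct behaviours: a single
    vssadmin run can be legitimate admin work, the combination rarely is."""
    return sorted(h for h, t in report.items() if len(t) >= min_techniques)
```

Running `staging_hosts(analyze(SAMPLE_LOG))` on the constructed log returns `["FS01"]`; the single `wevtutil qe` query on DC01 and the ordinary PowerShell use on WS22 produce no hits.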