Ghost Ransomware Breaches Orgs in 70+ Countries, Including Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have reported that attackers deploying Ghost ransomware have breached victims across over 70 countries, including critical infrastructure organizations. Other affected industries include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.

According to a joint advisory released on Wednesday, the attacks began in early 2021, targeting networks running outdated software and firmware. The attackers, known by various names including Ghost, Cring, and Crypt3r, frequently rotate their malware executables and change the file extensions of encrypted files to evade detection.

The ransomware group leverages publicly accessible code to exploit security flaws in vulnerable servers, particularly those left unpatched in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

To defend against Ghost ransomware attacks, network defenders are advised to take the following measures:

* Make regular backups that can’t be encrypted by ransomware
* Patch operating system, software, and firmware vulnerabilities as soon as possible
* Focus on security flaws targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
* Segment networks to limit lateral movement from infected devices
* Enforce phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email services accounts

The attacks have also been linked to state-backed hacking groups targeting vulnerable Fortinet SSL VPN appliances. The FBI warned customers about the CVE-2018-13379 vulnerability multiple times in 2019, 2020, and 2021.

Source: https://www.bleepingcomputer.com/news/security/cisa-and-fbi-ghost-ransomware-breached-orgs-in-70-countries