A joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued this week shows that old, unpatched vulnerabilities will remain targets as long as threat actors have a use for them.
The Ghost (Cring) ransomware group the agencies warned about is still using many of the same vulnerabilities and tools as they were when Cyble warned about the group in an advisory to clients in April 2021.
The agencies listed IoCs and TTPs identified in FBI investigations as recently as last month, a cautionary tale for organizations running old, unpatched software – and a reminder that it is never too late to patch a vulnerability that can still be exploited.
Old Vulnerabilities Continue to Reward Hackers
The CISA-FBI advisory noted that in early 2021, Ghost/Cring actors “began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China.”
The group, operating out of China, is primarily after financial gain. Other names associated with the group include Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files from the group include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.
CISA and the FBI said the group obtains initial access to networks primarily via the following web-facing vulnerabilities:
- CVE-2018-13379 in Fortinet FortiOS appliances
- CVE-2010-2861 and CVE-2009-3960 in servers running Adobe ColdFusion
- CVE-2019-0604 in Microsoft SharePoint
- And the “ProxyShell” attack chain in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Cyble’s 2021 advisory to clients noted, “The use of obsolete and vulnerable firmware versions on FortiGate VPN servers enabled attackers to launch attacks on industrial enterprises in European countries. Attackers exploited the high severity vulnerability, CVE-2018-13379, to gain access to enterprise networks and delivered Cring ransomware payload. Ransomware encrypted the servers, resulting in a temporary shutdown of the industrial process. The attackers’ success in exploiting the enterprise networks indicates that they had meticulously worked on the attack campaign to use their infrastructure and toolset in the campaign.
“Once the attackers gained access to the enterprise network, they downloaded the Mimikatz utility to steal the account credentials of the previously logged-in user,” the 2021 Cyble advisory said. “The attackers used Cobalt Strike Framework to distribute malware to other systems on the organization’s network. They uploaded the Cobalt Strike payload using a malicious PowerShell script that decrypted the payload after getting launched. The PowerShell payload enables remote control of the infected system.”
Those same TTPs appear to still be working for the group because the new CISA-FBI advisory included all of them.
Ghost Ransomware TTPs
The CISA-FBI advisory said the Ghost/Cring threat actors (TAs) “have been observed uploading a web shell to a compromised server and leveraging Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon malware that is then implanted on victim systems.”
The TAs typically only spend a few days on victim networks, but they have been observed creating new local and domain accounts and changing passwords on existing accounts.
They often use Cobalt Strike functions to steal the tokens of processes running under the SYSTEM user context, impersonate SYSTEM, and elevate privileges.
They have used several open-source tools, including SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato, to attempt privilege escalation. They also use the Cobalt Strike function “hashdump” or Mimikatz to steal passwords and password hashes.
The Ghost/Cring actors frequently run a command to disable Windows Defender on network-connected devices. They have used Cobalt Strike commands for domain account discovery, open-source tools such as SharpShares for network share discovery, and Ladon 911 and SharpNBTScan for remote systems discovery. Cobalt Strike Beacon malware and Cobalt Strike Team Servers are used for command and control (C2) operations.
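The behaviours described in this section (new local or domain accounts, password resets on existing accounts, and Windows Defender being switched off, all within the few days the actors spend on a network) leave a recognizable footprint in Windows event logs. The following is an added example, not tooling from the advisory or from Cyble: a small detector that runs over forwarded Windows event records and raises one alert per host where two or more of those behaviours occur within a short window. The event IDs are Microsoft's documented ones (Security 4720 and 4724, Defender Operational 5001); the one-hour window, the record layout and the sample records are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Windows event IDs for the behaviours described above (Microsoft's documented IDs).
EVENT_ACCOUNT_CREATED = 4720        # Security log: a user account was created
EVENT_PASSWORD_RESET = 4724         # Security log: an attempt was made to reset an account's password
EVENT_DEFENDER_RTP_DISABLED = 5001  # Microsoft-Windows-Windows Defender/Operational: real-time protection disabled
WATCHED = {EVENT_ACCOUNT_CREATED, EVENT_PASSWORD_RESET, EVENT_DEFENDER_RTP_DISABLED}

# Assumption: two or more distinct behaviours within one hour on one host is worth an alert.
DEFAULT_WINDOW_SECONDS = 3600

# Constructed sample records (not real telemetry). Fields mirror what an event
# forwarder typically exports: timestamp, host, event ID, acting account, target account.
SAMPLE_EVENTS = [
    {"time": "2025-02-10T02:14:03", "host": "FS01", "event_id": 4720, "subject": "CORP\\svc_backup", "target": "support1"},
    {"time": "2025-02-10T02:14:30", "host": "FS01", "event_id": 4724, "subject": "CORP\\svc_backup", "target": "Administrator"},
    {"time": "2025-02-10T02:16:11", "host": "FS01", "event_id": 5001, "subject": "NT AUTHORITY\\SYSTEM", "target": ""},
    {"time": "2025-02-10T02:20:00", "host": "FS01", "event_id": 4624, "subject": "CORP\\svc_backup", "target": ""},  # logon: not watched
    {"time": "2025-02-10T09:00:00", "host": "WS22", "event_id": 4720, "subject": "CORP\\helpdesk", "target": "jsmith"},
    {"time": "2025-02-11T09:05:00", "host": "WS22", "event_id": 4724, "subject": "CORP\\helpdesk", "target": "jsmith"},  # a day later: outside the window
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_account_and_defender_tampering(events, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Return one alert per host on which two or more distinct watched behaviours
    occur within `window_seconds` of each other.

    A lone 4720 from the helpdesk is routine; a new account, a password reset and
    Defender real-time protection going off on the same host within minutes is the
    pattern the advisory describes, so the detector keys on the combination.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] in WATCHED:
            by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if (_ts(e) - _ts(first)).total_seconds() <= window_seconds]
            kinds = {e["event_id"] for e in cluster}
            if len(kinds) >= 2:
                alerts.append({
                    "host": host,
                    "first_seen": first["time"],
                    "event_ids": sorted(kinds),
                    "subjects": sorted({e["subject"] for e in cluster}),
                    "targets": sorted({e["target"] for e in cluster if e["target"]}),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_account_and_defender_tampering(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample records, only FS01 is reported: the helpdesk activity on WS22 is a single behaviour, and its second event falls a day later. In production the records would come from a SIEM or event forwarder rather than an inline list, and the window should be tuned to how quickly administrators legitimately create accounts and reset passwords in your environment.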
Patching, Cybersecurity Hygiene Remain Critical Practices
One interesting line in the CISA-FBI advisory underscores the fundamental importance of good cybersecurity hygiene: “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices,” the agencies said.
The advisory shows that fundamental security best practices like patching, network segmentation, endpoint hardening, protecting secrets and sensitive data, and network and endpoint monitoring remain the surest ways to keep your organization safe.
Ghost Ransomware Indicators of Compromise (IoCs)
Here are the file hashes included in the Indicators of Compromise (IoCs) in the FBI-CISA advisory:
| File name | MD5 File Hash |
|---|---|
| Cring.exe | c5d712f82d5d37bb284acd4468ab3533 |
| Ghost.exe | 34b3009590ec2d361f07cac320671410 |
| Ghost.exe | d9c019182d88290e5489cdf3b607f982 |
| ElysiumO.exe | 29e44e8994197bdb0c2be6fc5dfc15c2 |
| ElysiumO.exe | c9e35b5c1dc8856da25965b385a26ec4 |
| ElysiumO.exe | d1c5e7b8e937625891707f8b4b594314 |
| Locker.exe | ef6a213f59f3fbee2894bd6734bbaed2 |
| iex.txt, pro.txt (IOX) | ac58a214ce7deb3a578c10b97f93d9c3 |
| x86.log (IOX) | c3b8f6d102393b4542e9f951c9435255 |
| x86.log (IOX) | 0a5c4ad3ec240fbfd00bdc1d36bd54eb |
| sp.txt (IOX) | ff52fdf84448277b1bc121f592f753c5 |
| main.txt (IOX) | a2fd181f57548c215ac6891d000ec6b9 |
| isx.txt (IOX) | 625bd7275e1892eac50a22f8b4a6355d |
| sock.txt (IOX) | db38ef2e3d4d8cb785df48f458b35090 |
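A hash list like the one above is only useful once it is swept against real file systems. The following is an added example, not a tool from the advisory or from Cyble: it walks a directory tree, hashes every file in chunks, and reports files whose MD5 is in the IoC set. It matches on the hash rather than the file name, since the actors rename payloads freely (the same hash appears under both iex.txt and pro.txt). The demo tree, its contents and the helper that builds it are constructed for the example; nothing in it is real malware. Bear in mind that a hash match is a strong but brittle signal: any recompiled or repacked payload will have a different MD5, so this sweep complements, rather than replaces, the behavioural detection described earlier.

```python
import hashlib
import os
import tempfile

# MD5 hashes copied from the FBI-CISA IoC table above.
GHOST_IOC_MD5 = {
    "c5d712f82d5d37bb284acd4468ab3533",  # Cring.exe
    "34b3009590ec2d361f07cac320671410",  # Ghost.exe
    "d9c019182d88290e5489cdf3b607f982",  # Ghost.exe
    "29e44e8994197bdb0c2be6fc5dfc15c2",  # ElysiumO.exe
    "c9e35b5c1dc8856da25965b385a26ec4",  # ElysiumO.exe
    "d1c5e7b8e937625891707f8b4b594314",  # ElysiumO.exe
    "ef6a213f59f3fbee2894bd6734bbaed2",  # Locker.exe
    "ac58a214ce7deb3a578c10b97f93d9c3",  # iex.txt, pro.txt (IOX)
    "c3b8f6d102393b4542e9f951c9435255",  # x86.log (IOX)
    "0a5c4ad3ec240fbfd00bdc1d36bd54eb",  # x86.log (IOX)
    "ff52fdf84448277b1bc121f592f753c5",  # sp.txt (IOX)
    "a2fd181f57548c215ac6891d000ec6b9",  # main.txt (IOX)
    "625bd7275e1892eac50a22f8b4a6355d",  # isx.txt (IOX)
    "db38ef2e3d4d8cb785df48f458b35090",  # sock.txt (IOX)
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_for_iocs(root, ioc_hashes=GHOST_IOC_MD5):
    """Walk `root` and return sorted [(path, md5)] for every file whose MD5 is in `ioc_hashes`.

    Hashes are normalized to lowercase before comparison. Files that cannot be
    read (locked, permission denied) are skipped so one bad file does not abort
    the whole sweep.
    """
    wanted = {h.strip().lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = md5_of_file(path)
            except OSError:
                continue
            if h in wanted:
                hits.append((path, h))
    return sorted(hits)


def make_demo_tree():
    """Build a constructed, harmless directory tree for a dry run and return
    (root, path_of_planted_file, its_md5). The planted file is plain text, not malware."""
    root = tempfile.mkdtemp(prefix="ghost_ioc_demo_")
    os.makedirs(os.path.join(root, "ProgramData", "tmp"))
    planted = os.path.join(root, "ProgramData", "tmp", "x86.log")
    with open(planted, "wb") as fh:
        fh.write(b"constructed sample content, not an IOX proxy binary\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("benign file\n")
    return root, planted, md5_of_file(planted)


if __name__ == "__main__":
    root, planted, planted_md5 = make_demo_tree()
    # Against the advisory's IoCs nothing in the demo tree matches.
    print("hits against advisory IoCs:", sweep_for_iocs(root))
    # Adding the planted file's hash to the set shows what a match looks like.
    print("hits with planted hash added:", sweep_for_iocs(root, GHOST_IOC_MD5 | {planted_md5}))
```

On a real host, point `sweep_for_iocs` at the volumes where the actors were seen dropping tooling and feed it the current IoC set from the advisory; extend the set with your own sandbox hashes as new samples surface. MD5 is used here only because it is the digest the advisory publishes; it serves as a lookup key, not as an integrity guarantee.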