Companies are advised to constantly update their apps and software, and patch known network vulnerabilities to prevent such attacks.
A ransomware group called “Ghost” is exploiting the network vulnerabilities of various organizations to gain access to their systems, according to a joint advisory issued by multiple U.S. federal agencies.
“Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware,” the Cybersecurity and Infrastructure Security Agency (CISA) said in the Feb. 19 joint advisory. “Ghost actors, located in China, conduct these widespread attacks for financial gain.”
The attacks have targeted schools and universities, government networks, critical infrastructure, technology and manufacturing companies, health care, and several small and mid-sized businesses.
“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” CISA, the FBI, and the Multi-State Information Sharing and Analysis Center said in the advisory.
Ghost actors are also associated with other names such as Cring, Crypt3r, HsHarada, Hello, Wickrme, Phantom, Rapture, and Strike.
The criminals use publicly available code to exploit “common vulnerabilities and exposures” of their targets to secure access to servers. They leverage vulnerabilities in servers running Adobe ColdFusion, Microsoft Exchange, and Microsoft SharePoint.
Threat actors use tools to “collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices,” the warning read. Attackers typically only spend a few days on their target’s networks.
The advisory recommended organizations patch known network vulnerabilities by applying “timely security updates” to firmware, software, and operating systems.
Organizations must train users to recognize phishing attempts, it said. Entities should identify, investigate, and issue alerts regarding any “abnormal network activity.”
“Maintain regular system backups that are known-good and stored offline or are segmented from source systems,” the advisory added.
“Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.”The advisory was issued as part of an ongoing effort to counter ransomware threats.
CISA has previously warned about Chinese cyber threats facing the United States. Chinese state-sponsored cyber actors are looking to pre-position themselves on IT networks to carry out “disruptive or destructive cyberattacks” against critical American infrastructure in case Beijing engages in a conflict with Washington, the agency says.
Volt Typhoon, a Beijing-sponsored cyber actor, has compromised the IT environments of several critical infrastructure organizations in sectors such as energy, transportation, communications, and water systems.
In November, CISA and the FBI detailed a “broad and significant cyber espionage” campaign conducted by Chinese hackers that compromised the networks of U.S. telecommunication providers.
Hackers stole customer call records and private communications from “a limited number of individuals who are primarily involved in government or political activity.”
Rep. Mark Green (R-Tenn.), chairman of the House Committee on Homeland Security, said “the Chinese Communist Party’s exploitation of vulnerabilities in major internet service providers is just the newest alarm to sound as Beijing, Tehran, and Moscow work to gain strategic advantages through cyber espionage, manipulation, and destruction.”