InfoSecBulletin Cybersecurity for mankind
The FBI and CISA reported on Wednesday that the ransomware group Ghost has been exploiting software and firmware vulnerabilities as recently as January.
The group targets internet services with old, unpatched vulnerabilities that users could have addressed years ago. Cybersecurity researchers began alerting the public about the group in 2021.
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CIRT alert Situational Awareness for Eid Holidays
Cyberattack on Malaysian airports: PM rejected $10 million ransom
Micropatches released for Windows zero-day leaking NTLM hashes
VMware Patches Authentication Bypass Flaw in Windows Tool
IngressNightmare
Over 40% of cloud environments are vulnerable to RCE
(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass
Oracle refutes breach after hacker claims 6 million data theft
Russian zero-day seller to offer up to $4 million for Telegram exploits
“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” says the alert, released with the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Vulnerabilities include unpatched bugs in Fortinet security appliances, servers using Adobe ColdFusion, and Microsoft Exchange servers vulnerable to the ProxyShell attack.
Since 2021, various sectors, including critical infrastructure, schools, healthcare, government networks, religious institutions, tech companies, and many small to medium businesses, have been targeted. The main aim is financial gain, with ransom demands often exceeding hundreds of thousands of dollars.
“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies say. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”
The group uses well-known hacking tools like Cobalt Strike and Mimikatz, and the malware they deploy often has names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, according to the alert.
“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies say. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.”
