InfoSecBulletin Cybersecurity for mankind
The FBI and CISA reported on Wednesday that the ransomware group Ghost has been exploiting software and firmware vulnerabilities as recently as January.
The group targets internet services with old, unpatched vulnerabilities that users could have addressed years ago. Cybersecurity researchers began alerting the public about the group in 2021.
NVIDIA Releases Security Update For GPU Driver Vulnerabilities
‘SessionShark’ ToolKit Bypasses Microsoft Office 365 MFA
159 CVEs Exploited in Q1 2025 : 28.3% Within 24 Hours of Disclosure
NVIDIA NeMo Framework Vuln Allow Attackers RCE
Cisco Issued Urgent Security Advisories For Multiple Products
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
“This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China,” says the alert, released with the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Vulnerabilities include unpatched bugs in Fortinet security appliances, servers using Adobe ColdFusion, and Microsoft Exchange servers vulnerable to the ProxyShell attack.
Since 2021, various sectors, including critical infrastructure, schools, healthcare, government networks, religious institutions, tech companies, and many small to medium businesses, have been targeted. The main aim is financial gain, with ransom demands often exceeding hundreds of thousands of dollars.
“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies say. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.”
The group uses well-known hacking tools like Cobalt Strike and Mimikatz, and the malware they deploy often has names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, according to the alert.
“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies say. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.”
