Are You Updating Systems to Guard Against Ghost Ransomware Threats?

In a world where technology is evolving rapidly, the persistence of outdated software and firmware presents a glaring vulnerability that cybercriminals are eager to exploit. This reality has become all too clear with the recent surge in Ghost ransomware attacks, targeting organizations across more than 70 countries. The federal government has sounded the alarm, urging security teams to promptly address exploited vulnerabilities and to segment their networks. Beginning in early 2021, these Ghost actors, believed to be based in China, have consistently attacked critical infrastructure, educational institutions, healthcare facilities, government bodies, religious organizations, technology and manufacturing firms, as well as various small businesses. They are capitalizing on outdated systems for financial gain, demonstrating a sophisticated understanding of their targets’ weaknesses.

Exploited vulnerabilities include those in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and multiple issues within Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). The ransomware executables used in these attacks include Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. What stands out is the enduring exploitation of the ColdFusion vulnerabilities, despite their age. As observed by Billy Hoffman, Field CTO at IONIX, major systems such as Microsoft Exchange and Fortinet typically receive timely patches, while other web applications tend to be overlooked. This neglect leaves them fertile ground for breaches.

Necessity of Proactive Risk Management

The core issue underscored by these incidents is the need for proactive risk management. Darren Guccione, CEO of Keeper Security, emphasized the urgency for security leaders to adopt a forward-thinking approach. This includes prioritizing continuous updates and applying fortified protection measures to their software, firmware, and identity systems. The rapid pace at which known vulnerabilities are being exploited leaves no room for complacency, demanding a relentless focus on maintaining robust security postures.

Jim Walter, senior threat researcher at SentinelOne, highlighted the consistency and effectiveness of Ghost’s methods in achieving financial gain. His insights reveal that the availability of exploitable tools and vulnerabilities has remained a significant driver of these attacks. The emphasis, therefore, must be on prevention strategies, such as regular backups, diligent patching initiatives, network segmentation, and rigorous education efforts. These steps align with the Cybersecurity and Infrastructure Security Agency’s (CISA) guidance, which outlines best practices for mitigating such threats.

Furthermore, the call to action extends beyond merely responding to ransomware incidents. It involves a holistic approach to cybersecurity that integrates zero-trust architectures and robust endpoint defenses. With threat actors continuously evolving their tactics, the adoption of a zero-trust model helps ensure that no entity, internal or external, is automatically trusted. This paradigm shift requires continuous verification and strict access controls, thereby reducing the opportunities for malicious actors to exploit network vulnerabilities.
