Happy Friday everyone!
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a #cybersecurity advisory focusing on the #Ghost ransomware threat. They provide us with some updates to the TTPs and behaviors in the group's activity and what we can hunt for!
Behaviors (MITRE ATT&CK):
Initial Access - TA0001
Exploit Public-Facing Application - T1190 - the group exploited many CVEs to gain their initial foothold. They exploited Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Defense Evasion - TA0005
Impair Defenses: Disable or Modify Tools - T1562.001 - Ghost frequently runs a command to disable Windows Defender on network-connected devices.
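Since the advisory only says that Defender gets disabled, here is an added hunting snippet (my own example, not code from the CISA/FBI advisory or from Ghost tooling) that checks a Windows host for the usual footprints of that behavior: current Defender state, the policy registry values that turn it off, the Defender operational log events that fire when protection is switched off, and process-creation events that mention Defender-disabling commands. Assumptions: it runs as a local administrator on the host being checked (wrap it in Invoke-Command to sweep remote hosts), Security event 4688 with command-line auditing is enabled for the last step, and the 30-day lookback is an arbitrary choice.

```powershell
# Added hunting example for T1562.001 (Defender disabled); not from the advisory.
# Assumes local admin rights. Use Invoke-Command -ComputerName ... to run at scale.
$lookback = (Get-Date).AddDays(-30)   # arbitrary window, adjust to your retention

# 1. Effective Defender state right now
$mp = Get-MpComputerStatus
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    TamperProtection   = $mp.IsTamperProtected
}

# 2. Policy registry values commonly set to turn Defender off
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
foreach ($k in $policyKeys) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k |
            Select-Object PSPath, DisableAntiSpyware, DisableRealtimeMonitoring, DisableBehaviorMonitoring
    }
}

# 3. Defender operational log:
#    5001 = real-time protection disabled, 5010 = anti-malware scanning disabled,
#    5012 = antivirus scanning disabled, 5007 = configuration changed
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5010, 5012
    StartTime = $lookback
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Process creation (needs 4688 with command-line auditing, or Sysmon EID 1)
#    Look for the usual ways Defender gets switched off from a shell.
$pattern = 'Set-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware|MpCmdRun'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $lookback } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Message
```

A hit in step 3 or 4 on a host where nobody in IT intentionally disabled Defender is the thing to pivot on; correlate it with the public-facing application logs from the T1190 systems above to find the first host the actors touched.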
There are plenty of other technical and behavior artifacts in the report, so go check it out yourself! Enjoy and Happy Hunting!
#StopRansomware: Ghost (Cring) Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday