Recent bundles

Multiple security issues were discovered in MediaWiki

2025-04-13T15:06:08 by Alexandre Dulaunoy

JSON

CVE ID: CVE-2025-3469 CVE-2025-32696 CVE-2025-32697 CVE-2025-32698 CVE-2025-32699 CVE-2025-32700

Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure, cross-site scripting or restriction bypass.

Reference https://security-tracker.debian.org/tracker/source-package/mediawiki

For the stable distribution (bookworm), these problems have been fixed in version 1:1.39.12-1~deb12u1.

Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities

2025-04-10T11:32:21 by Alexandre Dulaunoy

JSON

Microsoft has released its monthly security update for April of 2025 which includes 126 vulnerabilities affecting a range of products, including 11 that Microsoft marked as “critical”.

In this month's release, none of the included vulnerabilities have been observed by Microsoft to be exploited in the wild. The eleven "critical” entries are all remote code execution (RCE) vulnerabilities, four of which have been marked as "Exploitation more likely".

Two of the “critical” vulnerabilities listed affect components of the Windows Remote Desktop Services.

CVE-2025-27480 and CVE-2025-27482 are RCE vulnerabilities in components of the Remote Desktop Gateway Service. Both vulnerabilities were given a CVSS 3.1 score of 8.1. To successfully exploit these an attacker could connect to a system with the Remote Desktop Gateway role and trigger a race condition to create a use-after-free scenario, potentially allowing arbitrary code to be executed. Microsoft has assessed that the attack complexity is “high”, and exploitation is “More likely”.

CVE-2025-26663 is an RCE vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) and has been given a CVSS 3.1 score of 8.1. This could be exploited by an attacker by sending a specially crafted LDAP call to trigger a use-after-free vulnerability, allowing arbitrary code to be executed in the context of the LDAP service. An attacker could initiate this by sending a victim an email or message containing a malicious link. Microsoft has assessed that exploitation is “more likely” and that the attack complexity is “high”.

CVE-2025-26670 is a RCE vulnerability in the Lightweight Directory Access Protocol (LDAP) Client and has been given a CVSS 3.1 base score of 8.1. An attacker could exploit this vulnerability by sending sequential specially crafted LDAP requests to a vulnerable LDAP server. Successful exploitation would require an attacker to win a race condition, which could result in a use-after-free that would allow for arbitrary code execution. Microsoft states that exploitation of this vulnerability is “More likely” and that the attack complexity is “high”.

CVE-2025-26686 is an RCE vulnerability in Windows TCP/IP and has been given a CVSS 3.1 base score of 7.5. Due to improperly locked memory in Windows TCP/IP, this vulnerability could allow an attacker to execute arbitrary code over a network. To exploit this an attacker must wait for a user to initiate a connection and send a DHCPv6, to which the attacker would reply with a DHCPv6 response containing a fake IPv6 address. Successful exploitation requires the attacker to win a race condition and make several preparations in the target environment beforehand. Due to this complexity Microsoft has determined that exploitation is "Less likely".

CVE-2025-27491 is an RCE vulnerability in Windows Hyper-V and has a CVSS 3.1 base score of 7.1. An attacker with guest privileges on a network could exploit this by convincing a victim to click a link to a malicious site. Microsoft has determined that exploitation of this vulnerability is “Less likely” and that the attack complexity is “high”.

CVE-2025-29791 is an RCE vulnerability in Microsoft Excel and has a CVSS 3.1 base score of 7.8. An attacker could exploit this by sending a specially crafted document to a victim that triggers a type confusion when opened. Once triggered, the type confusion could lead to arbitrary code execution. Microsoft has assessed that exploitation of this vulnerability is "Less likely".

CVE-2025-27752 is another RCE vulnerability in Microsoft Excel and has a CVSS 3.1 score of 7.8. This is a heap overflow vulnerability and can be exploited by an attacker to locally execute arbitrary code. It has been assessed that exploitation of this vulnerability is considered "Less likely".

CVE-2025-27745, CVE-2025-27748 and CVE-2025-27749 are RCE vulnerabilities in Microsoft Office and all have a CVSS 3.1 base score of 7.8. These could be exploited by an attacker by triggering a use-after-free scenario, allowing for the execution of arbitrary code. Microsoft has determined that exploitation for each is considered "Less likely".

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "More likely":

CVE-2025-27472 - Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2025-27727 - Windows Installer Elevation of Privilege Vulnerability
CVE-2025-29792 - Microsoft Office Elevation of Privilege Vulnerability
CVE-2025-29793 - Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2025-29794 - Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2025-29809 - Windows Kerberos Security Feature Bypass Vulnerability
CVE-2025-29812 - DirectX Graphics Kernel Elevation of Privilege Vulnerability
CVE-2025-29822 - Microsoft OneNote Security Feature Bypass Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58316, 58317, 64432, 64746 - 64757, 64760 - 64762. There are also these Snort 3 rules: 301176 - 301179.

Kaspersky - Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain

2025-03-26T07:46:34 by Alexandre Dulaunoy

JSON

Operation ForumTroll exploits zero-days in Google Chrome | Securelist

Incidents

25 Mar 2025

minute read

In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected.

All malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s sandbox. We quickly analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a zero-day vulnerability affecting the latest version of Google Chrome. We then reported the vulnerability to the Google security team. Our detailed report enabled the developers to quickly address the issue, and on March 25, 2025, Google released an update fixing the vulnerability and thanked us for discovering this attack.

Acknowledgement for finding CVE-2025-2783 (excerpt from security fixes included into Chrome 134.0.6998.177/.178)

We have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is certainly one of the most interesting we’ve encountered. The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist. The cause of this was a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system. We plan to publish the technical details of this vulnerability once the majority of users have installed the updated version of the browser that fixes it.

Our research is still ongoing, but judging by the functionality of the sophisticated malware used in the attack, it seems the attackers’ goal was espionage. The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, “Primakov Readings”, targeting media outlets and educational institutions in Russia. Based on the content of the emails, we dubbed the campaign Operation ForumTroll.

Example of a malicious email used in this campaign (translated from Russian)

At the time of writing, there’s no exploit active at the malicious link – it just redirects visitors to the official website of “Primakov Readings”. However, we strongly advise against clicking on any potentially malicious links.

The exploit we discovered was designed to run in conjunction with an additional exploit that enables remote code execution. Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have required waiting for a new wave of attacks and exposing users to the risk of infection. Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain.

All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack.

We plan to publish a detailed report with technical details about the zero-day exploit, the sophisticated malware, and the attackers’ techniques.

Kaspersky products detect the exploits and malware used in this attack with the following verdicts:

Exploit.Win32.Generic
Trojan.Win64.Agent
Trojan.Win64.Convagent.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
UDS:DangerousObject.Multi.Generic

Indicators of Compromise

primakovreadings[.]info

Latest Posts

Latest Webinars

Reports

In this article, we discuss the tools and TTPs used in the SideWinder APT’s attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors.

Kaspersky researchers analyze EAGERBEE backdoor modules, revealing a possible connection to the CoughingDown APT actor.

While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed “BellaCPP”.

Lazarus targets employees of a nuclear-related organization with a bunch of malware, such as MISTPEN, LPEClient, RollMid, CookieTime and a new modular backdoor CookiePlus.

Related vulnerabilities: CVE-2025-2783

Ingress NGINX Controller for Kubernetes - Vulnerabilities fixed in controller-v1.12.1

2025-03-25T10:40:57 by Alexandre Dulaunoy

JSON

This release fixes the following CVEs:

CVE-2025-1097
CVE-2025-1098
CVE-2025-1974
CVE-2025-24513
CVE-2025-24514

Unfortunately, to fix CVE-2025-1974 it was necessary to disable the validation of the generated NGINX configuration during the validation of Ingress resources.

The resulting NGINX configuration is still checked before the actual loading, so that there are no failures of the underlying NGINX. However, invalid Ingress resources can lead to the NGINX configuration no longer being able to be updated.

To reduce such situations as far as possible, we therefore recommend enabling annotation validation and disabling snippet annotations. In case of doubt, such states can be determined from the logs of the Ingress NGINX Controller. Watch out for a line of dashes followed by "Error:" telling you what went wrong.

Related vulnerabilities: CVE-2025-24513 CVE-2025-24514 CVE-2025-1097 CVE-2025-1974 CVE-2025-1098

Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801)

2025-03-13T09:40:21 by Alexandre Dulaunoy

JSON

Ref: https://blog.lexfo.fr/glpi-sql-to-rce.html

Several GLPI instances have been identified during Red Team engagements. The software is popular with French-speaking companies, some of those even expose their instances directly on the Internet. GLPI has been historically known to harbor multiple easy-to-find vulnerabilities, and because it is often connected to an Active Directory, finding a vulnerability on this application for Red Team engagements or internal infrastructure audits could lead to initial access to the internal network and the recovery of an active directory account.

2024-12-25 - Discovery of the vulnerability
2025-01-28 - Report of the vulnerability through Github Advisories
2025-01-28 - GLPI validates the report and assigns CVE-2025-24801 (exécution de code à distance)
2025-01-28 - GLPI validates the report and assigns CVE-2025-24799 (injection SQL)
2025-02-12 - Release patched version 10.0.18
2025-03-12 - Article released

Related vulnerabilities: CVE-2025-24799 CVE-2025-24801

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0

2025-03-13T05:57:30 by Cédric Bonhomme

JSON

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. More information: https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

Related vulnerabilities: CVE-2024-45409 CVE-2025-25292 CVE-2024-9487 CVE-2025-25291

Cyber Threat Overview 2024 from CERT-FR

2025-03-11T20:37:58 by Cédric Bonhomme

JSON

In this fourth edition of the Cyber Threat Overview, The French Cybersecurity Agency (ANSSI) addresses prevalent cybersecurity threats and the pivotal incidents which occurred in 2024. In line with the previous years, ANSSI estimates that attackers associated with the cybercriminal ecosystem and reputedly linked to China and Russia are three of the main threats facing both critical information systems and the national ecosystem as a whole.

This past year was also marked by the hosting of the Paris Olympic and Paralympic Games and by the number and the impact of vulnerabilities affecting information systems’ security edge devices.

CVE	SCORE CVSS3.x	ÉDITEUR	RISQUE	RÉFÉRENCE CERT-FR
CVE-2024-21887	9.1	IVANTI	Remote execution of arbitrary code, security policy and authentication bypass, access to restricted resources on different security and VPN gateways	CERTFR-2024-ALE-001, CERTFR-2024-AVI-0109, CERTFR-2024-AVI-0085
CVE-2023-46805	8.2	IVANTI	Remote execution of arbitrary code, security policy and authentication bypass on different security and VPN gateways	CERTFR-2024-ALE-0097
CVE-2024-21893	8.2	IVANTI
CVE-2024-3400	10.0	PALO ALTO NETWORKS	Remote execution of arbitrary code on different security devices	CERTFR-2024-ALE-006, CERTFR-2024-AVI-0307
CVE-2022-42475	9.8	FORTINET	Remote execution of arbitrary code on different SSL VPN gateways	CERTFR-2022-ALE-012, CERTFR-2022-AVI-1090
CVE-2024-8963	9.4	IVANTI	Remote execution of arbitrary code and security policy bypass on different security and VPN gateways	CERTFR-2024-ALE-013, CERTFR-2024-AVI-0796, CERTFR-2024-AVI-0917
CVE-2024-8190	7.2	IVANTI		CERTFR-2024-ALE-014, CERTFR-2024-AVI-0917
CVE-2024-47575	9.8	FORTINET	Remote execution of arbitrary code on different security devices	CERTFR-2024-ALE-014, CERTFR-2024-AVI-0917
CVE-2024-21762	9.8	FORTINET	Remote execution of arbitrary code on different security devices	CERTFR-2024-ALE-004, CERTFR-2024-AVI-0108
CVE-2021-44228	10.0	APACHE	Remote execution of arbitrary code	CERTFR-2021-ALE-022
CVE-2024-24919	8.6	CHECK POINT	Breach of data confidentiality	CERTFR-2024-ALE-008, CERTFR-2024-AVI-0449

VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

2025-03-04T15:17:20 by Alexandre Dulaunoy

JSON

Ref: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Impacted Products

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion
VMware Cloud Foundation
VMware Telco Cloud Platform

Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. 3a. VMCI heap-overflow vulnerability (CVE-2025-22224)

Description: VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution: To remediate CVE-2025-22224 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22224 has occurred in the wild. 3b. VMware ESXi arbitrary write vulnerability (CVE-2025-22225)

Description: VMware ESXi contains an arbitrary write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors: A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Resolution: To remediate CVE-2025-22225 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22225 has occurred in the wild. 3c. HGFS information-disclosure vulnerability (CVE-2025-22226)

Description: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors: A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Resolution: To remediate CVE-2025-22226 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds: None.

Additional Documentation: A supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004

Acknowledgements: VMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.

Notes: VMware by Broadcom has information to suggest that exploitation of CVE-2025-22226 has occurred in the wild.

Related vulnerabilities: CVE-2025-22225 CVE-2025-22224 CVE-2025-22226

StopRansomware: Ghost (Cring) Ransomware | CISA

2025-03-03T08:51:11 by Alexandre Dulaunoy

JSON

StopRansomware: Ghost (Cring) Ransomware | CISA

Cybersecurity Advisory

Release Date

February 19, 2025

Alert Code

AA25-050A

Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity

Maintain regular system backups stored separately from the source systems which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
Common Vulnerabilities and Exposures (CVE): CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).

Execution

Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

Persistence

Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

Privilege Escalation

Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.

See Table 1 for a descriptive listing of tools.

Credential Access

Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

Defense Evasion

Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

Discovery

Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

Lateral Movement

Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine.

In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.

Exfiltration

Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

Command and Control

Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.

For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

Note: Table 2 contains a list of Ghost ransom email addresses.

Impact and Encryption

Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.

Indicators of Compromise (IOC)

Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

Note: Authors of these tools generally state that they should not be used in illegal activity.

Table 1: Tools Leveraged by Ghost Actors

Name

Description

Source

Cobalt Strike

Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike.

N/A

IOX

Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device.

github[.]com/EddieIvan01/iox

SharpShares.exe

SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery.

github[.]com/mitchmoser/SharpShares

SharpZeroLogon.exe

SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller.

github[.]com/leitosama/SharpZeroLogon

SharpGPPPass.exe

SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords.

N/A

SpnDump.exe

SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration.

N/A

NBT.exe

A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration.

github[.]com/BronzeTicket/SharpNBTScan

BadPotato.exe

BadPotato.exe is an exploitation tool used for privilege escalation.

github[.]com/BeichenDream/BadPotato

God.exe

God.exe is a compiled version of GodPotato and is used for privilege escalation.

github[.]com/BeichenDream/GodPotato

HFS (HTTP File Server)

A portable web server program that Ghost actors use to host files for remote access and exfiltration.

rejitto[.]com/hfs

Ladon 911

A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144.

github[.]com/k8gege/Ladon

Web Shell

A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access.

Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity

File name

MD5 File Hash

Cring.exe

c5d712f82d5d37bb284acd4468ab3533

Ghost.exe

34b3009590ec2d361f07cac320671410

d9c019182d88290e5489cdf3b607f982

ElysiumO.exe

29e44e8994197bdb0c2be6fc5dfc15c2

c9e35b5c1dc8856da25965b385a26ec4

d1c5e7b8e937625891707f8b4b594314

Locker.exe

ef6a213f59f3fbee2894bd6734bbaed2

iex.txt, pro.txt (IOX)

ac58a214ce7deb3a578c10b97f93d9c3

x86.log (IOX)

c3b8f6d102393b4542e9f951c9435255

0a5c4ad3ec240fbfd00bdc1d36bd54eb

sp.txt (IOX)

ff52fdf84448277b1bc121f592f753c5

main.txt (IOX)

a2fd181f57548c215ac6891d000ec6b9

isx.txt (IOX)

625bd7275e1892eac50a22f8b4a6355d

sock.txt (IOX)

db38ef2e3d4d8cb785df48f458b35090

Ransom Email Addresses

Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

Table 3: Ransom Email Addresses

Email Addresses

[email protected]

Ransom Notes

Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.

MITRE ATT&CK Tactics and Techniques

See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access

Technique Title

Use

Exploit Public-Facing Application

T1190

Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.

Table 5: Execution

Technique Title

Use

Windows Management Instrumentation

T1047

Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.

PowerShell

T1059.001

Ghost actors use PowerShell for various functions including to deploy Cobalt Strike.

Windows Command Shell

T1059.003

Ghost actors use the Windows Command Shell to download malicious content on to victim servers.

Table 6: Persistence

Technique Title

Use

Account Manipulation

T1098

Ghost actors change passwords for already established accounts.

Local Account

T1136.001

Ghost actors create new accounts or makes modifications to local accounts.

Domain Account

T1136.002

Ghost actors create new accounts or makes modifications to domain accounts.

Web Shell

T1505.003

Ghost actors upload web shells to victim servers to gain access and for persistence.

Table 7: Privilege Escalation

Technique Title

Use

Exploitation for Privilege Escalation

T1068

Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.

Token Impersonation/Theft

T1134.001

Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege.

Table 8: Defense Evasion

Technique Title

Use

Application Layer Protocol: Web Protocols

T1071.001

Ghost actors use HTTP and HTTPS protocols while conducting C2 operations.

Impair Defenses: Disable or Modify Tools

T1562.001

Ghost actors disable antivirus products.

Hidden Window

T1564.003

Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows.

Table 9: Credential Access

Technique Title

Use

OS Credential Dumping

T1003

Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes.

Table 10: Discovery

Technique Title

Use

Remote System Discovery

T1018

Ghost actors use tools like Ladon 911 and ShapNBTScan for remote systems discovery.

Process Discovery

T1057

Ghost actors run a ps command to list running processes on an infected device.

Domain Account Discovery

T1087.002

Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts.

Network Share Discovery

T1135

Ghost actors use various tools for network share discovery for the purpose of host enumeration.

Software Discovery

T1518

Ghost actors use their access to determine which antivirus software is running.

Security Software Discovery

T1518.001

Ghost actors run Cobalt Strike to enumerate running antivirus software.

Table 11: Exfiltration

Technique Title

Use

Exfiltration Over C2 Channel

T1041

Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.

Exfiltration to Cloud Storage

T1567.002

Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.

Table 12: Command and Control

Technique Title

Use

Web Protocols

T1071.001

Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS.

Ingress Tool Transfer

T1105

Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.

Standard Encoding

T1132.001

Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement.

Encrypted Channel

T1573

Ghost actors use encrypted email platforms to facilitate communications.

Table 13: Impact

Technique Title

Use

Data Encrypted for Impact

T1486

Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.

Inhibit System Recovery

T1490

Ghost actors delete volume shadow copies.

Mitigations

The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
Train users to recognize phishing attempts.
Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
- Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
- Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
Limit exposure of services by disabling unused ports such as, RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls.
Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].

Validate Security Controls

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 3 to Table 13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Reporting

Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.

The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center ([email protected]) or by calling 1-844-Say-CISA (1-844-729-2472).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.

Version History

February 19, 2025: Initial version.

This product is provided subject to this Notification and this Privacy & Use policy.

Recent bundles

Operation ForumTroll exploits zero-days in Google Chrome | Securelist

Indicators of Compromise

Latest Posts

Latest Webinars

Reports

Impacted Products

Introduction

StopRansomware: Ghost (Cring) Ransomware | CISA

Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Ghost (Cring) Ransomware Activity

Summary

Technical Details

Initial Access

Execution

Persistence

Privilege Escalation

Credential Access

Defense Evasion

Discovery

Lateral Movement

Exfiltration

Command and Control

Impact and Encryption

Indicators of Compromise (IOC)

Ransom Email Addresses

Ransom Notes

MITRE ATT&CK Tactics and Techniques

Mitigations

Validate Security Controls

Reporting

Disclaimer

Version History

Tags