US Federal Agencies Warn of Chinese Hackers Compromising Organizations in 70 Countries
Organizations are encouraged to regularly update their applications and software and to rectify known network vulnerabilities to avert such cyberattacks.
A ransomware group known as “Ghost” is taking advantage of network vulnerabilities within various organizations to infiltrate their systems, as indicated by a joint advisory from several U.S. federal agencies.
The attacks have been aimed at schools and universities, government networks, critical infrastructure, as well as technology, manufacturing, and healthcare sectors, including numerous small and medium-sized enterprises.
“This indiscriminate targeting of vulnerable networks has resulted in the compromise of organizations across more than 70 countries, including those in China,” stated CISA, the FBI, and the Multi-State Information Sharing and Analysis Center in the advisory.
Ghost actors have also been identified by other aliases such as Cring, Crypt3r, HsHarada, Hello, Wickrme, Phantom, Rapture, and Strike.
The criminals exploit “common vulnerabilities and exposures” (CVEs) to gain unauthorized access to servers, using publicly available exploit code. They specifically target weaknesses in servers running Adobe ColdFusion, Microsoft Exchange, and Microsoft SharePoint.
Threat actors utilize various tools to “collect passwords and/or password hashes to facilitate unauthorized logins and privilege escalation or to pivot to other victim devices,” the advisory indicated. Typically, these attackers spend only a few days within their targets’ networks.
The advisory suggests organizations remedy known network vulnerabilities promptly by implementing “timely security updates” for firmware, software, and operating systems.
The advisory also says organizations should train users to recognize phishing attempts, and should identify, investigate, and alert on any instances of “abnormal network activity.”
“Regular system backups that are known to be good and stored offline or segmented from source systems should be maintained,” the advisory further noted.
“Victims of Ghost ransomware whose backups were unaffected by the attack were frequently able to restore operations without the need to engage with Ghost actors or pay any ransom.”
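The advisory's point about backups that are "known to be good" turns on being able to prove, before a restore, that a backup set has not been touched since it was taken. The script below is an added example, not code from the advisory or the agencies that issued it: it records a SHA-256 manifest of a file-based backup, assumes that manifest is stored apart from the source system (here a separate directory stands in for offline storage), and then refuses a backup copy in which files have been overwritten, renamed, or added. All file names and contents are constructed for the demonstration.

```python
"""Added example (not from the advisory): verify that a backup set is still
"known good" before restoring from it, by checking every file against a
SHA-256 manifest captured when the backup was made and kept apart from the
source system. Sample data is constructed; the script runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the digest of every regular file under backup_root, keyed by relative path."""
    return {
        str(p.relative_to(backup_root)): sha256_of(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup set against a manifest captured earlier.

    Returns the relative paths that are missing, modified (digest mismatch),
    or unexpected (present but not in the manifest). The backup is only
    'known good' when all three lists are empty.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(
        rel for rel in manifest if rel in current and current[rel] != manifest[rel]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: take a backup, keep the manifest in a separate
    store, then alter the backup copy and confirm verification rejects it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"          # the backup set itself
        offline = root / "offline_store"  # stands in for offline/segmented storage
        backup.mkdir()
        offline.mkdir()
        (backup / "config.yaml").write_text("db_host: example.invalid\n")
        (backup / "records.csv").write_text("id,name\n1,alice\n")

        # Manifest captured at backup time and written to the separate store.
        manifest_path = offline / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        clean = verify_backup(backup, json.loads(manifest_path.read_text()))

        # Simulate an intruder altering the backup copy: one file renamed,
        # one overwritten. The manifest in the separate store is untouched.
        (backup / "records.csv").rename(backup / "records.csv.locked")
        (backup / "config.yaml").write_text("garbage\n")

        tampered = verify_backup(backup, json.loads(manifest_path.read_text()))
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest's separation from the system being backed up: if an intruder who can encrypt the backup can also rewrite the manifest, both will agree and the check passes. Keeping the manifest on offline or segmented storage, as the advisory recommends for the backups themselves, is what makes a mismatch meaningful.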
Chinese Pre-Positioning
The advisory is part of a broader initiative to combat ransomware threats.
Volt Typhoon, a Beijing-supported cyber actor, has successfully breached the IT networks of multiple critical infrastructure entities within sectors such as energy, transportation, communications, and water systems.
Hackers managed to steal customer call records and private communications from “a limited number of individuals primarily involved in government or political activities.”
Rep. Mark Green (R-Tenn.), chairman of the House Committee on Homeland Security, stated, “The Chinese Communist Party’s exploitation of vulnerabilities in major internet service providers is merely the latest alert as Beijing, Tehran, and Moscow strive to gain strategic advantages through cyber espionage, manipulation, and destruction.”