Skip to main content
close search
site logo
Dive Brief

US authorities warn Ghost ransomware leverages older CVEs

The China-linked threat group has targeted critical infrastructure providers in more than 70 countries.

Published Feb. 20, 2025
David Jones's headshot
Reporter
Rendered image depicting global networks.
DKosig via Getty Images

Dive Brief:

  • Federal authorities on Wednesday warned that Ghost ransomware has compromised organizations as recently as January by exploiting older vulnerabilities to attack internet-facing services that rely on outdated software and firmware. 
  • The China-linked threat group, also known as Cring, has targeted a range of critical infrastructure providers including schools, healthcare providers, governments and manufacturers since 2001, according to an advisory led by the FBI and Cybersecurity and Infrastructure Security Agency.
  • The threat group has leveraged vulnerabilities in Fortinet FortiOS, Adobe ColdFusion, Microsoft SharePoint and Microsoft Exchange, according to the joint advisory.

Dive Insight:

The advisory is part of an ongoing series of warnings from CISA and the FBI about financially motivated groups targeting key industries. 

Ghost threat actors are known to upload web shells to compromised servers and leverage Windows Command Prompt or PowerShell to download Cobalt Strike, according to the advisory. The attackers typically only spend a few days on targeted networks, often deploying ransomware on the day of the initial compromise. 

The threat group exploited older vulnerabilities, including CVE-2018-13379, CVE-2010-2861, CVE-2021-31207, CVE-2021-34473 and others. 

Authorities recommend security teams take the following actions to protect against attacks:

  • Segment networks to restrict lateral movement. 
  • Mandate phishing-resistant multifactor authentication for access to privileged accounts and email service accounts. 
  • Monitor for unauthorized use of PowerShell. 
  • Disable unused ports to limit exposure.

Editors' picks

Company Announcements

View all | Post a press release
Whalebone Secures €13.35M in Funding to Accelerate Global Growth and Innovation
From Whalebone
February 18, 2025
Whalebone Strengthens APAC Cybersecurity with New Major Telco Partners
From Whalebone
February 11, 2025
Invary’s Mission to Ensure the Confidentiality and Security of Systems at Runtime Accelerates …
From Invary
February 03, 2025
Cobalt Iron Compass® Named a DCIG TOP 5 Enterprise VMware Backup Solution for 2025-26
From Cobalt Iron
February 05, 2025
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.