In a recent security update, the Federal Bureau of Investigation (FBI) has issued a critical advisory urging organizations to maintain regular system backups in light of the dangerous Ghost ransomware campaign that has been targeting multiple industry sectors across more than 70 countries. The sophisticated attacks, originating from China, have been exploiting known vulnerabilities in software and firmware, highlighting the urgent need for organizations worldwide to bolster their cybersecurity defenses and employ robust risk management practices.
The advisory explains how Ghost ransomware actors are leveraging publicly available codes to exploit security vulnerabilities in internet-facing servers, including Fortinet FortiOS appliances and servers running Adobe ColdFusion, Microsoft SharePoint, and Microsoft Exchange. These vulnerabilities, some of which date back as far as 2009, make systems particularly susceptible to attack if not properly patched. The following steps outline how organizations can safeguard their data from this relentless ransomware campaign.
Maintain Regular System Backups
One of the most critical actions organizations can take is to keep consistent backups of systems stored independently from the main systems. By ensuring these backups cannot be modified or encrypted by possibly compromised network equipment, organizations can make sure they have a reliable way to restore data in the event of a ransomware attack. The advisory emphasizes that these backups should be maintained offline or in a separate, secure location unaffected by the primary network.
Documenting a comprehensive backup strategy is essential for maintaining business continuity. Regularly scheduled backups should include all critical data, apps, and configurations necessary to restore normal operations. Additionally, organizations need to verify and test backup procedures to confirm data integrity and recovery capabilities, ensuring that backup files are not infected or corrupted. Implementing a vigilant backup regimen greatly enhances an organization’s ability to mitigate the consequences of a ransomware attack, thus preventing catastrophic data loss and prolonged system downtime.
Patch Known Vulnerabilities
Fixing known security weaknesses by promptly applying security updates to operating systems, applications, and firmware within a timeframe informed by risk assessment is another vital protective measure. The FBI advisory lists several Common Vulnerabilities and Exposures (CVEs) exploited by the Ghost ransomware, including CVE-2009-3960, CVE-2010-2861, CVE-2018-13379, CVE-2019-0604, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523. These vulnerabilities, some of which are over a decade old, stress the importance of staying up-to-date with security patches.
Regularly updating and patching systems can significantly reduce the attack surface available to ransomware actors. Organizations must prioritize the timely application of patches by developing a risk-informed patch management protocol. By conducting risk assessments, IT teams can identify and address the most critical vulnerabilities first, minimizing the window of exposure. Automated tools for patch management can further streamline this process, ensuring that no vulnerabilities are missed or left unaddressed.
Segment Networks to Restrict Lateral Movement
Dividing networks to limit the spread of ransomware from initially compromised devices to other devices within the same organization can greatly improve security. The FBI advises segmenting networks as a means of containing and isolating malware infections, preventing threat actors from moving laterally across the network once inside. This segmentation approach minimizes the potential damage and limits the attacker’s ability to access additional resources and sensitive data.
Network segmentation involves dividing an organization’s network into smaller, more manageable segments or subnetworks. Each segment can enforce its security controls and provide an additional layer of defense. By implementing access control lists (ACLs), firewalls, and monitoring tools within each segment, organizations can detect and respond to suspicious activity more effectively. Additionally, organizations should separate critical systems and data storage from less secure segments, ensuring that even if one section is compromised, the attack does not lead to a total network breach.
Require Phishing-Resistant MFA for All Accounts
Mandating phishing-resistant multi-factor authentication (MFA) for accessing all privileged accounts and email service accounts is a critical step in preventing unauthorized access and enhancing security. MFA provides an additional layer of defense by requiring users to authenticate their identity through multiple verification methods, making it significantly more challenging for attackers to gain access using stolen credentials.
Organizations should implement phishing-resistant MFA solutions that leverage methods such as biometrics, hardware tokens, or app-based authenticators. These methods are inherently more secure than traditional username and password combinations, which can be easily compromised through phishing attacks. By deploying MFA across all privileged and email accounts, organizations can reduce the risk of unauthorized access and minimize the likelihood of successful credential theft.
Stay Proactive and Vigilant
In addition to the outlined steps, the FBI recommends organizations adopt several other measures to enhance their cybersecurity posture. Conducting regular phishing awareness training for users ensures they can recognize and avoid potential threats. Applying the principle of least privilege when granting permissions restricts access to only what is necessary, reducing the risk of internal compromise. Disabling unused ports and implementing application allowlisting prevent unauthorized execution and access, further strengthening an organization’s defenses.
While the Ghost ransomware campaign demonstrates the vulnerabilities exposed by outdated and unpatched systems, it also reinforces the importance of proactive risk management and vigilant security practices. By ensuring software, firmware, and identity systems are continuously updated and hardened, organizations can significantly reduce their risk profile.
Expert Insights on Addressing Ghost Ransomware
Security professionals have emphasized the need for organizations to adopt a comprehensive and layered approach to cybersecurity. Juliette Hudson, CTO at CybaVerse, stresses the importance of prioritizing patching and remediation efforts. Darren Guccione, CEO of Keeper Security, highlights the need for continuous updates and identity security measures to prevent lateral movement. Joe Silva, CEO at Spektion, warns of patch fatigue and the need for real-time insights into software behavior to effectively manage vulnerabilities.
The credential theft capabilities of Ghost ransomware serve as a stark reminder of the importance of robust access controls. Rom Carmel, CEO at Apono, advises organizations to enforce precise, right-sized privileges and limit access to high-value resources to reduce the blast radius of potential account compromises. Agnidipta Sarkar, VP CISO advisory at ColorTokens, underscores the importance of understanding how attackers find their victims and emphasizes the need to address lateral movement within critical infrastructure.
The Importance of Long-Term Planning
Tim Mackey, head of software supply chain risk strategy at Black Duck, emphasizes the need for long-term operations and risk mitigation plans. Given the longevity of cyber-physical and Internet of Things devices, organizations must work closely with their suppliers to ensure the availability of patches and the sharing of threat scenario data to stay ahead of evolving threats.
Conclusion: Immediate Actions to Mitigate Risk
Tim Mackey, who leads the software supply chain risk strategy at Black Duck, stresses the importance of developing and maintaining long-term operational and risk mitigation plans. As cyber-physical systems and Internet of Things (IoT) devices continue to play crucial roles in modern technology, their longevity necessitates proactive measures to ensure their security. Organizations must establish strong collaborations with their suppliers to guarantee the timely availability of patches and updates. Sharing threat scenario data and information about vulnerabilities is essential to staying ahead of continually evolving cyber threats.
Given the intricate nature and extended life cycles of these devices, it is crucial for companies to not only address immediate security concerns but also anticipate future risks. Effective communication and coordination with suppliers can result in a more resilient defense posture. This approach allows for a quicker response to emerging threats and reduces potential impacts on business operations. Staying informed and prepared is key to navigating the complex landscape of cyber threats, and long-term planning is vital for the ongoing security and functionality of IoT and cyber-physical systems.