
Cyber Threat Intelligence Report

This week we briefed our clients on a joint CISA/FBI release on Ghost ransomware, a group that has been targeting organizations with poor software patching practices.

KEY TAKEAWAYS

  • New CISA/FBI joint advisory on Ghost ransomware group. Learn about their TTPs and how to protect your organization.
  • Critical vulnerabilities in Palo Alto, Progress Software, SonicWall, Juniper, Xerox, OpenSSH, and Citrix. Patch now!



 

CISA Publishes TTPs for Ghost (Cring) Ransomware

Last week, CISA and the FBI released a joint #StopRansomware publication highlighting the TTPs of Ghost ransomware. The group has been active since 2021 but has recently been gathering momentum. They have claimed victims across multiple industry verticals and in over 70 countries. Attribution for this group has been difficult, as they tend to change various aspects of their naming conventions, such as the file extensions of encrypted files, the contents of the ransom notes, and the ransomware executable itself. Ghost ransomware has also been tracked as Cring, Crypt3r, Phantom, Stike, Hello, Wickrme, HsHarada, and Rapture. As we will see below, their wide range of victims is due to their targeting of well-known vulnerabilities where patches have not been applied.

 

Initial Access

Ghost ransomware targets organizations that have not patched known vulnerabilities in public-facing software and appliances. Known vulnerabilities that Ghost has exploited include CVE-2018-13379 in Fortinet FortiOS, CVE-2010-2861 and CVE-2009-3960 in Adobe ColdFusion, CVE-2019-0604 in Microsoft SharePoint, and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (a.k.a. ProxyShell) in Microsoft Exchange. This selection of vulnerabilities highlights the fact that Ghost ransomware targets organizations with poor software patching practices (low-hanging fruit).

 

Tools of the Trade

Ghost actors use a variety of commercial and open-source tools to complete their objectives. They do not rely on any custom tooling, with the exception of their ransomware encryptor. The group typically has a short dwell time in the victim environment and has been observed deploying ransomware the same day as initial compromise. They deploy a web shell on the initially compromised servers for persistence. Ghost then relies heavily on the commercial red-teaming tool Cobalt Strike. They leverage Cobalt Strike to run processes as SYSTEM, and also use the "hashdump" function of Mimikatz to steal credentials. Additional open-source tools such as "SharpZeroLogon", "BadPotato", and "GodPotato" are also used for privilege escalation.

Command and Control (C2) functionality leverages Cobalt Strike almost exclusively. According to the advisory, Ghost rarely registers domains for their C2 servers and instead will directly reference the C2 IP address with a specific URI, such as http://xxx.xxx.xxx.xxx:80/google.com.
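The bare-IP C2 URL shape described above can be turned into a simple proxy-log check. This is an added example, not code from the advisory or from PacketWatch; the log line format, the sample entries, and the "domain-shaped path" heuristic are constructed assumptions for illustration.

```python
"""Flag proxy-log requests whose host is a bare IP and whose URI path reads like a
domain name, the Ghost C2 beacon shape noted in the CISA/FBI advisory."""
import ipaddress
import re
from urllib.parse import urlsplit

# Path segment shaped like a registrable domain, e.g. "google.com" (heuristic).
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.IGNORECASE)
# Static-content names like "index.html" also match the pattern; exclude them.
FILE_EXTENSIONS = {"html", "htm", "js", "css", "png", "jpg", "gif", "ico", "txt", "xml", "json"}

def bare_ip_host(url):
    """Return the parsed IP address when the URL host is a literal IP, else None."""
    try:
        host = urlsplit(url).hostname
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None

def domain_like_path(url):
    """True when the first path segment looks like a hostname rather than a file."""
    first = urlsplit(url).path.strip("/").split("/", 1)[0]
    if not first or DOMAIN_LIKE.match(first) is None:
        return False
    return first.rsplit(".", 1)[1].lower() not in FILE_EXTENSIONS

def is_suspicious_c2_url(url):
    """Bare-IP host plus domain-shaped path, e.g. http://203.0.113.7:80/google.com."""
    return bare_ip_host(url) is not None and domain_like_path(url)

def scan_proxy_log(lines):
    """Constructed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of failing the whole scan
        timestamp, client, _method, url, _status = fields[:5]
        if is_suspicious_c2_url(url):
            hits.append((timestamp, client, url))
    return hits

# Constructed sample log; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    "2025-02-24T10:01:02Z 10.0.5.21 GET https://www.example.com/index.html 200",
    "2025-02-24T10:01:09Z 10.0.5.21 GET http://203.0.113.7:80/google.com 200",
    "2025-02-24T10:02:15Z 10.0.5.40 GET http://10.0.0.9/index.html 200",
    "malformed line",
]
```

Hits are a triage lead, not a verdict: internal tooling that talks to bare IPs is common, so tune the extension list and pair the rule with the destination's reputation before alerting.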

Ghost does not typically exfiltrate large quantities of sensitive data. However, when they do exfiltrate data, they consistently use the file upload site Mega[.]nz, a common upload site for ransomware groups due to its free file hosting capabilities.

Also of note in the advisory is that Ghost tends to simply move on to other targets when they come across hardened environments, such as those with proper network segmentation to prevent lateral movement.

 

How to Protect your Organization

Ghost ransomware has claimed victims all over the globe, but its victimology is concentrated in organizations with sub-par security practices. Following standard cybersecurity best practices will make organizations resilient to threat actors such as Ghost. This includes:

  • Patch known vulnerabilities - Maintain a patch management program that consistently patches known vulnerabilities in a timely manner, especially vulnerabilities affecting assets that are internet-facing.
  • Network segmentation - Proper network segmentation restricts lateral movement and greatly increases the effort required for a threat actor to fully compromise a network.
  • Maintain regular backups - In situations where a ransomware payload is successfully detonated, having secure "known-good" backups will help get the network restored in a timely manner and eliminate any need to pay a ransom.
  • Implement allow-listing for applications - This will prevent unauthorized execution of unwanted applications.
  • EDR on all endpoints - Having fully up-to-date EDR solutions on all endpoints will detect and prevent many of the tools leveraged by Ghost and other ransomware groups.
  • Limit exposure of services - Disable unused ports/services at the network perimeter. Highly targeted and vulnerable ports such as 3389 (RDP), 21 (FTP), and 445 (SMB) should never be exposed to the open internet.
  • For additional network hardening and security recommendations, readers are strongly encouraged to read the full advisory here.

 


Vulnerability Roundup

 

Palo Alto Networks PAN-OS Authentication Bypass Under Active Exploitation

An authentication bypass vulnerability in PAN-OS, tracked as CVE-2025-0108, was patched earlier this month. Since its disclosure, a proof-of-concept exploit has shown that it can be chained with CVE-2024-9474 (a privilege escalation vulnerability patched in November 2024) to gain root privileges on PAN-OS firewalls. Shortly after, Palo Alto updated their security advisory for CVE-2025-0108 to state that they have observed exploit attempts chaining CVE-2025-0108, CVE-2024-9474, and CVE-2025-0111 (a file read vulnerability in the PAN-OS management interface). This exploit chain relies not only on the device being unpatched, but also on the management web interface being exposed to the open internet. Administrators are strongly urged to update to the latest version and restrict access to the management web interface. Affected PAN-OS versions for CVE-2025-0108 are below:

 

Fig. 1: CVE-2025-0108 Affected PAN-OS Versions | Source: Palo Alto Networks



High Severity Vulnerabilities in Progress Software LoadMaster

A set of high-severity vulnerabilities in Progress Software LoadMaster (a high-performance application delivery controller) was recently disclosed. The first four vulnerabilities, CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135, are input validation flaws that allow remote threat actors who have access to the LoadMaster management interface and are successfully authenticated to execute arbitrary system commands via crafted HTTP requests.

The final vulnerability, tracked as CVE-2024-56134, allows remote threat actors with the same set of conditions as the other vulnerabilities to download the content of any file on the system via crafted HTTP requests. While no exploitation has been observed in the wild, administrators are urged to patch as soon as possible. Below are the affected versions:

  • LoadMaster versions from 7.2.55.0 to 7.2.60.1 (inclusive) - Fixed in 7.2.61.0 (GA)
  • LoadMaster versions from 7.2.49.0 to 7.2.54.12 (inclusive) - Fixed in 7.2.54.13 (LTSF)
  • LoadMaster version 7.2.48.12 and prior - Upgrade to LTSF or GA
  • Multi-Tenant LoadMaster version 7.1.35.12 and prior - Fixed in 7.1.35.13 (GA)

 

Exploit Released for SonicWall SonicOS Authentication Bypass

Bishop Fox has published exploit code for a high-severity authentication bypass vulnerability in SonicWall's SonicOS. The vulnerability, tracked as CVE-2024-53704, was initially disclosed by SonicWall on January 7 and was reviewed in the January 13th PacketWatch Intel Report. Public exploit code significantly increases the risk of exploitation, so administrators are urged to patch immediately if they have not already. If patching is not feasible, SonicWall recommends disabling the SSLVPN feature on the device.

 

Juniper Session Smart Routers Authentication Bypass

Juniper recently disclosed a critical authentication bypass vulnerability, tracked as CVE-2025-21589, that affects their Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The security advisory states that this vulnerability is not currently under active exploitation; however, administrators are strongly encouraged to patch as soon as possible. Affected products and versions are below:

Session Smart Router:

  • from 5.6.7 before 5.6.17,
  • from 6.0.8,
  • from 6.1 before 6.1.12-lts,
  • from 6.2 before 6.2.8-lts,
  • from 6.3 before 6.3.3-r2;

Session Smart Conductor:

  • from 5.6.7 before 5.6.17,
  • from 6.0.8,
  • from 6.1 before 6.1.12-lts,
  • from 6.2 before 6.2.8-lts,
  • from 6.3 before 6.3.3-r2;

WAN Assurance Managed Routers:

  • from 5.6.7 before 5.6.17,
  • from 6.0.8,
  • from 6.1 before 6.1.12-lts,
  • from 6.2 before 6.2.8-lts,
  • from 6.3 before 6.3.3-r2.

 

Xerox MFPs Allow Attackers to Steal Credentials

A pair of vulnerabilities in the Xerox VersaLink C7025 multifunction printer (MFP), tracked as CVE-2024-12510 and CVE-2024-12511, were recently disclosed. These vulnerabilities allow for what is known as a pass-back attack, where the threat actor alters the MFP's configuration and causes the printer to send authentication credentials back to the threat actor. The attacks can be used to steal authentication data for LDAP, SMB, and FTP services. A detailed review of the vulnerabilities can be found on Rapid7's blog here. Affected firmware versions are 57.69.91 and earlier. Administrators are urged to download and install the latest firmware here. If patching is not possible, additional mitigations include setting a complex password for the admin account, avoiding the use of Windows authentication accounts with elevated privileges, and not enabling the remote-control console for unauthenticated users.

 

OpenSSH Man-in-the-Middle and Denial-of-Service Vulnerabilities

Two new vulnerabilities in OpenSSH discovered by Qualys were recently disclosed. The first, tracked as CVE-2025-26465, is classified as a man-in-the-middle (MiTM) vulnerability. A successful attack allows a threat actor to trick the client into accepting a "rogue" server key, bypassing host verification and allowing the threat actor to hijack the SSH session to steal credentials, inject commands, and exfiltrate data. This vulnerability was introduced in December 2014 with OpenSSH version 6.8p1, and all later versions prior to the fix are affected. There is one caveat: for the SSH client to be vulnerable, the "VerifyHostKeyDNS" option must be set to "yes" or "ask". The default is "no", so only OpenSSH configurations where this option has been changed are vulnerable.

The second vulnerability is a pre-authentication denial of service vulnerability, tracked as CVE-2025-26466. This affects all OpenSSH versions since OpenSSH 9.5p1 (August 2023). The vulnerability allows a remote attacker to repeatedly send small 16-byte ping messages to the vulnerable server, which forces it to buffer 256-byte responses, eventually leading to excessive memory consumption and CPU overload. Administrators are strongly encouraged to upgrade to OpenSSH version 9.9p2 or higher.
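Because exposure to CVE-2025-26465 hinges on the VerifyHostKeyDNS caveat above, a fleet audit needs the effective value per destination, not just a grep. The following is an added example, not OpenSSH code or anything from the advisory: it applies ssh_config's first-obtained-value-wins rule and Host pattern matching, and, as a labelled assumption, skips Match blocks rather than evaluating their criteria.

```python
"""Report the effective VerifyHostKeyDNS value for a destination host by applying
ssh_config's first-obtained-value-wins rule and Host patterns. Constructed example,
not OpenSSH code or the advisory's; Match blocks are skipped (an assumption)."""
from fnmatch import fnmatchcase

EXPOSED_VALUES = {"yes", "ask"}  # values the advisory says make the client vulnerable

def parse_ssh_config(text):
    """Return (host_patterns, keyword, value) in file order; pre-Host lines apply to '*'."""
    entries, patterns, in_match = [], ["*"], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "host":
            patterns, in_match = value.split(), False
        elif keyword == "match":
            in_match = True  # assumption: Match criteria are not evaluated here
        elif not in_match:
            entries.append((patterns, keyword, value))
    return entries

def host_matches(hostname, patterns):
    """ssh_config Host semantics: a negated pattern match vetoes, else any positive match."""
    hostname = hostname.lower()
    negated = [p[1:].lower() for p in patterns if p.startswith("!")]
    positive = [p.lower() for p in patterns if not p.startswith("!")]
    if any(fnmatchcase(hostname, n) for n in negated):
        return False
    return any(fnmatchcase(hostname, p) for p in positive)

def effective_verify_host_key_dns(config_text, hostname):
    """First matching VerifyHostKeyDNS wins; OpenSSH's compiled-in default is 'no'."""
    for patterns, keyword, value in parse_ssh_config(config_text):
        if keyword == "verifyhostkeydns" and host_matches(hostname, patterns):
            return value.lower()
    return "no"

# Constructed sample ~/.ssh/config: only *.example.com and "bastion" are exposed.
SAMPLE_CONFIG = """\
Host *.example.com
    VerifyHostKeyDNS ask
Host bastion
    VerifyHostKeyDNS yes
Host *
    VerifyHostKeyDNS no
"""
```

Run it against both the user file and the system-wide ssh_config, since OpenSSH reads the user file first and the earliest matching directive wins across the two.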

 

Citrix NetScaler Console Privilege Escalation Vulnerability

Citrix Cloud Software Group recently disclosed a high-severity privilege escalation vulnerability in NetScaler Console and NetScaler Console Agent. The vulnerability, tracked as CVE-2024-12284, allows an authenticated threat actor to execute commands without additional authorization. The following versions are affected:

  • NetScaler Console & NetScaler Agent 14.1 before 14.1-38.53
  • NetScaler Console & NetScaler Agent 13.1 before 13.1-56.18

Administrators are strongly encouraged to upgrade to the following builds:

  • NetScaler Console & NetScaler Agent 14.1-38.53 and later releases
  • NetScaler Console & NetScaler Agent 13.1-56.18 and later releases

 


 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 



NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.