CISA and FBI issue advisory on the Ghost ransomware.

Summary

By the CyberWire staff

At a glance.

CISA and FBI issue advisory on the Ghost ransomware.
NailaoLocker ransomware targets European healthcare organizations.
Thailand will take in thousands of people rescued from Myanmar scam compounds.

CISA and FBI issue advisory on the Ghost ransomware.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory on the Ghost ransomware. The ransomware's operators, which are based in China, have compromised organizations in more than seventy countries (including China). Victims have included "critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses."

The threat actors gain initial access via flaws affecting unpatched internet-facing servers, including "vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain)."

Enhance Your Network Security with Zero Trust!

IT pros, are you ready to fortify your defenses? Discover ThreatLocker® Network Control, a powerful Zero Trust host-based firewall with dynamic ACLs. Gain full visibility, granular control, and advanced filtering to secure your network like never before. Learn how to stop breaches, implement microsegmentation, and integrate seamlessly with the ThreatLocker Platform. Download the whitepaper now and get the insights you need to enhance your organization’s defenses!

NailaoLocker ransomware targets European healthcare organizations.

Orange Cyberdefense has published a report on a relatively new strain of ransomware dubbed "NailaoLocker" that targeted European healthcare organizations between June and October 2024. The intrusions involved ShadowPad and PlugX, two strains of malware frequently used by Chinese espionage actors. The researchers note the possibility that an individual or group with access to Chinese espionage tools is moonlighting as a ransomware actor for financial gain. Symantec recently observed a similar operation involving the RA World ransomware.

The researchers believe initial access was achieved via exploitation of CVE-2024-24919, a vulnerability affecting Check Point Security Gateways that received a patch in May 2024. The NailaoLocker ransomware itself is "unsophisticated and poorly designed, seemingly not intended to guarantee full encryption."

Many Voices. One Community.

Join Us at the RSAC 2025 Conference. Join us at RSAC, April 28 - May 1 in San Francisco and gain access to cybersecurity innovators, expert-led sessions, and hands-on workshops. Leave with new strategies, insights, and connections to elevate your cybersecurity journey.

Thailand will take in thousands of people rescued from Myanmar scam compounds.

Thailand will take in 7,000 people rescued from scam call centers in Myanmar, the Record reports. Most of the individuals are from China, Thailand, Vietnam, and other Southeast Asian countries, and were essentially slaves tricked into traveling to Myanmar under false promises of employment.

Organized criminal gangs set up compounds in the area following Myanmar's coup in 2021 and used them as bases to launch various online scams against victims around the world, causing billions of dollars in losses. China and Thailand have been pressuring Myanmar to crack down on these networks, but regional instability has hampered the efforts.

Notes.

Today's issue includes events affecting China, Myanmar, Thailand, the United States, and Vietnam.

Selected Reading

Attacks, Threats, and Vulnerabilities

Two critical vulns lead to stolen MongoDB data, RCE (The Register) Bugs fixed, updating to the latest version is advisable

Salt Typhoon telecom breach remarkable for its ‘indiscriminate’ targeting, FBI official says (CyberScoop) Speaking at a conference presented by CyberScoop, Cynthia Kaiser said the impact of the breach could last forever.

Products, Services, and Solutions

NSA Added New Features to Supercharge Ghidra 11.3 (Cyber Security News) The National Security Agency (NSA) has unveiled Ghidra 11.3, a transformative update to its open-source Software Reverse Engineering (SRE) framework, delivering advanced debugging tools, accelerated emulation, and modernized integrations for cybersecurity professionals.

Legislation, Policy, and Regulation

Katie Arrington Returns to Pentagon as DoD CISO (GovInfoSecurity) The White House appointed a Trump ally and former Department of Defense cybersecurity official as DOD CISO, an unexpected return to the Pentagon for an official

Trump to nominate White House insider from first term to lead DOJ’s National Security Division (The Record) John Eisenberg, a legal adviser to the National Security Council during Donald Trump's first presidency, is expected to be the president's nominee to lead the National Security Division of the Department of Justice.

Litigation, Investigation, and Law Enforcement

Army soldier linked to Snowflake extortion to plead guilty (The Register) That's the way the cookie melts

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

Zero Trust World 2025 (Orlando, Florida, USA, Feb 19 - 21, 2025) Whether you’re Zero Trust curious, actively adopting, or simply want to harden your cybersecurity, Zero Trust World provides education and training to support IT professionals. Through thought leadership and hands-on hacking labs, you’ll explore the threat landscape and what’s possible by changing your defense strategy to default-deny.

The Business of Space Conference (Huntsville, Alabama, Feb 23 - 25, 2025) Engage with top academics, business leaders, innovators, and policy influencers working on the new space economy. Dive into keynote presentations and discussions that foster collaboration between researchers and space economy industry stakeholders. These conversations will present the latest insights into the new space economy and shape future academic and policy research.

Satellite 2025 (Washington, DC, USA, Mar 10 - 13, 2025) For 40+ years SATELLITE has gathered the global space and satellite communities for four immersive days of enterprise, insights, and innovation. This year, with the debut of GovMilSpace, SATELLITE expands its reach to address the needs and priorities of the defense sector.

GovMilSpace (Washington, DC, USA, Mar 10 - 13, 2025) Demystify the future of space technology. In alignment with the SATELLITE Conference & Exhibition, GovMilSpace brings together government and military agencies, the intelligence community, and satellite and space industry partners to explore how private industry can enhance critical missions for the U.S. and its global allies.

WICYS 2025 (Dallas and Virtual, Texas, USA, Apr 2 - 5, 2025) WiCyS 2025 is the go-to event for cybersecurity professionals, students, and organizations. The conference is the flagship event to recruit, retain and advance women in cybersecurity.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 02.20.25

At a glance.

CISA and FBI issue advisory on the Ghost ransomware.

NailaoLocker ransomware targets European healthcare organizations.

Thailand will take in thousands of people rescued from Myanmar scam compounds.

Notes.

Attacks, Threats, and Vulnerabilities

Products, Services, and Solutions

Legislation, Policy, and Regulation

Litigation, Investigation, and Law Enforcement

Events