The CACTUS cybercriminal group targets VPN appliances for initial access and to install a backdoor.

A cybercriminal group has been compromising enterprise networks for the past two months and deploying a new ransomware program that researchers have dubbed CACTUS. In the attacks seen so far, the attackers gained access by exploiting known vulnerabilities in VPN appliances, moved laterally to other systems, and deployed legitimate remote monitoring and management (RMM) tools to maintain persistence on the network.

“The name ‘CACTUS’ is derived from the filename provided within the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” researchers with Kroll Cyber Threat Intelligence said in a new report. “Encrypted files are appended with .cts1, although Kroll notes the number at the end of the extension has been observed to vary across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service known as Tox, but a known victim leak site was not identified at the time of analysis.”

CACTUS initial intrusion and lateral movement

In all the cases investigated by Kroll, the attackers gained their initial foothold on a VPN appliance using a service account and then deployed an SSH backdoor that connected back to their command-and-control (C2) server and was executed via a scheduled task.

This activity was immediately followed by network reconnaissance using a commercial Windows network scanner made by the Australian company SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log. A PowerShell-based network scanning script called PSnmap.ps1 has also been observed in some cases.
The group then dumps LSASS credentials and searches local files that might contain passwords, looking for accounts that would let it jump to other systems via Remote Desktop Protocol (RDP) and other methods. To maintain persistence on the systems they compromise, the attackers deploy RMM tools such as Splashtop, AnyDesk, and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy. Abuse of legitimate RMM tools is a common technique among threat actors.

“Chisel assists with tunneling traffic through firewalls to provide hidden communications to the threat actor’s C2 and is likely used to pull additional scripts and tooling onto the endpoint,” the Kroll researchers said. One such script uses the Windows msiexec tool to attempt to uninstall common antivirus programs. In one case the attackers even used the Bitdefender uninstall tool.

CACTUS ransomware deployment

Once the group has identified systems holding sensitive data, it uses the Rclone tool to exfiltrate the information to cloud storage accounts and prepares to deploy the ransomware. For this it leverages a script called TotalExec.ps1 that has also been used by the cybercriminals behind the BlackBasta ransomware.

First, the attackers deploy a batch script called f1.bat that creates a new admin user account on the system and adds a secondary script, f2.bat, to the system’s autorun list. That script extracts the ransomware binary from a 7zip archive and executes it with a series of flags. The PsExec tool is also used to execute the binary on remote systems.

The ransomware binary has three execution modes, selected by the flags passed to it: setup, configuration and encryption. In setup mode it creates a file called C:\ProgramData\ntuser.dat filled with encrypted configuration data for the ransomware, then creates a scheduled task that executes the ransomware.

When executed with the encryption flag, the ransomware binary extracts and decrypts a hardcoded RSA public key.
It then starts generating AES keys for file encryption, and those keys are in turn encrypted with the RSA public key. The process uses the envelope implementation from the OpenSSL library, so each encrypted file also contains the encrypted AES key that was used to encrypt it. Recovering the AES key requires the RSA private key, which only the attackers hold.

The Kroll report includes a breakdown of tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework, along with indicators of compromise. The researchers recommend keeping publicly facing systems such as VPN appliances up to date, implementing password managers and two-factor authentication, monitoring systems for PowerShell execution and logging its use, auditing administrator and service accounts, implementing the principle of least privilege, and reviewing backup strategies so that at least one backup is isolated from the enterprise network.
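As an added, illustrative example (not code from the article or from Kroll), the following Python script turns the deployment behaviours described above (new local admin accounts, scheduled task creation, msiexec-based uninstalls, PowerShell execution-policy bypass, Rclone use and the f1.bat/f2.bat stagers) into weighted detection rules over process-creation records, and flags the .cts<N> extension and ransom note name. The sample events, rule weights and alert threshold are assumptions constructed for the demonstration.

```python
import re

# Constructed sample process-creation records (Sysmon EID 1 / Security 4688
# style). The command lines are illustrative stand-ins, not report indicators.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": r"cmd.exe /c C:\ProgramData\f1.bat"},
    {"host": "WS01", "cmd": r"net user svc_upd P@ssw0rd! /add"},
    {"host": "WS01", "cmd": r"net localgroup Administrators svc_upd /add"},
    {"host": "WS01", "cmd": r"schtasks /create /tn Updates /tr C:\ProgramData\upd.exe /sc onstart /ru SYSTEM"},
    {"host": "WS01", "cmd": r"msiexec.exe /x {PLACEHOLDER-PRODUCT-GUID} /qn"},
    {"host": "WS01", "cmd": r"powershell.exe -ep bypass -File C:\ProgramData\TotalExec.ps1"},
    {"host": "FS02", "cmd": r"rclone.exe copy D:\Shares\Finance remote:bucket"},
    {"host": "FS02", "cmd": r"explorer.exe"},
]

# One rule per behaviour in the article: (pattern, weight). Weights and the alert
# threshold are an assumed analyst judgement, not values from the report.
RULES = {
    "local_account_added":   (re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I), 2),
    "added_to_admins":       (re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I), 3),
    "scheduled_task_create": (re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I), 2),
    "msiexec_uninstall":     (re.compile(r"\bmsiexec(\.exe)?\s+/x\b", re.I), 2),
    "powershell_bypass":     (re.compile(r"\bpowershell(\.exe)?\b.*\s-e(xecutionpolicy|p)\s+bypass\b", re.I), 2),
    "rclone_exfil":          (re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I), 4),
    "batch_stager":          (re.compile(r"\bf[12]\.bat\b", re.I), 1),
}
ALERT_THRESHOLD = 4  # Rclone alone, or any two lesser behaviours together, alerts.

# Encrypted-file extension (.cts<N>, N varies per incident) and the ransom note name.
CACTUS_ARTIFACT = re.compile(r"(\.cts\d+|cactus\.readme\.txt)$", re.I)

def match_rules(cmd):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, (pat, _) in RULES.items() if pat.search(cmd)]

def score_hosts(events):
    """Per host: (sum of weights of DISTINCT rules hit, sorted rule names); a repeated command cannot inflate the score."""
    hits = {}
    for ev in events:
        hits.setdefault(ev["host"], set()).update(match_rules(ev["cmd"]))
    return {h: (sum(RULES[n][1] for n in names), sorted(names)) for h, names in hits.items()}

def alerting_hosts(events):
    """Hosts whose combined behaviour score reaches the alert threshold."""
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= ALERT_THRESHOLD)

def is_cactus_artifact(path):
    """True for a .cts<N> encrypted file or the cAcTuS.readme.txt ransom note."""
    return bool(CACTUS_ARTIFACT.search(path))
```

Scoring distinct behaviours per host rather than single events is what lets ordinary admin actions (one scheduled task, one new account) stay below the threshold while the combination the article describes rises above it.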