The CACTUS cybercriminal group targets VPN appliances for initial access and to install a backdoor.

A cybercriminal group has been compromising enterprise networks for the past two months and has been deploying a new ransomware program that researchers dubbed CACTUS. In the attacks seen so far the attackers gained access by exploiting known vulnerabilities in VPN appliances, moved laterally to other systems, and deployed legitimate remote monitoring and management (RMM) tools to achieve persistence on the network.

“The name ‘CACTUS’ is derived from the filename provided within the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” researchers with Kroll Cyber Threat Intelligence said in a new report. “Encrypted files are appended with .cts1, although Kroll notes the number at the end of the extension has been observed to vary across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service known as Tox, but a known victim leak site was not identified at the time of analysis.”

CACTUS initial intrusion and lateral movement

In all the cases investigated by Kroll, the attackers gained their initial foothold on a VPN appliance using a service account and then deployed an SSH backdoor that connected back to their command-and-control (C2) server and was executed via a scheduled task.

This activity was immediately followed by network reconnaissance using a commercial Windows network scanner made by an Australian company called SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log. Another PowerShell-based network scanning script called PSnmap.ps1 has also been observed in some cases.
The group then dumps LSASS credentials and searches for local files that might contain passwords to identify accounts that could allow them to jump to other systems via remote desktop protocol (RDP) and other methods. To maintain persistence on the systems they compromised, the attackers deploy RMM tools like Splashtop, AnyDesk, and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy. The abuse of legitimate RMM tools is a common technique among threat actors.

“Chisel assists with tunneling traffic through firewalls to provide hidden communications to the threat actor’s C2 and is likely used to pull additional scripts and tooling onto the endpoint,” the Kroll researchers said. One such script uses the Windows msiexec tool to attempt to uninstall common antivirus programs. In one case the attackers even used the Bitdefender uninstall tool.

CACTUS ransomware deployment

Once the group has identified systems with sensitive data, it uses the Rclone tool to exfiltrate the information to cloud storage accounts and prepares to deploy the ransomware program. To do this it leverages a script called TotalExec.ps1 that has also been used by the cybercriminals behind the BlackBasta ransomware.

First, the attackers deploy a batch script called f1.bat that creates a new admin user account on the system and adds a secondary script called f2.bat to the system’s autorun list. This script extracts the ransomware binary from a 7zip archive and executes it with a series of flags. The PsExec tool is also used to execute the binary on remote systems.

The ransomware binary has three execution modes based on the flags passed to it: setup, configuration and encryption. In setup mode it creates a file called C:\ProgramData\ntuser.dat that is filled with encrypted configuration data for the ransomware. It then creates a scheduled task that executes the ransomware.

When executed with the encryption flag, the ransomware binary will extract and decrypt a hardcoded RSA public key.
It then starts generating AES keys for file encryption, and those keys are in turn encrypted with the RSA public key. The process leverages the Envelope implementation from the OpenSSL library, meaning the resulting encrypted file also contains the encrypted AES key that was used to encrypt the file. To recover the AES key, the user needs the private RSA key, which is in the attackers’ hands.

The Kroll report includes a breakdown of tactics, techniques, and procedures (TTPs) according to the MITRE ATT&CK framework, along with indicators of compromise. The researchers recommend keeping publicly facing systems, such as VPN appliances, up to date; implementing password managers and two-factor authentication; monitoring systems for PowerShell execution and logging its use; auditing administrator and service accounts; implementing the principle of least privilege; and reviewing backup strategies to include at least one backup that is isolated from the enterprise network.
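The recommendations above hinge on logging and reviewing process activity. As an added illustration (my own code, not from the Kroll report or the article), the following turns the script and tool names the article lists into simple detection rules and runs them over process-creation telemetry, then flags hosts where several stages of the described chain fire together. The JSON event format, the regexes and the sample log lines are constructed for this example and would need tuning for a real environment.

```python
import json
import re

# Detection rules keyed to the CACTUS tradecraft described in the article.
# Script/tool names come from the text; the regexes are my own construction.
RULES = {
    "cactus_script_name": re.compile(r"\b(PSnmap\.ps1|TotalExec\.ps1|f[12]\.bat)\b", re.I),
    "rmm_or_tunnel_tool": re.compile(r"\b(chisel|anydesk|splashtop|superops)\b", re.I),
    "rclone_exfil": re.compile(r"\brclone(\.exe)?\b", re.I),
    "msiexec_uninstall": re.compile(r"\bmsiexec(\.exe)?\b.*\s/(x|uninstall)\b", re.I),
    "scheduled_task_create": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "remote_exec_psexec": re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I),
}

# Constructed sample process-creation events (JSON lines); not real telemetry.
SAMPLE_LOG = r"""
{"host": "ws-17", "user": "svc_vpn", "cmd": "powershell.exe -ep bypass -File C:\\temp\\PSnmap.ps1"}
{"host": "ws-17", "user": "svc_vpn", "cmd": "schtasks.exe /create /tn Updater /tr C:\\temp\\run.exe /sc onstart"}
{"host": "fs-02", "user": "backup", "cmd": "C:\\tools\\rclone.exe copy D:\\Finance remote:bucket"}
{"host": "fs-02", "user": "backup", "cmd": "msiexec.exe /x {GUID-PLACEHOLDER} /qn"}
{"host": "dc-01", "user": "admin", "cmd": "psexec.exe \\\\ws-17 -s cmd /c C:\\temp\\f2.bat"}
{"host": "ws-03", "user": "alice", "cmd": "msiexec.exe /i C:\\Users\\alice\\Downloads\\zoom.msi /qn"}
{"host": "ws-03", "user": "alice", "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"}
"""


def scan(log_text):
    """Return (host, user, rule) triples for every event whose command line matches a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for name, pattern in RULES.items():
            if pattern.search(event["cmd"]):
                hits.append((event["host"], event["user"], name))
    return hits


def suspicious_hosts(hits, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired, i.e. several
    stages of the chain (recon, persistence, AV removal, exfil, remote exec)."""
    rules_per_host = {}
    for host, _, rule in hits:
        rules_per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print("%s  user=%s  rule=%s" % hit)
    print("hosts with multiple stages:", suspicious_hosts(found))
```

Single hits such as an ordinary msiexec install or an inventory script produce no alert; the per-host correlation is what separates benign administration from the chained activity the article describes.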