New ransomware group CACTUS abuses remote management tools for persistence

A group of cybercriminals has been compromising business networks for the past two months and has been deploying a new ransomware program that researchers have dubbed CACTUS. In the attacks observed so far, attackers gained access by exploiting known vulnerabilities in VPN devices, laterally moved to other systems, and deployed legitimate remote monitoring and management (RMM) tools to achieve network persistence.

“The name ‘CACTUS’ is derived from the filename provided in the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” Kroll Cyber Threat Intelligence researchers said in a new report. “Encrypted files are appended with .cts1, although Kroll notes that the number at the end of the extension has been observed to vary by incident and victim. Kroll has observed exfiltration of sensitive data and extortion of victims through the known peer-to-peer messaging service Tox, but at the time of analysis no known victim leak site was identified.”

CACTUS initial intrusion and lateral movement

In all of the cases investigated by Kroll, the attackers initially accessed a VPN device using a service account and then deployed an SSH backdoor that connected back to their command and control (C2) server and was executed by a scheduled task.

This activity was immediately followed by a network scan using a commercial Windows network scanner made by an Australian company called SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security Event Log. Another PowerShell-based network scanning script called PSnmap.ps1 has also been observed in some cases.

The group then dumps the LSASS credentials and looks for local files that might contain passwords to identify accounts that would allow them to break into other systems using Remote Desktop Protocol (RDP) and other methods. To maintain persistence on compromised systems, attackers deploy RMM tools such as Splashtop, AnyDesk, and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy. Abuse of legitimate RMM tools is a common technique among threat actors.

“Chisel helps tunnel traffic through firewalls to provide covert communications to the threat actor’s C2 and is likely used to introduce additional scripts and tools to the endpoint,” Kroll researchers said. One such script uses the Windows msiexec tool to attempt to uninstall common antivirus programs. In one case, the attackers even used Bitdefender’s uninstall tool.
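The tradecraft described in the preceding paragraphs (an SSH backdoor kept alive by a scheduled task, RMM agents on hosts that should not have them, Chisel in client mode, and msiexec used to remove security software) can be turned into simple detection rules over process-creation telemetry. The script below is an added example and is not code from Kroll or from the article; the log line format, host names, allowlist and every sample event are constructed, and the executable names used for Splashtop and SuperOps are assumptions to be checked against your own software inventory.

```python
"""Added example (not from the Kroll report or the article): rule-based triage
of process-creation log lines for the CACTUS tradecraft described above.
The log format, host names and every sample line are constructed."""
import re
from dataclasses import dataclass

# Constructed format: "<ts> host=<h> user=<u> parent=<p> image=<path> cmd=<cmdline>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) "
    r"image=(?P<image>.+?) cmd=(?P<cmd>.*)$"
)

# Executable names for the RMM tools the article names. AnyDesk's is real; the
# other two are assumptions for this example, so verify them locally.
RMM_IMAGES = {"anydesk.exe", "splashtop_streamer.exe", "superops.exe"}
# Product-name fragments for the msiexec rule (deliberately incomplete).
AV_HINTS = ("bitdefender", "sophos", "eset", "mcafee", "crowdstrike")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse(line):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["image_name"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev["cmd_l"] = ev["cmd"].lower()
    return ev


def evaluate(ev, rmm_allowlist):
    """Apply the four rules to one parsed event. rmm_allowlist maps an RMM
    image name to the set of hosts where that agent is sanctioned."""
    out = []
    img, cmd, host = ev["image_name"], ev["cmd_l"], ev["host"]
    # Rule 1: a scheduled task whose action is an ssh client (backdoor persistence).
    if img == "schtasks.exe" and "/create" in cmd and re.search(r"\bssh(\.exe)?\b", cmd):
        out.append(Finding(host, "sched_task_ssh", ev["cmd"]))
    # Rule 2: an RMM agent running on a host where it is not expected.
    if img in RMM_IMAGES and host not in rmm_allowlist.get(img, set()):
        out.append(Finding(host, "unexpected_rmm", img))
    # Rule 3: msiexec removing a security product (/x or /uninstall).
    # Caveat: an uninstall that names the product by GUID will not match the hints.
    if (img == "msiexec.exe" and re.search(r"(^|\s)/(x|uninstall)\b", cmd)
            and any(h in cmd for h in AV_HINTS)):
        out.append(Finding(host, "av_uninstall", ev["cmd"]))
    # Rule 4: Chisel started in client mode (tunnel back to C2).
    if img == "chisel.exe" or ("chisel" in cmd and re.search(r"\bclient\b", cmd)):
        out.append(Finding(host, "chisel_client", ev["cmd"]))
    return out


def triage(log_text, rmm_allowlist):
    """Parse every line and collect findings in log order; unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            findings.extend(evaluate(ev, rmm_allowlist))
    return findings


# Constructed sample events; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = r"""
2023-05-01T02:14:07Z host=FS01 user=CORP\svc_vpn parent=cmd.exe image=C:\Windows\System32\schtasks.exe cmd=schtasks /create /tn Updater /tr "C:\Users\Public\ssh.exe [args redacted]" /sc minute /mo 5
2023-05-01T02:20:33Z host=FS01 user=CORP\svc_vpn parent=powershell.exe image=C:\Temp\chisel.exe cmd=chisel.exe client 203.0.113.10:8080 [args redacted]
2023-05-01T03:01:12Z host=WS17 user=CORP\jdoe parent=explorer.exe image=C:\Program Files\AnyDesk\AnyDesk.exe cmd=AnyDesk.exe
2023-05-01T03:05:40Z host=WS17 user=CORP\jdoe parent=cmd.exe image=C:\Windows\System32\msiexec.exe cmd=msiexec /x "Bitdefender Endpoint Security Tools" /qn
2023-05-01T09:30:00Z host=HELPDESK01 user=CORP\admin parent=explorer.exe image=C:\Program Files\AnyDesk\AnyDesk.exe cmd=AnyDesk.exe
2023-05-01T09:45:00Z host=WS17 user=CORP\jdoe parent=explorer.exe image=C:\Windows\notepad.exe cmd=notepad.exe report.txt
"""
# Constructed allowlist: AnyDesk is sanctioned only on the help-desk host.
RMM_ALLOWLIST = {"anydesk.exe": {"HELPDESK01"}}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, RMM_ALLOWLIST):
        print(f"{f.host:<11} {f.rule:<16} {f.detail}")
```

Run against the constructed log, the script flags the scheduled-task SSH backdoor and the Chisel client on FS01 and the unexpected AnyDesk agent and the Bitdefender removal on WS17, while the sanctioned AnyDesk instance on HELPDESK01 stays quiet. The allowlist is the important design choice: because the tools themselves are legitimate, the signal is an RMM agent appearing on a host where nobody provisioned it, not the agent's presence as such.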

Copyright © 2023 IDG Communications, Inc.

A new kind of ransomware known as CACTUS has been discovered by security researchers, demonstrating the sophisticated nature of ransomware today. CACTUS exploits the vulnerability of remote management tools to achieve persistence inside vulnerable networks, potentially allowing it to silently amass large sums of money.

The new ransomware uses extensive anti-analysis capabilities and incorporates multiple layers of encryption to prevent any possible connection to the C&C, or Command and Control, server. It is also able to detect and manipulate the aforementioned remote management tools to achieve persistence.

Due to its ability to establish persistent, encrypted access, CACTUS poses a huge threat. The ransomware was discovered by researchers at Ikaroa, a full-stack tech company that is dedicated to offering the highest level of security protections for enterprises. Ikaroa’s experts have advised enterprises to ensure that all security patches for their remote management tools and other business systems are up to date, as well as making sure their networks are properly configured and monitored.

Ikaroa’s security solutions can offer organisations the protection they need to address the threats of CACTUS. Through regular and thorough scans, Ikaroa can detect any potential signs of CACTUS, then alert and/or block it before it can execute its attack.

Finally, organisations should review their security policies and ensure that all security measures are up-to-date, as CACTUS is an ever-evolving threat that requires constant vigilance. This ransomware is even more dangerous and difficult to get rid of than the average ransomware attack due to its ability to access the command and control server.

Organisations that are interested in protecting their networks against CACTUS, and any other ransomware attack, should contact Ikaroa and take advantage of our comprehensive security solutions. Our qualified security experts can provide the best security systems and services to keep any business safe and secure.

