A group of cybercriminals has been compromising business networks for the past two months and deploying a new ransomware program that researchers have dubbed CACTUS. In the attacks observed so far, the attackers gained access by exploiting known vulnerabilities in VPN appliances, moved laterally to other systems, and deployed legitimate remote monitoring and management (RMM) tools to maintain persistence on the network.
“The name ‘CACTUS’ is derived from the filename provided in the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” Kroll Cyber Threat Intelligence researchers said in a new report. “Encrypted files are appended with .cts1, although Kroll notes that the number at the end of the extension has been observed to vary by incident and victim. Kroll has observed exfiltration of sensitive data and extortion of victims through the known peer-to-peer messaging service Tox, but at the time of analysis no known victim leak site was identified.”
CACTUS initial intrusion and lateral movement
In all of the cases investigated by Kroll, the attackers first gained access through a VPN appliance using a VPN service account, then deployed an SSH backdoor that connected back to their command-and-control (C2) server and was kept running by a scheduled task.
This activity was immediately followed by a network scan using a commercial Windows network scanner made by the Australian company SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and to extract user account names from the Windows Security event log. A PowerShell-based network scanning script called PSnmap.ps1 has also been observed in some cases.
The group then dumps credentials from LSASS and searches local files for stored passwords, looking for accounts that would let it reach other systems over Remote Desktop Protocol (RDP) and by other means. To maintain persistence on compromised systems, the attackers deploy RMM tools such as Splashtop, AnyDesk and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy. Abuse of legitimate RMM tools is a common technique among threat actors because the software is signed, widely deployed and rarely blocked.
“Chisel helps tunnel traffic through firewalls to provide covert communications to the threat actor’s C2 and is likely used to introduce additional scripts and tools to the endpoint,” Kroll researchers said. One such script uses the Windows msiexec tool to attempt to uninstall common antivirus products. In one case, the attackers even used Bitdefender’s own uninstall tool.
CACTUS ransomware deployment
Once the group has identified systems holding sensitive data, it uses the Rclone tool to exfiltrate that data to cloud storage accounts and then prepares to deploy the ransomware. For this it uses a script called TotalExec.ps1, which has also been used by the operators of the Black Basta ransomware.
First, the attackers run a batch script named f1.bat that creates a new administrator account on the system and adds a second script, f2.bat, to the system’s autorun list. f2.bat extracts the ransomware binary from a 7-Zip archive and executes it with a series of flags. The PsExec tool is also used to execute the binary on remote systems.
The ransomware binary has three execution modes, selected by the flags passed to it: setup, configuration read, and encryption. In setup mode it writes a file called C:\ProgramData\ntuser.dat that holds the ransomware’s encrypted configuration data, and it creates a scheduled task that runs the ransomware.
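Each of the persistence and deployment steps described above (a new local administrator account, a Run-key autorun entry, msiexec used to uninstall security software, RMM clients, a PsExec service, a scheduled task) leaves a Windows event behind. The following Go program is an added example written for this page, not code from the Kroll report or from the ransomware: it applies simple detection rules to a handful of constructed event records. Field names follow the Windows event schema (TargetUserName, MemberName, CommandLine, NewProcessName, TaskName, ServiceName, ImagePath, TargetObject), and the event IDs are the standard ones (Security 4720, 4732, 4688, 4698; System 7045; Sysmon 13), but the account name, paths and product code in the sample records are invented.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a minimal stand-in for a Windows Security, System or Sysmon record.
// Field names follow the Windows event schema (TargetUserName, CommandLine, ...).
// Mixing the three logs' IDs in one stream is a simplification for this example.
type Event struct {
	ID     int
	Fields map[string]string
}

var (
	// msiexec run with an uninstall switch; the report describes msiexec being
	// used to remove antivirus products.
	msiUninstall = regexp.MustCompile(`(?i)msiexec(\.exe)?\b.*\s(/x|/uninstall)\b`)
	// RMM clients named in the report. Legitimate in many environments, so this
	// is an informational hit to be suppressed where the tool is sanctioned.
	rmmTools = regexp.MustCompile(`(?i)\\(AnyDesk|Splashtop\w*|SuperOps\w*)\.exe$`)
	// Per-machine or per-user Run key, the classic autorun location.
	runKey = regexp.MustCompile(`(?i)\\CurrentVersion\\Run\\`)
)

// detect walks the events in order and returns one alert line per match.
func detect(events []Event) []string {
	var alerts []string
	created := map[string]bool{} // local accounts created earlier in the stream
	for _, e := range events {
		f := e.Fields
		switch e.ID {
		case 4720: // Security: a user account was created
			created[strings.ToLower(f["TargetUserName"])] = true
		case 4732: // Security: a member was added to a security-enabled local group
			if !strings.EqualFold(f["TargetUserName"], "Administrators") {
				continue
			}
			member := strings.ToLower(f["MemberName"]) // e.g. WS01\svcbackup2
			if i := strings.LastIndex(member, `\`); i >= 0 {
				member = member[i+1:]
			}
			if created[member] { // the f1.bat pattern: create, then elevate
				alerts = append(alerts, "HIGH new local account "+member+" added to Administrators")
			}
		case 4688: // Security: a new process has been created
			if msiUninstall.MatchString(f["CommandLine"]) {
				alerts = append(alerts, "HIGH msiexec uninstall: "+f["CommandLine"])
			}
			if rmmTools.MatchString(f["NewProcessName"]) {
				alerts = append(alerts, "INFO RMM tool started: "+f["NewProcessName"])
			}
		case 4698: // Security: a scheduled task was created
			alerts = append(alerts, "MEDIUM scheduled task created: "+f["TaskName"])
		case 7045: // System: a service was installed
			if strings.EqualFold(f["ServiceName"], "PSEXESVC") {
				alerts = append(alerts, "HIGH PsExec service installed from "+f["ImagePath"])
			}
		case 13: // Sysmon: registry value set
			if runKey.MatchString(f["TargetObject"]) {
				alerts = append(alerts, "MEDIUM Run-key autorun: "+f["TargetObject"]+" = "+f["Details"])
			}
		}
	}
	return alerts
}

// sampleEvents is constructed for this example (not captured from an incident)
// and exercises each rule once, plus one benign process start.
var sampleEvents = []Event{
	{ID: 4720, Fields: map[string]string{"TargetUserName": "svcbackup2"}},
	{ID: 4732, Fields: map[string]string{"TargetUserName": "Administrators", "MemberName": `WS01\svcbackup2`}},
	{ID: 13, Fields: map[string]string{"TargetObject": `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f2`, "Details": `C:\ProgramData\f2.bat`}},
	{ID: 4688, Fields: map[string]string{"NewProcessName": `C:\Windows\System32\msiexec.exe`, "CommandLine": `msiexec.exe /x {00000000-0000-0000-0000-000000000000} /qn`}},
	{ID: 4688, Fields: map[string]string{"NewProcessName": `C:\Program Files (x86)\AnyDesk\AnyDesk.exe`, "CommandLine": `AnyDesk.exe --service`}},
	{ID: 4698, Fields: map[string]string{"TaskName": `\Updater`}},
	{ID: 7045, Fields: map[string]string{"ServiceName": "PSEXESVC", "ImagePath": `%SystemRoot%\PSEXESVC.exe`}},
	{ID: 4688, Fields: map[string]string{"NewProcessName": `C:\Windows\System32\notepad.exe`, "CommandLine": `notepad.exe notes.txt`}},
}

func main() {
	for _, a := range detect(sampleEvents) {
		fmt.Println(a)
	}
}
```

The account rule is the only stateful one: a 4732 event for the Administrators group is common on its own, but it is far more interesting when the member was created moments earlier, which is exactly what f1.bat does. In production these rules would run over Security and System events collected centrally plus Sysmon registry telemetry, and the RMM rule would carry an allow-list for whichever client the organisation actually uses.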
When run with the encryption flag, the binary extracts and decrypts a hard-coded RSA public key. It then generates AES keys for file encryption and encrypts those keys with the RSA public key. The process uses the envelope (EVP) routines of the OpenSSL library, so each encrypted file also carries the encrypted AES key that was used to encrypt it. Recovering that AES key requires the RSA private key, which only the attackers hold.
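To make the hybrid (envelope) scheme concrete, here is an added Go example written for this page; it is not code from the Kroll report or from the ransomware. A random per-file AES-256-GCM key encrypts the file, the key is wrapped with an RSA public key (RSA-OAEP with SHA-256) and stored next to the ciphertext, and the only way back to the key is the matching private key. The on-disk layout, the choice of GCM and OAEP, and the 2048-bit key size are choices for this example, not a description of CACTUS’s actual file format or cipher modes (the article only establishes RSA-wrapped AES keys via OpenSSL’s envelope routines).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sealFile encrypts plaintext under a fresh random AES-256-GCM key and wraps that
// key with the RSA public key (RSA-OAEP/SHA-256). The envelope layout is chosen
// for this example and is not a description of any real ransomware's file format:
//   uint16 BE wrapped-key length | wrapped key | 12-byte nonce | GCM ciphertext+tag
func sealFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, nil)) // the raw fileKey itself is never written out
	return out.Bytes(), nil
}

// openFile reverses sealFile. It fails if priv does not match the key that wrapped
// the file key, or if any byte of the ciphertext or tag was modified.
func openFile(priv *rsa.PrivateKey, envelope []byte) ([]byte, error) {
	if len(envelope) < 2 || len(envelope) < 14+int(binary.BigEndian.Uint16(envelope[:2])) {
		return nil, fmt.Errorf("envelope too short (%d bytes)", len(envelope))
	}
	n := int(binary.BigEndian.Uint16(envelope[:2]))
	wrapped, nonce, ct := envelope[2:2+n], envelope[2+n:14+n], envelope[14+n:]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// roundTrip seals msg under a fresh "operator" key pair and reports what a defender
// cares about: only the matching private key recovers the file, and tampering is detected.
func roundTrip(msg []byte) (recovered []byte, wrongKeyRejected, tamperRejected bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the attackers' key pair
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return
	}
	env, err := sealFile(&operator.PublicKey, msg)
	if err != nil {
		return
	}
	if recovered, err = openFile(operator, env); err != nil {
		return
	}
	_, wrongErr := openFile(other, env)
	tampered := append([]byte(nil), env...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, tamperErr := openFile(operator, tampered)
	return recovered, wrongErr != nil, tamperErr != nil, nil
}

func main() {
	rec, wrong, tamper, err := roundTrip([]byte("constructed sample: payroll.xlsx"))
	fmt.Printf("recovered=%q wrongKeyRejected=%v tamperRejected=%v err=%v\n", rec, wrong, tamper, err)
}
```

The point for defenders is in roundTrip: once the raw AES key is discarded after sealing, the RSA-wrapped copy is the only route back to the data, and no amount of work on the encrypted file helps without the private key. That is why the recovery advice at the end of the article centres on isolated backups rather than on key recovery.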
The Kroll report includes a breakdown of tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework, along with indicators of compromise. The researchers recommend keeping public-facing systems such as VPN appliances up to date, implementing password managers and two-factor authentication, monitoring and logging PowerShell execution, auditing administrator and service accounts, implementing the principle of least privilege, and reviewing backup strategies so that they include at least one backup isolated from the enterprise network.
Copyright © 2023 IDG Communications, Inc.
Security researchers have documented a new kind of ransomware known as CACTUS, which shows how sophisticated ransomware operations have become. After breaking in through vulnerable VPN appliances, the CACTUS operators install legitimate remote management tools to keep persistent access inside victim networks, and they steal data before encrypting it so that victims can be extorted.
The ransomware uses multiple layers of encryption: its own configuration is stored encrypted on disk, and every file is encrypted with an AES key that is in turn encrypted with the attackers’ RSA public key, so files cannot be recovered without the attackers’ private key. The operators also install the remote management tools mentioned above to maintain persistence.
Because it establishes persistent, encrypted access, CACTUS poses a serious threat. The ransomware was documented by researchers at Kroll. Ikaroa, a full-stack tech company dedicated to offering a high level of security protection for enterprises, advises enterprises to ensure that security patches for their VPN appliances, remote management tools and other business systems are up to date, and that their networks are properly configured and monitored.
Ikaroa’s security solutions can help organisations address the threat of CACTUS. Through regular and thorough scans, Ikaroa can detect potential signs of CACTUS, then alert on it or block it before the encryption stage runs.
Finally, organisations should review their security policies and ensure that all security measures are up to date, as CACTUS is an evolving threat that requires constant vigilance. It is harder to eradicate than the average ransomware because its operators keep several footholds at once: RMM tools, an SSH backdoor, scheduled tasks and a proxy tunnel back to their command-and-control server.
Organisations interested in protecting their networks against CACTUS, and against any other ransomware attack, should contact Ikaroa and take advantage of our comprehensive security solutions. Our qualified security experts can provide the security systems and services needed to keep a business safe and secure.