The CACTUS cybercriminal group targets VPN appliances for initial access and to install a backdoor.

A cybercriminal group has been compromising enterprise networks for the past two months and deploying a new ransomware program that researchers have dubbed CACTUS. In the attacks seen so far, the attackers gained access by exploiting known vulnerabilities in VPN appliances, moved laterally to other systems, and deployed legitimate remote monitoring and management (RMM) tools to maintain persistence on the network.

“The name ‘CACTUS’ is derived from the filename provided within the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” researchers with Kroll Cyber Threat Intelligence said in a new report. “Encrypted files are appended with .cts1, although Kroll notes the number at the end of the extension has been observed to vary across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service known as Tox, but a known victim leak site was not identified at the time of analysis.”

CACTUS initial intrusion and lateral movement

In all the cases investigated by Kroll, the attackers gained their initial foothold on a VPN appliance using a service account and then deployed an SSH backdoor that connected back to their command-and-control (C2) server and was executed via a scheduled task. This activity was immediately followed by network reconnaissance using a commercial Windows network scanner made by an Australian company called SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log. Another PowerShell-based network scanning script, PSnmap.ps1, has also been observed in some cases.
The group then dumps LSASS credentials and searches local files that might contain passwords, looking for accounts that would let it reach other systems via the Remote Desktop Protocol (RDP) and other methods. To maintain persistence on the systems it compromises, the group deploys RMM tools such as Splashtop, AnyDesk, and SuperOps, as well as the Cobalt Strike implant or the Chisel SOCKS5 proxy. Abuse of legitimate RMM tools is a common technique among threat actors.

“Chisel assists with tunneling traffic through firewalls to provide hidden communications to the threat actor’s C2 and is likely used to pull additional scripts and tooling onto the endpoint,” the Kroll researchers said. One such script uses the Windows msiexec tool to attempt to uninstall common antivirus programs. In one case the attackers even used the Bitdefender uninstall tool.

CACTUS ransomware deployment

Once the group has identified systems with sensitive data, it uses the Rclone tool to exfiltrate the information to cloud storage accounts and prepares to deploy the ransomware. To do this it leverages a script called TotalExec.ps1 that has also been used by the cybercriminals behind the BlackBasta ransomware.

First, the attackers deploy a batch script called f1.bat that creates a new admin user account on the system and adds a secondary script called f2.bat to the system’s autorun list. This second script extracts the ransomware binary from a 7zip archive and executes it with a series of flags. The PsExec tool is also used to execute the binary on remote systems.

The ransomware binary has three execution modes, selected by the flags passed to it: setup, configuration, and encryption. In setup mode it creates a file called C:\ProgramData\ntuser.dat that is filled with encrypted configuration data for the ransomware. It then creates a scheduled task that executes the ransomware.
When executed with the encryption flag, the ransomware binary extracts and decrypts a hardcoded RSA public key. It then generates AES keys for file encryption, and those keys are in turn encrypted with the RSA public key. The process leverages the Envelope implementation from the OpenSSL library, meaning each encrypted file also contains the encrypted AES key that was used to encrypt it. To recover the AES key, the victim needs the private RSA key, which is in the attackers’ hands.

The Kroll report includes a breakdown of tactics, techniques, and procedures (TTPs) according to the MITRE ATT&CK framework, along with indicators of compromise. The researchers recommend keeping publicly facing systems, such as VPN appliances, up to date; implementing password managers and two-factor authentication; monitoring systems for PowerShell execution and logging its use; auditing administrator and service accounts; implementing the principle of least privilege; and reviewing backup strategies to include at least one backup that’s isolated from the enterprise network.
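The hybrid scheme described above, as an added example that is not part of the Kroll report or of the CACTUS code: every buffer gets a fresh AES key, that key is wrapped with an RSA public key, and the wrapped key travels inside the output, so recovery depends entirely on the RSA private key. It uses Ruby's OpenSSL bindings; the byte layout, the function names, and the AES-GCM and OAEP choices are this example's own assumptions, not the CACTUS format.

```ruby
require 'openssl'

KEY_LEN = 32  # AES-256 key
IV_LEN  = 12  # standard GCM nonce
TAG_LEN = 16  # GCM authentication tag
OAEP    = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Seal one buffer: a fresh random AES-256 key encrypts it with GCM, and that key is
# wrapped with the RSA public key (OAEP) and stored in front of the ciphertext, so
# each output carries its own wrapped key (assumed layout, not the CACTUS format):
#   [wrapped key, RSA modulus size][iv][tag][ciphertext]
def seal(pub, plaintext)
  file_key = OpenSSL::Random.random_bytes(KEY_LEN)
  iv       = OpenSSL::Random.random_bytes(IV_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = file_key
  cipher.iv  = iv
  ct = cipher.update(plaintext) + cipher.final
  pub.public_encrypt(file_key, OAEP) + iv + cipher.auth_tag + ct
end

# Open reverses seal. Unwrapping file_key needs the RSA private key, so the
# envelope alone is useless to anyone who does not hold it; a wrong key or a
# tampered byte raises instead of returning garbage.
def open_envelope(priv, env)
  n = priv.n.num_bytes  # wrapped-key length equals the RSA modulus size
  raise ArgumentError, 'envelope too short' if env.bytesize < n + IV_LEN + TAG_LEN
  file_key = priv.private_decrypt(env.byteslice(0, n), OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = file_key
  cipher.iv  = env.byteslice(n, IV_LEN)
  cipher.auth_tag = env.byteslice(n + IV_LEN, TAG_LEN)
  cipher.update(env.byteslice(n + IV_LEN + TAG_LEN, env.bytesize)) + cipher.final
end
```

The point for defenders is the last function: once the private key lives only with the attackers, the wrapped key inside each file buys the victim nothing, which is why an isolated backup is the only reliable recovery path.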