
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that was found to take advantage of known flaws in VPN appliances to gain initial access to targeted networks.
“Once inside a network, CACTUS attackers enumerate local and network user accounts in addition to reachable endpoints, then create new user accounts, leverage custom scripts, and automate the deployment and launch of ransomware encryption tools via scheduled tasks,” Kroll said in a report shared with The Hacker News.
This ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No information leak site has been confirmed so far.

Successful exploitation of a vulnerable VPN device sets up an SSH backdoor to maintain persistent access and runs a series of PowerShell commands to scan the network and identify a list of machines to be encrypted.
CACTUS attacks also leverage Cobalt Strike and a tunneling tool called Chisel for command and control, and use remote monitoring and management (RMM) software such as AnyDesk to push files to infected hosts.
The attackers also take steps to disable and uninstall security solutions and extract credentials from web browsers and the Local Security Authority Subsystem Service (LSASS) to escalate privileges.
Privilege escalation is followed by lateral movement, data exfiltration, and ransomware deployment. The last step is carried out by a PowerShell script that was also used in Black Basta attacks.
A novel aspect of CACTUS is that it uses a batch script to extract the ransomware binary with 7-Zip and delete the .7z archive before executing the payload.
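As an added illustration that is not part of the article or the Kroll report, the detection below correlates the three steps just described (a 7-Zip extraction, deletion of the .7z archive, and execution of a binary from the extraction directory, all spawned by the same parent process) over constructed Sysmon-style process-creation events. The event field names, the five-minute correlation window and every path in the sample data are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not from the report): WS01 mimics the chain, WS02 is a benign unpack.
SAMPLE_EVENTS = [
    {"ts": "2023-05-09T01:00:00", "host": "WS01", "ppid": 4100, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" x C:\ProgramData\pkg.7z -pREDACTED -oC:\ProgramData\out'},
    {"ts": "2023-05-09T01:00:05", "host": "WS01", "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c del C:\ProgramData\pkg.7z"},
    {"ts": "2023-05-09T01:00:07", "host": "WS01", "ppid": 4100, "image": r"C:\ProgramData\out\svc.exe",
     "cmd": r"C:\ProgramData\out\svc.exe -i"},
    {"ts": "2023-05-09T09:00:00", "host": "WS02", "ppid": 7200, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r'"C:\Program Files\7-Zip\7z.exe" x C:\Users\alice\Downloads\report.7z -oC:\Users\alice\Documents\report'},
    {"ts": "2023-05-09T09:00:30", "host": "WS02", "ppid": 7200, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\alice\Documents\report\notes.txt"},
]

def extract_outdir(cmd):
    """Return the -o<dir> target of a 7-Zip extract ('x' or 'e') command, else None."""
    if not re.search(r'\b7za?\.exe"?\s+[xe]\b', cmd, re.I):
        return None
    m = re.search(r'-o"?([^"\s]+)', cmd)
    return m.group(1).rstrip("\\").lower() if m else None

def detect_unpack_delete_run(events, window=timedelta(minutes=5)):  # window is an assumed tuning value
    """Flag 7-Zip extract -> 'del *.7z' -> execution from the extraction dir, all under one parent on one host."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_parent.setdefault((ev["host"], ev["ppid"]), []).append(ev)
    alerts = []
    for (host, ppid), evs in by_parent.items():
        for i, ev in enumerate(evs):
            outdir = extract_outdir(ev["cmd"])
            if not outdir:
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            deleted = ran = None
            for nxt in evs[i + 1:]:
                if datetime.fromisoformat(nxt["ts"]) - t0 > window:
                    break  # later siblings fall outside the correlation window
                if re.search(r"\bdel\b.*\.7z\b", nxt["cmd"], re.I):
                    deleted = nxt
                elif deleted and nxt["image"].lower().startswith(outdir + "\\"):
                    ran = nxt  # a binary launched from the directory the archive was unpacked into
                    break
            if deleted and ran:
                alerts.append({"host": host, "parent_pid": ppid, "archive_dir": outdir, "payload": ran["image"]})
    return alerts
```

Running `detect_unpack_delete_run(SAMPLE_EVENTS)` yields one alert for WS01 and none for the ordinary extraction on WS02; a real deployment would feed it process-creation telemetry grouped the same way.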
“CACTUS essentially encrypts itself, making it difficult to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, associate managing director of cyber risk at Kroll, told The Hacker News.
“This new ransomware variant, named CACTUS, takes advantage of vulnerabilities in popular VPN appliances, showing that attackers continue to target remote access services and unpatched vulnerabilities for initial access.”
The development comes days after Trend Micro shed light on another type of ransomware known as Rapture, which has some similarities to other families such as Paradise.
“The entire infection chain takes 3 to 5 days at most,” the company said, with Cobalt Strike deployed after initial reconnaissance and used to drop .NET-based ransomware.
Intrusions are believed to occur through publicly exposed and vulnerable websites and servers, so it is essential that companies keep systems up to date and enforce the principle of least privilege (PoLP).
“Operators are using readily available tools and resources, but have successfully used them in ways that enhance Rapture’s capabilities by making it more stealthy and more difficult to analyze,” Trend Micro said.
CACTUS and Rapture are just the latest additions to the long list of new ransomware families that have come to light in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector.