Severity
High
Analysis Summary
Researchers have discovered CACTUS, a new ransomware operation that has been observed exploiting vulnerabilities in VPN appliances to gain initial access to targeted networks.
This new strain leverages known vulnerabilities to gain initial access to targeted networks and then uses custom scripts to automate the deployment and detonation of the ransomware encryptor. The double extortion tactics used by CACTUS actors add a further layer of threat to organizations: victims face not only the loss of encrypted data but also the exposure of sensitive data stolen prior to encryption.
“Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks.”
The CACTUS ransomware has been observed targeting large commercial entities since March 2023 and is using double extortion tactics to steal sensitive data prior to encryption. This means that the attackers are not only encrypting the victim’s data but also stealing it and threatening to release it publicly if the ransom is not paid.
Following successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access, and a series of PowerShell commands is executed to scan the network and identify a list of machines for encryption. This indicates that the attackers are highly skilled and are taking steps to ensure that they can maintain access to the compromised network and locate the most valuable targets for encryption.
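The chain described above, new user accounts created and then scheduled tasks registered by them to detonate the encryptor, leaves a recognisable pattern in the Windows Security log. The following is an added detection example, not code from the advisory or from Rewterz: it correlates account-creation events (ID 4720) with scheduled-task-creation events (ID 4698) by the newly created account within a short window. The event records are constructed sample data, and the field names are a hypothetical pre-parsed form, not the raw Windows XML.

```python
"""
Added example (not part of the Rewterz advisory): correlate Windows Security
events matching the CACTUS behaviour of creating a user account and then
registering a scheduled task from that account. Event IDs 4720 (user account
created) and 4698 (scheduled task created) are real Windows audit events; the
records below are constructed for the example, and the dict field names are
a hypothetical pre-parsed representation, not the raw event XML.
"""
from datetime import datetime, timedelta

# Constructed sample of Security-log records already parsed into dicts.
SAMPLE_EVENTS = [
    {"time": "2023-05-10T02:14:05", "event_id": 4720, "subject": "CORP\\svc-backup",
     "target": "CORP\\ops-admin2", "host": "FS01"},
    {"time": "2023-05-10T02:21:40", "event_id": 4698, "subject": "CORP\\ops-admin2",
     "task": "\\Microsoft\\Windows\\Update\\Sync", "host": "FS01"},
    # A benign pair: a helpdesk-created user who registers a task two days later.
    {"time": "2023-05-10T09:00:00", "event_id": 4720, "subject": "CORP\\helpdesk",
     "target": "CORP\\j.doe", "host": "DC01"},
    {"time": "2023-05-12T09:00:00", "event_id": 4698, "subject": "CORP\\j.doe",
     "task": "\\Backup\\Nightly", "host": "DC01"},
]

# How soon after creation a task registration by the new account is suspicious.
WINDOW = timedelta(hours=1)


def correlate_new_account_tasks(events, window=WINDOW):
    """Return one alert per scheduled task (4698) registered by an account
    whose creation event (4720) was seen less than `window` earlier.
    Events are processed in time order so the lookup is a single pass."""
    created = {}  # lower-cased account name -> (creation time, creation event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            created[ev["target"].lower()] = (ts, ev)
        elif ev["event_id"] == 4698:
            hit = created.get(ev["subject"].lower())
            if hit is None:
                continue
            created_at, creation_ev = hit
            if ts - created_at <= window:
                alerts.append({
                    "account": ev["subject"],
                    "created_by": creation_ev["subject"],
                    "task": ev["task"],
                    "host": ev["host"],
                    "minutes_after_creation": round((ts - created_at).total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_account_tasks(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['account']} (created by {alert['created_by']}) "
              f"registered task {alert['task']} on {alert['host']} "
              f"{alert['minutes_after_creation']} min after creation")
```

The window is deliberately short: the benign helpdesk pair two days apart does not alert, while the account created at night and used within minutes does. In production the same logic would consume events from a SIEM or from Get-WinEvent rather than the embedded list.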
CACTUS attacks are utilizing a variety of sophisticated tools and techniques to achieve their objectives. The use of Cobalt Strike and Chisel for command-and-control, as well as RMM software like AnyDesk to push files to infected hosts, highlights the attackers’ ability to evade detection and maintain persistence on the network.
In addition, the attackers take steps to disable and uninstall security solutions, and extract credentials from web browsers and the LSASS service to escalate privileges. This shows that they are actively looking for ways to evade detection and increase their access to the target network.
Once the attackers have escalated their privileges, they use lateral movement and data exfiltration to identify and steal sensitive data before deploying the ransomware. It’s particularly concerning that the attackers are using a PowerShell script that has also been used by Black Basta, which indicates that they may have shared tactics, techniques, and procedures (TTPs) or may even be the same group.
“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” an Associate Managing Director at Kroll told researchers.
The use of encryption to protect the CACTUS ransomware binary is an example of the evolving tactics attackers use to avoid detection by security solutions. By encrypting the ransomware binary, the attackers make it more difficult for security solutions to identify and analyze the malicious code. The use of a batch script to obtain the encryptor binary using 7-Zip is another example of the attackers’ efforts to evade detection: by using legitimate tools like 7-Zip, the attackers blend in with normal network activity, making it harder for security solutions to detect their activities.
There is still limited information available about the CACTUS ransomware operation, including the specific victims it is targeting and its reliability in providing a decryptor if paid. However, it is clear that the attackers are leveraging vulnerabilities in VPN appliances, particularly those of Fortinet, to gain initial access to targeted networks.
To protect against this type of attack, organizations should prioritize installing the latest security updates and patches for their VPN appliances and other critical systems. Additionally, they should monitor their networks for signs of intrusion, particularly large data exfiltration activity that may indicate sensitive data is being stolen.
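The exfiltration monitoring recommended above can start from something as simple as a per-host egress baseline. Below is an added example, not code from the advisory or from Rewterz, that flags a host whose daily outbound volume to external addresses far exceeds the median of its other days. The flow records are constructed sample data, and the thresholds (a 10x ratio and a 1 GB floor) are illustrative assumptions, not values from the advisory.

```python
"""
Added example (not from the Rewterz advisory): flag hosts whose external egress
on a given day jumps far above their own baseline, one way to surface the bulk
data theft that precedes CACTUS encryption. The flow records below are
constructed sample data, and the threshold values are assumptions for the
example rather than figures from the advisory.
"""
from collections import defaultdict
from statistics import median

# Constructed: (day, host, destination_is_external, bytes_out)
SAMPLE_FLOWS = [
    ("2023-05-01", "FS01", True, 120_000_000),
    ("2023-05-02", "FS01", True, 95_000_000),
    ("2023-05-03", "FS01", True, 110_000_000),
    ("2023-05-04", "FS01", True, 130_000_000),
    ("2023-05-05", "FS01", True, 4_800_000_000),   # the spike to investigate
    ("2023-05-05", "FS01", False, 9_000_000_000),  # internal backup traffic, not counted
    ("2023-05-01", "WS07", True, 40_000_000),
    ("2023-05-02", "WS07", True, 45_000_000),
    ("2023-05-03", "WS07", True, 38_000_000),
    ("2023-05-04", "WS07", True, 900_000_000),     # large relative jump but under the floor
]


def daily_external_egress(flows):
    """Sum outbound bytes to external destinations per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, external, nbytes in flows:
        if external:
            totals[host][day] += nbytes
    return totals


def find_egress_spikes(flows, ratio=10.0, min_bytes=1_000_000_000):
    """Alert when a host's external egress on one day is more than `ratio`
    times the median of its other days AND at least `min_bytes` in absolute
    terms. The absolute floor keeps quiet workstations from alerting on
    small, noisy baselines; the ratio keeps busy file servers from alerting
    on their normal volume."""
    alerts = []
    for host, per_day in daily_external_egress(flows).items():
        for day, nbytes in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day]
            if not others:
                continue  # no baseline to compare against yet
            baseline = median(others)
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes_out": nbytes,
                    "baseline": baseline,
                    "ratio": round(nbytes / baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_egress_spikes(SAMPLE_FLOWS):
        print(f"[ALERT] {alert['host']} sent {alert['bytes_out']:,} bytes externally on "
              f"{alert['day']}, {alert['ratio']}x its baseline of {alert['baseline']:,.0f}")
```

Leave-one-out medians are used so that the spike day does not inflate its own baseline. A real deployment would feed this from NetFlow or firewall logs and tune both thresholds per host class.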
Impact
- File Encryption
- Data Theft
Remediation
- Patch vulnerable VPN appliances: One of the primary ways CACTUS gains initial access to networks is by exploiting known vulnerabilities in VPN appliances. Organizations should ensure that they have installed the latest patches and updates for their VPN appliances to mitigate this risk.
- Use multi-factor authentication (MFA): MFA can significantly reduce the risk of unauthorized access to networks and systems, even if an attacker is able to steal a user’s credentials. Organizations should consider implementing MFA for all remote access systems, including VPNs.
- Segment the network: Segmentation can limit the impact of a ransomware attack by preventing the spread of the malware to other parts of the network. Critical systems and data should be isolated from the rest of the network and access should be restricted to authorized users only.
- Use advanced endpoint protection: Advanced endpoint protection solutions that use behavioral analysis and machine learning can detect and respond to ransomware attacks more effectively than traditional antivirus solutions.
- Backup critical data: Regular backups of critical data can help organizations recover from ransomware attacks without having to pay the ransom. It is important to store backups in a secure, off-site location that is not connected to the network to prevent them from being compromised by attackers.
- Conduct regular security assessments: Regular security assessments, including penetration testing and vulnerability scanning, can help organizations identify and remediate vulnerabilities before they can be exploited by attackers.
By taking these steps, organizations can reduce the risk of a CACTUS ransomware attack and mitigate the impact of such an attack if one occurs. It is also important to have an incident response plan in place that outlines the steps to be taken in the event of a ransomware attack.