New Ransomware Variant ‘CACTUS’ Targeting VPN Vulnerabilities to Breach Networks

New Ransomware CACTUS Exploits VPN Vulnerabilities in Ongoing Cyber Attacks

Cybersecurity researchers have identified a new strain of ransomware, dubbed CACTUS, which exploits known vulnerabilities in VPN appliances to gain entry into targeted networks. This ransomware variant has primarily targeted large commercial enterprises since its emergence in March 2023.

Upon infiltration, actors behind CACTUS systematically enumerate local and network user accounts while identifying accessible endpoints. Subsequently, they establish new user accounts and employ customized scripts to automate the deployment and execution of the ransomware encryptor through scheduled tasks. Kroll, in its analysis shared with The Hacker News, emphasized the sophisticated methods employed by these attackers.

The CACTUS operators also practise double extortion, exfiltrating sensitive data before encrypting it. To date, no dedicated data leak site associated with these attacks has been identified, raising concerns about how the stolen data will be used against the business operations of affected entities.

Following the successful compromise of vulnerable VPN devices, the attackers install an SSH backdoor for persistent access and execute a series of PowerShell commands. These commands run network scans that identify potential targets within the environment. Tools such as Cobalt Strike and Chisel are then used for command-and-control, giving the operators remote monitoring, tunnelling and file-manipulation capabilities.

In addition, the attackers take deliberate measures to disable security solutions and extract stored credentials from web browsers, as well as from the Local Security Authority Subsystem Service (LSASS). These actions are indicative of privilege escalation strategies that allow attackers to move laterally across the network. Following this, data exfiltration occurs alongside malware deployment, all orchestrated through a PowerShell script previously utilized by known ransomware groups.

A notable technical aspect of CACTUS is its use of a batch script to extract the ransomware binary from a 7-Zip archive, deleting the archive immediately after extraction and then launching the payload. This self-encrypting technique enhances stealth, allowing the ransomware to evade detection by traditional antivirus and monitoring systems.
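The staging behaviour described above (7-Zip extraction, prompt deletion of the archive, execution of the extracted binary) and the scheduled-task deployment mentioned earlier are both visible in process-creation telemetry. The following detection logic is an added example written for this page, not code from Kroll or any vendor; the log format, field order and all paths, user names and timestamps are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed process-creation events: "<ISO timestamp> <user> <command line>".
# Illustrative only; these are not real telemetry from the CACTUS intrusions.
EVENTS = r"""
2023-03-14T02:11:05 CORP\svc_backup schtasks /create /tn Updater /tr C:\Users\Public\run.bat /ru SYSTEM
2023-03-14T02:11:09 CORP\svc_backup 7z.exe x C:\Users\Public\pkg.7z -oC:\Users\Public\out
2023-03-14T02:11:11 CORP\svc_backup cmd.exe /c del C:\Users\Public\pkg.7z
2023-03-14T02:11:14 CORP\svc_backup C:\Users\Public\out\payload.exe -i
2023-03-14T09:30:00 CORP\alice 7z.exe x C:\Users\alice\docs.7z -oC:\Users\alice\docs
""".strip().splitlines()

# "7z x <archive>.7z [-o<dir>]" extraction, "del <archive>.7z", and task creation.
EXTRACT_RE = re.compile(r"7z(?:\.exe)?\s+x\b.*?(?P<archive>\S+\.7z)(?:.*?-o(?P<out>\S+))?", re.I)
DELETE_RE = re.compile(r"\bdel\b\s+(?P<path>\S+\.7z)", re.I)
SCHTASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)

def parse(line):
    ts, user, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, cmd

def detect(lines, window_s=120):
    """Return (timestamp, rule, user) findings; chain steps must be by the same user
    within window_s seconds of the extraction."""
    findings = []
    pending = {}  # user -> state of an in-progress extract/delete/execute chain
    for line in lines:
        ts, user, cmd = parse(line)
        if SCHTASK_RE.search(cmd):
            findings.append((ts, "scheduled_task_created", user))
        m = EXTRACT_RE.search(cmd)
        if m:  # start (or restart) a chain for this user
            pending[user] = {"ts": ts, "archive": m["archive"].lower(),
                             "out": (m["out"] or "").lower(), "deleted": False}
            continue
        st = pending.get(user)
        if not st or (ts - st["ts"]).total_seconds() > window_s:
            pending.pop(user, None)  # no chain, or it has gone stale
            continue
        d = DELETE_RE.search(cmd)
        if d and d["path"].lower() == st["archive"]:
            st["deleted"] = True  # archive removed right after extraction
            continue
        # Execution of something from the extraction directory after the archive is gone.
        if st["deleted"] and st["out"] and cmd.lower().startswith(st["out"]):
            findings.append((ts, "archive_extract_delete_execute", user))
            pending.pop(user, None)
    return findings
```

A plain extraction with no deletion and no follow-on execution (the last sample line) produces no finding, which keeps ordinary 7-Zip use out of the alert stream.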

Experts underscore that CACTUS’s exploitation of a popular VPN vulnerability illustrates a persistent threat trend, where cybercriminals increasingly target remote access services and unpatched vulnerabilities to gain initial access. This warning coincides with another ransomware called Rapture, recently identified by Trend Micro. Rapture shares some characteristics with older ransomware families, showing an evolution in attack methodologies that increasingly emphasize obfuscation and stealth.

The intrusion pathways for CACTUS attacks often stem from exposed public-facing websites and servers, underlining the need for businesses to keep systems current and maintain a proactive security posture. The attackers' use of widely available tools suggests that, while the resources are common, their deployment reflects considerable skill in adapting them, making the ransomware harder to analyze and counter.

In summary, the emergence of CACTUS, along with the ongoing threats posed by ransomware families like Rapture, presents a significant challenge for organizations striving to protect their data. Business owners are urged to bolster their defenses against evolving attack vectors, particularly those targeting known vulnerabilities in widely used network appliances. Mapping intrusions to the MITRE ATT&CK framework helps analysts track the initial access, persistence, and privilege escalation tactics that underpin these sophisticated threats.