CACTUS Ransomware Exploits VPN Flaws to Infiltrate Corporate Networks


New Ransomware Strain ‘CACTUS’ Exploits VPN Vulnerabilities

[Figure: Cactus ransomware binary execution flow (source: Kroll)]

Security researchers have uncovered a new strain of ransomware dubbed CACTUS that exploits known vulnerabilities in VPN appliances to infiltrate targeted networks. CACTUS has been observed targeting large commercial entities since March 2023 and employs double extortion tactics to steal sensitive data prior to encryption. The ransomware has not yet been observed using a data leak site.

Once inside a network, CACTUS actors attempt to enumerate user accounts and reachable endpoints before creating new accounts and using custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks. The malware also sets up an SSH backdoor for persistent access, uses PowerShell commands to conduct network scanning and identify machines for encryption, and leverages Cobalt Strike and the Chisel tunneling tool for command-and-control.

To evade detection, CACTUS uses a batch script to extract the ransomware binary with 7-Zip, followed by removing the .7z archive before executing the payload. “CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” said Laurie Iacono, associate managing director for cyber risk at Kroll.
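As an added, illustrative detection example (not code from the article or from Kroll), the Python below correlates constructed Sysmon-style process-creation events per host to flag the extract-then-delete-then-execute chain described above, and separately flags scheduled-task creation used for detonation; host names, paths, field names and the 300-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# These are NOT real CACTUS telemetry; paths and hosts are illustrative.
EVENTS = [
    {"t": 100, "host": "ws01", "cmd": r"7z.exe x C:\ProgramData\update.7z -oC:\ProgramData"},
    {"t": 101, "host": "ws01", "cmd": r"cmd.exe /c del /f /q C:\ProgramData\update.7z"},
    {"t": 102, "host": "ws01", "cmd": r"C:\ProgramData\svc.exe -r"},
    {"t": 103, "host": "ws01", "cmd": r"schtasks.exe /create /tn Updater /tr C:\ProgramData\svc.exe /sc onstart"},
    {"t": 200, "host": "ws02", "cmd": r"7z.exe x C:\Users\a\docs.7z -oC:\Users\a\docs"},  # benign: nothing follows
]

# 7-Zip extract (x or e) of a .7z archive with an explicit output directory (-o<dir>)
EXTRACT = re.compile(r"7z(?:\.exe)?\s+[xe]\s+.*?(?P<archive>\S+\.7z)\s+-o(?P<dir>\S+)", re.I)
DELETE = re.compile(r"\bdel\b.*?(?P<archive>\S+\.7z)", re.I)
SCHTASK = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)


def deletes_archive(cmd, archive):
    """True if the command deletes the named .7z archive (case-insensitive)."""
    m = DELETE.search(cmd)
    return bool(m) and m.group("archive").lower() == archive


def detect(events, window=300):
    """Return (host, alert_name, time) tuples for suspicious chains and scheduled tasks."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            m = EXTRACT.search(ev["cmd"])
            if not m:
                if SCHTASK.search(ev["cmd"]):
                    alerts.append((host, "scheduled_task_created", ev["t"]))
                continue
            archive = m.group("archive").lower()
            outdir = m.group("dir").lower().rstrip("\\")
            # Only events on the same host within the correlation window count
            later = [e for e in evs[i + 1:] if e["t"] - ev["t"] <= window]
            deleted = any(deletes_archive(e["cmd"], archive) for e in later)
            executed = any(e["cmd"].lower().startswith(outdir + "\\") for e in later)
            if deleted and executed:
                alerts.append((host, "extract_delete_execute", ev["t"]))
    return alerts
```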


Rapture Uses Similar Tactics to Paradise and Targets Public-Facing Websites

In addition to CACTUS, another new ransomware strain called Rapture has recently emerged. Rapture has been found to use similar tactics to other ransomware families such as Paradise, with the entire infection chain lasting only three to five days. Trend Micro, which uncovered Rapture, suspects that the intrusion is facilitated through vulnerable public-facing websites and servers.

New Ransomware Strains Underscore the Importance of Cybersecurity Measures

As new ransomware strains like CACTUS and Rapture continue to target vulnerable systems, cybersecurity researchers stress the importance of keeping systems up to date and enforcing the principle of least privilege (PoLP). CACTUS, which exploits known vulnerabilities in VPN appliances, has been observed targeting large commercial entities since March 2023, while Rapture uses tactics similar to other ransomware families and is suspected of infiltrating systems through vulnerable public-facing websites and servers. Laurie Iacono, associate managing director for cyber risk at Kroll, warns that threat actors are targeting remote access services and unpatched vulnerabilities for initial access, making it imperative for companies to implement proper cybersecurity measures.


Source: thehackernews.com


The post CACTUS Ransomware Exploits VPN Flaws to Infiltrate Corporate Networks first appeared on Black Hat Ethical Hacking.
