Rapid Exploitation and A Coordinated Intrusion from Cactus Ransomware

Bitdefender's analysis of a Cactus ransomware attack provides an insightful look into the attackers' tactics, techniques, and procedures (TTPs), while also detailing the severity of the attack's impact. The incident is characterized by a coordinated assault on two distinct companies, beginning with the exploitation of a vulnerability in Ivanti MobileIron Sentry, tracked as CVE-2023-38035, immediately after its disclosure. This rapid utilization of the vulnerability supports Bitdefender's assessment of the 2024 threat landscape, predicting "the rapid rise of opportunistic ransomware and the growing risk of coordinated attacks." The importance of addressing vulnerabilities, especially those enabling remote code execution (RCE), is highlighted as critical, with Bitdefender asserting that these are likely to be abused for the deployment of a web shell shortly after the 24-hour disclosure window.

Bitdefender describes the relationship between the two impacted organizations, noting that although they belong to the same corporate group, they function autonomously with distinct network infrastructures and domain configurations. Despite their common ownership, there's no direct or formalized digital trust framework linking their operational IT environments, emphasizing their operational independence. During the documented 20-day intrusion, the attackers' initial activities on the first compromised entity (VictimA) involved deploying AnyDesk remote access software, establishing SSH access, and obtaining LSA secrets for credential theft. The attackers' methodical approach is demonstrated by their strategic pause to infiltrate the other network, as noted by Bitdefender.

Abusing available hosts between VictimA and VictimB, along with an ingress route, they pivoted and secured a foothold onto VictimB. Their activities on VictimB were not fully explored until they completed their objectives on VictimA. Utilizing SMB (Server Message Block) connections allowed the attackers to identify and exploit shared resources between the companies. By day 10 of the intrusion from the first observed sign of lateral movement, they completed their objectives on VictimA, including credential theft using a script (bk11.ps1) that extracted sensitive data. This set the stage for their pivot to VictimB, where they initiated scans with a custom PSnmap.ps1 script to identify exploitable machines. By day 12, they had compromised two high-value administrative machines, furthering their attack capabilities.

The attackers' intrusion resumed on the 15th day with further data exfiltration, extracting high-value information and compressing it within a zip archive. Preparations for the culmination of the Cactus ransomware attack occurred on the 19th and into the 20th day, with critical steps including deploying scheduled tasks through Group Policies, disrupting hypervisor access to initiate the encryption of virtual machines across environments differing in virtualization technology—Hyper-V for VictimA and VMware ESXi for VictimB. The operation progressed from resetting passwords on hypervisor hosts, removing endpoint security measures, to executing PsExec for widespread encryption.

The valuable insight provided by Bitdefender helps to reveal key adversary behaviors leading to the completion of their objectives. Since its emergence in March 2023, the Cactus ransomware-as-a-service (RaaS) has proven to be a persistent threat to organizations by exploiting both technological vulnerabilities and compromised credentials for initial access. This breadth of attack capabilities, as detailed in Cisco Talos's Q4 2023 report, emphasizes the adaptability and evolving nature of threat actors.