Bitdefender Labs analyzed a coordinated ransomware operation by the CACTUS group that struck two independent corporate networks within a short window. The campaign combined rapid vulnerability weaponization (CVE-2023-38035), multi-stage credential access and lateral movement, remote access tool chaining, and encryption of workstations, servers, and virtualization hosts. hashtags: #CACTUS #CVE-2023-38035 #IvantiMobileIronSentry #Kinsing #DWService #HyperV #ESXi
Keypoints
- Two companies within the same group were attacked in a coordinated campaign, with encryption happening in a tight five‑minute window.
- The initial access leveraged a known vulnerability (CVE-2023-38035) in Ivanti MobileIron Sentry to achieve remote code execution on an internet-exposed server.
- The attackers used SECURITY1 as a proxy, conducted SMB brute‑force attempts, installed AnyDesk, and created SSH tunnels to reach VictimA and later VictimB.
- Credentials were dumped from LSA Secrets and domain admin access was obtained, enabling domain‑level movement and privilege escalation.
- Ransomware deployment targeted both Windows workstations and virtualization hosts (Hyper-V and ESXi) with two binaries and a custom ESXi variant, encrypting virtual machines and related data.
- Defense evasion included removing endpoint security, disabling Restricted Admin, and disabling shadow copies via GPO‑driven tasks.
- Exfiltration occurred to known C2 IPs before encryption, and the operation included long‑range lateral movement, credential theft, and multiple persistence/remote‑access techniques.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability CVE-2023-38035 was exposed and exploited to bypass authentication and enable remote code execution on the administrative interface. Quote: ‘a significant vulnerability (CVE-2023-38035) surfaced— a critical vulnerability … could enable an attacker to bypass authentication controls on the administrative interface due to an inadequately restrictive Apache HTTPD configuration and lead to remote code execution in the context of the root user.’
- [T1021.001] Remote Services – RDP, AnyDesk, and SSH access were used to move and control access across networks. Quote: ‘With RDP, AnyDesk, and SSH access, this security server functioned as a gateway for their attack on VictimA.’
- [T1046] Network Service Scanning – PSnmap.ps1 was used to scan ports and gather host details during network discovery. Quote: ‘a custom version of the PSnmap.ps1 script. This tool not only scans for ports 135 (RPC/WMI), 3389 (RDP), 445 (SMB), 443 (HTTPS), and 22 (SSH), but also extracts machine details…’
- [T1053.005] Scheduled Task – The attackers established multiple scheduled tasks via Group Policy Preferences to manage configurations and persistence. Quote: ‘Three scheduled tasks are established via Group Policy Preferences (GPO) to manage administrative and security configurations on both VictimA and VictimB networks.’
- [T1003.001] OS Credential Dumping – Credentials were extracted from LSA Secrets and domain controllers, enabling privilege escalation. Quote: ‘extract credentials for the VictimAendpoint account from LSA Secrets’
- [T1550.002] Pass the Hash – Disabling Restricted Admin mode facilitated logins using NTLM hash for lateral movement. Quote: ‘Disable Restricted Admin mode (to allow logging in with NTLM hash, enabling pass-the-hash attacks)’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration occurred to known C2 IPs (206.188.196.20 and 64.52.80.252) on ports 22 or 443. Quote: ‘Data exfiltration occurred, as anticipated, prior to the onset of the ransomware attacks. For VictimA, this began on day T+1 and persisted until day T+20… the command and control servers used for exfiltration are known IP addresses: 206.188.196.20 and 64.52.80.252, operating on ports 22 or 443.’
- [T1486] Data Encrypted for Impact – The CACTUS ransomware encrypted all endpoints, including hypervisors and VMs, with two distinct Windows binaries and ESXi-specific variants. Quote: ‘The CACTUS ransomware encrypts all files except those with the following extensions: exe, dll, lnk, sys, msi, and bat…’
- [T1021.002] SMB/Windows Admin Shares – Brute force/password spraying attempts on SMB port 445 indicate lateral movement via Windows admin shares. Quote: ‘brute force/password spraying attempts on SMB port 445’
Indicators of Compromise
- [File] Victim‑related executables – C:\windows\{Victim ID}.exe, C:\Windows\{Victim ID}.exe, ./{Victim ID}, C:\WINDOWS\so.bat, C:\WINDOWS\f2.bat, c:\windows\public\syslog.txt, c:\users\public\bk11.ps1, Psnmap.ps1
- [Hash] Executables and scripts – 39fe99d2250954a0d5ed0e9ff9c41d81, 0e4ee38fe320cfb573a30820198ff442, 8d2e4bef47e3f2ee0195926bbf4a25d5, f7a6d1e6e5436bd3c10f3a26f3e9b9b9, fb467a07f44e8d58e93e3567fd7ff016, be139fc480984eb31de025f25a191035, 08d2c800c93015092e14738c941ac492, 02e4da16377fc85e71a8c8378b2a8a96, 8b37df9d295bbc2906961f72b7cdc5fb, 8af259ad55c3746926e992c82bc7e850, 55e42014424c0d120ff17f11e207e4f0, 5f7c3cda7759ef6e577552ad322c1f64
- [File] Scripts and config – bk11.ps1, Psnmap.ps1, known_hosts, syslog.txt
- [IP] Command and control / exfiltration – 206.188.196.20, 64.52.80.252, 162.33.177.56, 45.61.138.99, 45.61.136.79, 45.61.136.127, 85.206.172.127, 192.227.190.11, 154.18.12.125
- [Domain/URL] Storage/command channels – www.dwservice.net; https://www.dwservice.net/
- [File] Other artifacts – C:\Windows\Temp\syslog.txt, C:\ProgramData\ssh, ssh.exe, libcrypto.dll, known_hosts
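As an added example (not part of the Bitdefender report or this summary), the following Python script turns the indicator list above into a simple retrospective sweep over firewall, EDR and proxy log lines. The C2 IP addresses, MD5 hashes, file names and domain are copied from the IoC list on this page; the log lines are constructed for the demonstration and their format, field names and the `scan_line`/`scan_log` helper names are assumptions, not a real product's schema.

```python
import re
from typing import Dict, List

# Indicators copied from the report's IoC list above.
C2_IPS = {
    "206.188.196.20", "64.52.80.252", "162.33.177.56", "45.61.138.99",
    "45.61.136.79", "45.61.136.127", "85.206.172.127", "192.227.190.11",
    "154.18.12.125",
}
MD5_HASHES = {
    "39fe99d2250954a0d5ed0e9ff9c41d81", "0e4ee38fe320cfb573a30820198ff442",
    "8d2e4bef47e3f2ee0195926bbf4a25d5", "f7a6d1e6e5436bd3c10f3a26f3e9b9b9",
    "fb467a07f44e8d58e93e3567fd7ff016", "be139fc480984eb31de025f25a191035",
    "08d2c800c93015092e14738c941ac492", "02e4da16377fc85e71a8c8378b2a8a96",
    "8b37df9d295bbc2906961f72b7cdc5fb", "8af259ad55c3746926e992c82bc7e850",
    "55e42014424c0d120ff17f11e207e4f0", "5f7c3cda7759ef6e577552ad322c1f64",
}
# Matched on the final path component, case-insensitively, so both
# C:\WINDOWS\f2.bat and c:\windows\f2.bat are caught.
FILE_NAMES = {"so.bat", "f2.bat", "bk11.ps1", "psnmap.ps1", "syslog.txt"}
DOMAINS = {"www.dwservice.net"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Path-like tokens: letters, digits, colon, slashes, dots and dashes.
TOKEN_RE = re.compile(r"[\w:\\./-]+")


def scan_line(line: str) -> List[str]:
    """Return a list of 'type:value' tags for every indicator found in one log line."""
    hits: List[str] = []
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(f"c2_ip:{ip}")
    for digest in MD5_RE.findall(line):
        if digest.lower() in MD5_HASHES:
            hits.append(f"hash:{digest.lower()}")
    for token in TOKEN_RE.findall(line):
        # Compare only the file name, whatever directory prefix the log used.
        name = re.split(r"[\\/]", token)[-1].lower()
        if name in FILE_NAMES:
            hits.append(f"file:{name}")
    lowered = line.lower()
    for domain in DOMAINS:
        if domain in lowered:
            hits.append(f"domain:{domain}")
    return hits


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their indicator hits; lines with no hits are omitted."""
    results: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed sample log lines (hypothetical hosts, timestamps and formats).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z fw: ALLOW tcp 10.0.0.5:51234 -> 206.188.196.20:443 bytes=8192000",
    "2024-01-01T10:01:00Z edr: process create C:\\Windows\\f2.bat parent=services.exe",
    "2024-01-01T10:02:00Z edr: file md5=39fe99d2250954a0d5ed0e9ff9c41d81 path=C:\\Windows\\Temp\\syslog.txt",
    "2024-01-01T10:03:00Z proxy: GET https://www.dwservice.net/ user=svc_backup",
    "2024-01-01T10:04:00Z fw: ALLOW tcp 10.0.0.5:51300 -> 8.8.8.8:53 bytes=120",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```

A large outbound transfer to one of the listed C2 addresses on port 22 or 443 (line 1 of the sample) is the signal that, per the report, precedes encryption by days, so it is the hit most worth alerting on; the file-name matches are weaker on their own because `syslog.txt` and `ssh.exe` are ordinary names and should be confirmed against the listed paths and hashes.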