December 4, 2023 at 12:00AM
Microsoft alerts of a CACTUS ransomware spread through malvertising, deploying DanaBot for initial access, leading to attacks by the Storm-0216 group. DanaBot’s usage follows law enforcement disrupting QakBot. Recent attacks also exploit Qlik Sense vulnerabilities and a new macOS ransomware called Turtle has emerged.
Clear Takeaways from Meeting Notes on CACTUS Ransomware Attacks and Cybersecurity Threat Intelligence:
1. A new wave of CACTUS ransomware attacks has been identified by Microsoft, involving malvertising tactics to distribute DanaBot as a tool to breach systems.
2. DanaBot is used as an initial access vector, proceeding to hands-on keyboard activity by a ransomware operator known as Storm-0216, also associated with monikers Twisted Spider and UNC2198, resulting in the deployment of CACTUS ransomware.
3. The Microsoft Threat Intelligence team has shared this information via a series of posts on a platform referred to as X (hinted to be formerly known as Twitter).
4. The DanaBot malware, deemed Storm-1044 by Microsoft, is a multifunctional instrument with capabilities similar to other malwares like Emotet, TrickBot, QakBot, and IcedID, able to pilfer data and facilitate further malicious payloads.
5. Cybersecurity company Mandiant, a subsidiary of Google, reported that UNC2198 has a history of employing IcedID for infecting systems to install ransomware variants such as Maze and Egregor, as noted in February 2021.
6. According to Microsoft, the shift from QakBot to DanaBot by threat actors could be in response to a law enforcement operation in August 2023 that dismantled QakBot’s support systems.
7. The current DanaBot campaign, noted starting November, appears to use an exclusive version of the info-stealing malware, rather than earlier versions that were available on a malware-as-a-service basis.
8. The stolen credentials procured through the malware are sent to a server under the control of the malicious actors, initiating a chain of actions that includes lateral movement through RDP (Remote Desktop Protocol) and eventual network access handover to Storm-0216.
9. Arctic Wolf announced another spate of CACTUS ransomware activities that exploit critical vulnerabilities in a data analytics platform known as Qlik Sense to infiltrate corporate networks.
10. Additionally, a new macOS ransomware labeled Turtle has been discovered, written in Go language, signed with an adhoc certificate that prevents immediate execution due to macOS Gatekeeper protections.
Recommendations for follow-up action include bolstering cybersecurity measures to safeguard against RDP breaches, staying informed about malvertising campaigns, and ensuring that systems are protected against the known vulnerabilities that are being exploited by CACTUS ransomware. It may also be prudent to monitor any developments regarding Turtle ransomware for macOS systems.