12 May 2023

7 min read

CACTUS ransomware group targets victims with triple extortion tactics | Cyber Intelligence Briefing: 12 May



Top news stories this week

  1. Prickly. CACTUS ransomware group targets victims with triple extortion tactics.
  2. Operation Medusa. NCSC and FBI lead takedown of Russian Snake malware infrastructure.
  3. Law enforcement bytes back. US Department of Justice and National Police of Spain crackdown.
  4. Patch o’clock. Microsoft addresses three zero-day vulnerabilities and Iranian nation state group exploits unpatched PaperCut vulnerability.
  5. A tale of two breaches. NextGen Healthcare and Sysco suffer data breaches.
  6. TechnologyOne breached. Australian trading platform hit by cyber attack.
  7. NodeStealer malware. Meta disrupts new information-stealing malware.


1. New ransomware group alert: CACTUS

A new ransomware group dubbed CACTUS has emerged, targeting organisations by exploiting Fortinet VPN vulnerabilities. CACTUS uses a unique method of encrypting its ransomware binary, making its detection by antivirus and network monitoring tools more challenging.

S-RM’s Incident Response Team has also observed an increase in CACTUS ransomware cases with the following tactics being witnessed:

  • Exploitation of vulnerabilities affecting Zoho ManageEngine products to gain initial network access.
  • The employment of triple extortion. In addition to encrypting and stealing victims’ data, CACTUS directly communicates with relevant stakeholders to increase the perceived urgency of ransom demands.

So what?

Organisations using Fortinet VPN clients and ManageEngine’s products should update any vulnerable software immediately and review unpatched systems for signs of compromise.





2. NCSC and FBI lead takedown of Snake malware infrastructure

The National Cyber Security Centre (NCSC) and FBI have led the takedown of the Snake malware infrastructure. The Snake malware, which has been attributed to Russia's Federal Security Service (FSB), gave operators the ability to steal sensitive documents and information from infected devices.

So what?

Organisations should follow CISA's advisory to help detect Snake malware infections.



3. International crackdown on cyber crime

The US Department of Justice has taken down 13 domains used to facilitate DDoS-for-hire services. DDoS attacks allow attackers to flood a website with malicious traffic to the point that it is unable to respond to legitimate requests. Ten of the seized domains were revived versions of similar sites captured by the FBI in December 2022.

Separately, the National Police of Spain arrested over 40 individuals in connection with a cyber crime operation that defrauded 300,000 people of an estimated EUR 700,000 through email and SMS-based phishing attacks.

So what?

Whilst law enforcement has won substantial victories in the fight against cyber crime, DDoS-for-hire websites and large-scale phishing scams are likely to reappear. User awareness training and analysing traffic patterns for signs of DDoS activity are helpful in mitigating these risks.
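The "traffic pattern" analysis mentioned above can be as simple as counting requests per source address over a sliding time window and flagging sources whose burst rate is far outside normal browsing. The following is an added illustration, not S-RM's tooling or anything from the briefing: it assumes Apache/nginx "combined" access-log lines, uses a constructed sample log (one source bursting 30 requests in five seconds, one browsing normally, one small burst), and the window and threshold values are arbitrary starting points to be tuned against a site's own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flooding_sources(lines, window_seconds=10, threshold=20):
    """Sliding-window request counter per source IP.

    Lines must be in chronological order (as a live log is). Returns
    {ip: peak_requests_in_window} for every IP whose peak reaches `threshold`.
    """
    windows = defaultdict(deque)   # ip -> timestamps currently inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # skip malformed lines instead of crashing
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window; the newest entry
        # is rec["ts"] itself, so the loop always terminates.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > peaks.get(rec["ip"], 0):
            peaks[rec["ip"]] = len(q)
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def request_share(lines):
    """Fraction of all parsed requests coming from each source IP."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["ip"]] += 1
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()} if total else {}


# Constructed sample log (not real traffic): one source bursting 30 requests in
# five seconds, one browsing at a normal pace, one making a small 3-request burst.
_BASE = datetime(2023, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
_events = []
_events += [(_BASE + timedelta(seconds=0.15 * i), "203.0.113.7", "/") for i in range(30)]
_events += [(_BASE + timedelta(seconds=15 * k), "198.51.100.20", f"/page{k}") for k in range(5)]
_events += [(_BASE + timedelta(seconds=30 + j), "192.0.2.44", "/login") for j in range(3)]
_events.sort()

SAMPLE_LOG = ["this line is deliberately malformed"] + [
    f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
    for ts, ip, path in _events
]

if __name__ == "__main__":
    flagged = find_flooding_sources(SAMPLE_LOG)
    share = request_share(SAMPLE_LOG)
    for ip, peak in flagged.items():
        print(f"{ip}: peak {peak} requests in 10 s, {share[ip]:.0%} of all traffic")
```

With the defaults only the bursting source is reported; lowering the threshold to 3 also surfaces the small burst, which shows why the threshold has to be set from observed baseline traffic rather than guessed. Per-source counting catches single-origin floods and misbehaving clients; a distributed attack spreads the load across many addresses, so the same window logic should also be run on the aggregate request rate and on the share of traffic hitting a single path.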




4. Patch Tuesday and PaperCut vulnerability continues to be exploited

Microsoft has patched 38 vulnerabilities, including three zero-day vulnerabilities. Threat actors are actively exploiting two of the zero-day vulnerabilities, allowing them to conduct privilege escalation and remote code execution attacks.

Separately, the Iranian-backed group Mango Sandstorm is exploiting unpatched systems containing the PaperCut vulnerability (CVE-2023-27350). This is despite the print management company releasing urgent patches to mitigate attacks.

So what?

Threat actors favour known, unpatched vulnerabilities because they offer a reliable route into a network. Timely identification and deployment of patches is crucial in protecting your organisation against widely exploited vulnerabilities.




5. NextGen Healthcare and Sysco experience data breaches

NextGen Healthcare has confirmed a recent data breach affecting 1 million patients. NextGen confirmed that the incident did not impact any health or medical data. The company has also provided victims with fraud detection and identity theft protection.

Sysco, a leading global food distribution company, also confirmed a security breach where attackers stole sensitive business, customer, and employee data. Business operations and customer service reportedly remain unaffected.

So what?

It is vital that organisations understand and track the data types they store and process. Organisations should classify their data assets by sensitivity to help assign appropriate security controls and access restrictions.




6. Australian trading platform hit with cyber attack

TechnologyOne, an Australian provider of enterprise resource planning (ERP), has reported a cyber security incident involving unauthorised access to its Microsoft 365 platform. TechnologyOne has requested a trading halt, which it expects to lift by the end of the week.

So what?

Organisations should maintain stringent security measures to prevent users from being compromised, including enabling multi-factor authentication, monitoring account activity, and conducting regular phishing awareness training.




7. Meta defuses new NodeStealer malware

Meta has disrupted the operation behind the new information-stealing malware, NodeStealer. The malware allowed threat actors to hijack accounts by stealing browser information, usernames, and passwords. Due to the way the malware is executed, online malware scanning tools failed to identify it as malicious.

So what?

Organisations should be proactive when threat hunting and not solely rely on pre-existing malware detections.


Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright, Associate, Cyber Security
James Tytler, Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
