The Cuba ransomware group has been detected attacking crucial infrastructure institutions in the United States and IT corporations in Latin America, utilizing a mix of both longstanding and emerging methods.
BlackBerry’s Threat Research and Intelligence team, which identified the recent wave in early June 2023, reports that Cuba is now exploiting CVE-2023-27532 to extract credentials from configuration databases.
This vulnerability affects Veeam Backup & Replication (VBR) products, and an exploit for it has been publicly available since March 2023.
Earlier on, WithSecure announced that FIN7, an organization linked to various ransomware activities, was proactively leveraging CVE-2023-27532.
Cuba Attack Synopsis
According to BlackBerry, Cuba’s primary method of initial access appears to be compromised administrative credentials used over RDP, with no brute forcing involved.
Next, Cuba’s distinctive custom downloader, named ‘BugHatch’, connects to the C2 server to download DLL files or execute specific commands.
The initial foothold on the targeted system is established with a Metasploit DNS stager, which decrypts and launches shellcode directly in the device’s memory.
Cuba employs the increasingly prevalent BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint security tools. In addition, the group uses the ‘BurntCigar’ utility to terminate kernel-level processes associated with security products.
Beyond the recent Veeam vulnerability, Cuba also targets CVE-2020-1472, known as “Zerologon”, a flaw in Microsoft’s NetLogon protocol. This allows the group to escalate their privileges against AD domain controllers.
During the post-infiltration stage, the Cuba group was detected utilizing Cobalt Strike beacons along with several “lolbins.”
Cuba’s Ongoing Activity
BlackBerry emphasizes the evident financial incentives driving the Cuba ransomware group’s actions. They have also made observations hinting at the group’s non-Western origins based on certain linguistic markers and a primary focus on Western targets.
In summary, the Cuba ransomware remains a significant and persistent threat; a lifespan of roughly four years is uncommon for a ransomware operation.
The incorporation of CVE-2023-27532 into Cuba’s arsenal underscores the importance of promptly applying Veeam’s security patches. It also highlights the risk of postponing updates, particularly when proof-of-concept exploits are publicly available.