Cuba Ransomware Gang Exploits Veeam Vulnerability in Attacks on U.S. Critical Infrastructure
August 20, 2023
The Cuba ransomware gang has been identified in attacks against critical infrastructure organizations in the United States and IT companies in Latin America, using a mix of new and old tooling. BlackBerry's Threat Research and Intelligence team detected the latest campaign in early June 2023. Cuba is now exploiting CVE-2023-27532, a flaw in Veeam Backup & Replication (VBR) that lets an attacker who can reach the backup service obtain the encrypted credentials stored in its configuration database. A public proof-of-concept exploit for the flaw has been available since March 2023. Before Cuba adopted it, FIN7, a group with multiple known connections to various ransomware operations, had been observed exploiting the same vulnerability.
BlackBerry's team reports that Cuba's initial access appears to come from valid but compromised administrator credentials used over RDP; no brute forcing was observed. Once inside, Cuba's custom downloader, known as 'BugHatch', establishes communication with the C2 server and downloads DLL files or executes commands. The group also uses a Metasploit DNS stager that decrypts shellcode and runs it directly in memory, so the payload never has to be written to disk. To disable endpoint protection, Cuba uses the increasingly common BYOVD (Bring Your Own Vulnerable Driver) technique: a legitimately signed but vulnerable driver is loaded, and the 'BurntCigar' tool abuses it to terminate security-product processes from kernel mode.
In addition to the relatively recent Veeam flaw, the Cuba ransomware gang also exploits CVE-2020-1472 ('Zerologon'), a vulnerability in Microsoft's Netlogon Remote Protocol that lets an unauthenticated attacker on the network reset a domain controller's machine-account password, giving them privilege escalation to domain-level control. During the post-exploitation phase, Cuba has been seen using Cobalt Strike beacons and various living-off-the-land binaries ('LOLBins').
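The two behaviours above leave recognisable traces in Windows telemetry: a Zerologon exploit resets a domain controller's machine-account password over an unauthenticated Netlogon session, which shows up as a Security event 4742 attributed to ANONYMOUS LOGON, and a BYOVD attack has to load the vulnerable driver, which Sysmon records as Event ID 6. The following hunting rules are an added example written for this article, not BlackBerry's or the gang's code. The event records, the domain controller inventory and the driver hash denylist are all constructed for illustration; the denylist value is a placeholder that an operator would replace with hashes from a maintained list of abused drivers.

```python
"""Hunting rules for two behaviours described above: a Zerologon-style reset of a
domain controller's machine-account password, and a BYOVD driver load.
The events below are constructed samples shaped like simplified Windows Security
and Sysmon records; they are not real telemetry."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Assumed inventory: machine-account names of the environment's domain controllers.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Assumed denylist of SHA-256 hashes of drivers known to be abused for BYOVD.
# The value is a constructed placeholder; populate it from a maintained source.
VULNERABLE_DRIVER_SHA256 = {"ab" * 32}


def zerologon_rule(ev: dict, dcs: set[str]) -> Optional[Finding]:
    """Security-log indicators of CVE-2020-1472 exploitation."""
    if ev.get("Channel") != "Security":
        return None
    eid = ev.get("EventID")
    if eid == 4742:
        # A successful exploit resets the DC's computer-account password over an
        # unauthenticated Netlogon session, so the change is attributed to
        # ANONYMOUS LOGON (SID S-1-5-7) and targets a DC machine account.
        anonymous = (ev.get("SubjectUserSid") == "S-1-5-7"
                     or ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")
        target = ev.get("TargetUserName", "")
        if anonymous and target in dcs:
            return Finding("zerologon_dc_password_reset", ev["Computer"],
                           f"4742: {target} changed by ANONYMOUS LOGON")
    if eid in (5827, 5829):
        # Netlogon events added by the August 2020 patch: 5827 = vulnerable
        # secure-channel connection denied, 5829 = allowed (enforcement not yet on).
        state = "denied" if eid == 5827 else "allowed"
        return Finding("netlogon_vulnerable_connection", ev["Computer"],
                       f"{eid}: vulnerable Netlogon secure channel {state}")
    return None


def byovd_rule(ev: dict, denylist: set[str]) -> Optional[Finding]:
    """Sysmon Event ID 6 (DriverLoad): known-vulnerable or unsigned driver."""
    if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("EventID") != 6:
        return None
    # Sysmon writes the Hashes field as "SHA256=...,IMPHASH=...,..."
    hashes = dict(part.split("=", 1) for part in ev.get("Hashes", "").split(",") if "=" in part)
    sha256 = hashes.get("SHA256", "").lower()
    image = ev.get("ImageLoaded", "?")
    if sha256 in denylist:
        return Finding("byovd_known_vulnerable_driver", ev["Computer"], f"{image} sha256={sha256}")
    if ev.get("Signed", "").lower() != "true":
        return Finding("unsigned_driver_load", ev["Computer"], image)
    return None


def run_rules(events, dcs=DOMAIN_CONTROLLERS, denylist=VULNERABLE_DRIVER_SHA256) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        for f in (zerologon_rule(ev, dcs), byovd_rule(ev, denylist)):
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample events (not real telemetry).
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    # Benign: a join account changes a workstation's computer object.
    {"Channel": "Security", "EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "svc_join", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "WS042$"},
    # Zerologon: DC01's own machine-account password reset by ANONYMOUS LOGON.
    {"Channel": "Security", "EventID": 4742, "Computer": "DC01.corp.example",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7",
     "TargetUserName": "DC01$"},
    {"Channel": "Security", "EventID": 5829, "Computer": "DC01.corp.example"},
    # Benign: signed Microsoft driver from the system directory.
    {"Channel": SYSMON, "EventID": 6, "Computer": "WS042.corp.example",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "cd" * 32, "Signed": "true", "Signature": "Microsoft Windows"},
    # BYOVD: validly signed but denylisted driver dropped into a temp directory.
    {"Channel": SYSMON, "EventID": 6, "Computer": "WS042.corp.example",
     "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA256=" + "AB" * 32 + ",IMPHASH=" + "00" * 16,
     "Signed": "true", "Signature": "Constructed Vendor Ltd"},
    # Unsigned driver load.
    {"Channel": SYSMON, "EventID": 6, "Computer": "WS042.corp.example",
     "ImageLoaded": r"C:\Users\Public\x.sys", "Hashes": "SHA256=" + "ef" * 32,
     "Signed": "false"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

Hash matching is case-insensitive because Sysmon emits uppercase hex while most published denylists use lowercase. The 4742 rule deliberately keys on the subject being ANONYMOUS LOGON rather than on the target alone, since legitimate DC password rotations are attributed to the DC's own account, not to an anonymous session.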
BlackBerry emphasizes the clear financial motivation of the Cuba ransomware gang and assesses that the threat group is likely Russian, a view supported by other cyber-intelligence reports in the past. This assessment rests on the group's exclusion of computers with a Russian keyboard layout from infection, Russian-language 404 pages on parts of its infrastructure, linguistic clues, and its targeting of Western entities.
The Cuba ransomware remains an active threat approximately four years after its emergence, an unusually long lifespan for a ransomware operation. The inclusion of CVE-2023-27532 in Cuba's targeting scope underscores the importance of installing Veeam security updates promptly and highlights the risk of postponing updates once a public proof-of-concept (PoC) exploit is available.