Cuba Ransomware Gang Exploits Veeam Vulnerability in Attacks on U.S. Critical Infrastructure

August 20, 2023

The Cuba ransomware gang has been identified in attacks against critical infrastructure organizations in the United States and IT companies in Latin America, using a mix of new and old tools. BlackBerry's Threat Research and Intelligence team detected the latest campaign in early June 2023. The Cuba ransomware gang is now exploiting CVE-2023-27532 to steal credentials from configuration files. This vulnerability affects Veeam Backup & Replication (VBR) products, and an exploit has been publicly available since March 2023. Prior to this, FIN7, a group with multiple known connections to various ransomware operations, was actively exploiting CVE-2023-27532.

BlackBerry's team reports that Cuba's initial point of entry appears to be compromised admin credentials used over RDP, rather than brute forcing. Subsequently, Cuba's custom downloader, known as 'BugHatch', establishes communication with the C2 server and either downloads DLL files or executes commands. The group establishes its foothold in the target environment through a Metasploit DNS stager that decrypts and runs shellcode directly in memory. The Cuba ransomware gang uses the increasingly common BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protection tools, and employs the 'BurntCigar' tool to terminate kernel processes associated with security products.

In addition to the relatively recent Veeam flaw, the Cuba ransomware gang also exploits CVE-2020-1472 (known as 'Zerologon'), a vulnerability in Microsoft's Netlogon protocol, which gives them privilege escalation against AD domain controllers. During the post-exploitation phase, Cuba has been seen using Cobalt Strike beacons and various living-off-the-land binaries ('lolbins').

BlackBerry emphasizes the clear financial motivation of the Cuba ransomware gang and suggests that the threat group is likely Russian, a theory that has been supported by other cyber-intelligence reports in the past. This assessment is based on the group's exclusion of computers that use a Russian keyboard layout from infections, Russian-language 404 pages on parts of its infrastructure, linguistic clues, and the group's targeting of Western entities.

The Cuba ransomware remains an active threat approximately four years after its emergence, which is uncommon for ransomware. The inclusion of CVE-2023-27532 in Cuba's targeting scope underscores the importance of promptly installing Veeam security updates, and highlights the risk of postponing updates once public PoC (proof-of-concept) exploits are available.
