Cuba Ransomware Group’s Sophisticated Cyberattack Techniques Unveiled

August 22, 2023

The Cuba ransomware group, a Russian threat actor, launched an unsuccessful cyberattack on an organization servicing US critical infrastructure in June. The group, known for its high-profile ransomware attacks, used a combination of multiple CVEs, commercial tools, unique malware, and evasion techniques. In this particular campaign, discovered by Blackberry, it targeted a US critical infrastructure provider and a systems integrator in Latin America. The group exploited two vulnerabilities, CVE-2020-1472 'Zerologon' and CVE-2023-27532, and deployed two of its signature malwares, BUGHATCH and BURNTCIGAR, along with commercial software programs Metasploit and Cobalt.

The attack was first detected in May when an administrator-level login was performed using Remote Desktop Protocol (RDP). There were no signs of previous failed login attempts or brute-forcing. The method used by the attacker to obtain valid credentials remains unknown, but Blackberry researchers have previously observed Cuba using initial access brokers for this purpose. After gaining access, Cuba deployed BUGHATCH, a custom downloader that establishes a connection to a command-and-control (C2) server and downloads attacker payloads. In this instance, one of the payloads downloaded was Metasploit, which was used to solidify the group's foothold in the target environment.

To escalate privileges and gain administrator access, the group exploited Zerologon, a three-year-old vulnerability in Windows' Netlogon Remote Protocol. In addition, they exploited a high-severity bug in the Veeam backup software to extract credentials from its config file. BURNTCIGAR, Cuba's second proprietary malware, was used to execute Bring Your Own Vulnerable Driver (BYOVD) attacks. This malware terminates kernel-level processes en masse by exploiting the I/O control codes used for communication with drivers.

The group also took measures to avoid detection, moving slowly and deliberately over a period of two months within the network. Since its discovery in 2019, Cuba has been one of the most profitable ransomware outfits in the world. According to data from CISA, as of August 2022, the group had compromised 101 entities, 65 in the US and 36 in other countries, demanding a total of $145 million in ransom payments and receiving around $60 million. Despite using Cuban Revolution references and iconography in its code and leak site, evidence suggests the group is of Russian origin.

To defend against the Cuba ransomware group, organizations are advised to focus on detection technologies, timely and possibly automated patching, and investment in advanced threat intelligence. If these measures fail, immediate and decisive action is necessary to prevent significant losses.

Related News

• Cuba Ransomware Gang Exploits Veeam Vulnerability in Attacks on U.S. Critical Infrastructure
• New BlackCat Ransomware Variant Incorporates Advanced Impacket and RemCom Tools
• Chinese APT15 Revives for Espionage on Foreign Ministries
• FIN7 Cyber Gang Resurfaces with Cl0p Ransomware in New Wave of Attacks
• BianLian Ransomware Group Targets Critical Infrastructure Organizations

Latest News

• CISA Adds Critical Adobe ColdFusion Vulnerability to Its Exploited Catalog
• Ivanti Releases Urgent Patch for Zero-Day Vulnerability in Sentry Gateway
• Critical Vulnerability in Ivanti Sentry API Exploited in the Wild
• Juniper Networks Patches Critical Flaws in Switches and Firewalls
• Zero-Day Windows Error Reporting Service Vulnerability Exploited: PoC Code Released