Cuba Ransomware Group’s Sophisticated Cyberattack Techniques Unveiled
August 22, 2023
The Cuba ransomware group, a threat actor of likely Russian origin, launched an unsuccessful cyberattack in June on an organization servicing US critical infrastructure. The group, known for its high-profile ransomware attacks, combined multiple CVEs, commercial tooling, its own custom malware, and defense-evasion techniques. In this campaign, documented by BlackBerry, it targeted a US critical infrastructure provider and a systems integrator in Latin America. The group exploited two vulnerabilities, CVE-2020-1472 ("Zerologon", in Windows Netlogon) and CVE-2023-27532 (in Veeam Backup & Replication), and deployed two of its signature malware families, BUGHATCH and BURNTCIGAR, alongside the commercial frameworks Metasploit and Cobalt Strike.
The earliest sign of the intrusion was an administrator-level login over Remote Desktop Protocol (RDP) in May. There were no preceding failed login attempts or other signs of brute-forcing, so the attacker arrived with valid credentials. How those credentials were obtained is unknown; BlackBerry researchers have previously observed Cuba buying access from initial access brokers. After gaining access, Cuba deployed BUGHATCH, a custom downloader that connects to a command-and-control (C2) server and retrieves further attacker payloads. In this instance, one of the payloads it fetched was Metasploit, which was used to solidify the group's foothold in the target environment.
To escalate privileges across the domain, the group exploited Zerologon, a three-year-old vulnerability in Windows' Netlogon Remote Protocol that lets an attacker on the network reset a domain controller's machine account password. In addition, they exploited CVE-2023-27532, a high-severity bug in Veeam Backup & Replication, to extract the credentials stored in its configuration database. BURNTCIGAR, Cuba's second proprietary malware, was used for Bring Your Own Vulnerable Driver (BYOVD) attacks: it loads a legitimately signed but vulnerable driver and sends it I/O control codes (IOCTLs), so that the driver terminates processes en masse from kernel mode, which is how the group disables security and EDR agents that user-mode malware could not otherwise touch.
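Each of the stages described in the two paragraphs above (an admin RDP logon with no brute-force noise, Zerologon exploitation, and a BYOVD driver drop) leaves a footprint in standard Windows event logs. The following is an added example, not code from the original article or from BlackBerry, that runs simple detection logic over constructed sample events. The hostnames, accounts, IP addresses, driver and service names, the flat record layout, and the `admin` flag (which stands in for the elevated-token and group information a real 4624 record carries) are all assumptions made for the example.

```python
"""Detection logic for three stages of the Cuba intrusion, over constructed
Windows event records (not real telemetry, not an EVTX parser).

Event IDs used are standard Windows Security / System log IDs:
  4624  successful logon; LogonType 10 = RemoteInteractive, i.e. RDP
  4625  failed logon
  5829  Netlogon allowed a vulnerable secure-channel connection (the
        monitoring event added by the August 2020 Zerologon patch)
  7045  a service was installed; kernel drivers are registered this way
"""
from datetime import datetime, timedelta

# Constructed sample events. Accounts, IPs, hosts and driver names are
# placeholders chosen for the example.
EVENTS = [
    {"time": "2023-05-02T01:10:00", "id": 4625, "user": "svc_backup", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2023-05-02T01:10:05", "id": 4624, "user": "svc_backup", "src": "203.0.113.7", "logon_type": 10, "admin": False},
    {"time": "2023-05-03T03:41:00", "id": 4624, "user": "it-admin", "src": "198.51.100.23", "logon_type": 10, "admin": True},
    {"time": "2023-05-09T11:00:00", "id": 4625, "user": "ops-admin", "src": "192.0.2.44", "logon_type": 10},
    {"time": "2023-05-09T11:00:05", "id": 4624, "user": "ops-admin", "src": "192.0.2.44", "logon_type": 10, "admin": True},
    {"time": "2023-05-20T22:15:00", "id": 5829, "computer": "DC01", "sam_account": "WS07$"},
    {"time": "2023-06-14T04:02:00", "id": 7045, "service": "vulndrv", "image": "C:\\Users\\Public\\vulndrv.sys", "service_type": "kernel mode driver"},
    {"time": "2023-06-14T04:03:00", "id": 7045, "service": "nicdrv", "image": "C:\\Windows\\System32\\drivers\\nicdrv.sys", "service_type": "kernel mode driver"},
    {"time": "2023-06-14T04:05:00", "id": 7045, "service": "Updater", "image": "C:\\ProgramData\\upd.exe", "service_type": "user mode service"},
]

# Directories where legitimately installed kernel drivers normally live.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_admin_logons_without_failures(events, window_seconds=24 * 3600):
    """Admin RDP logons (4624, LogonType 10) with no failed logons (4625) for
    the same account from the same source within the preceding window.
    That pattern is a valid-credential entry rather than brute force, which
    is how this intrusion started."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=_ts)
    hits = []
    for i, e in enumerate(ordered):
        if e["id"] != 4624 or e.get("logon_type") != 10 or not e.get("admin"):
            continue
        t = _ts(e)
        prior_failures = [
            p for p in ordered[:i]
            if p["id"] == 4625
            and p.get("user") == e["user"]
            and p.get("src") == e["src"]
            and t - _ts(p) <= window
        ]
        if not prior_failures:
            hits.append(e)
    return hits


def vulnerable_netlogon_connections(events):
    """Event 5829 means a domain controller accepted a Netlogon secure channel
    that the Zerologon enforcement mode would have rejected: either the DC is
    not in enforcement mode, or a machine account is exempted. Each one names
    the machine account, which is what an attacker forges in Zerologon."""
    return [e for e in events if e["id"] == 5829]


def kernel_drivers_outside_trusted_dirs(events):
    """Kernel-mode driver services (7045) whose image lives outside the usual
    driver directories, the typical shape of a BYOVD driver dropped into a
    user-writable path before being loaded."""
    return [
        e for e in events
        if e["id"] == 7045
        and e.get("service_type") == "kernel mode driver"
        and not e["image"].lower().startswith(TRUSTED_DRIVER_DIRS)
    ]


def triage(events):
    """Run all three detections and return the findings keyed by stage."""
    return {
        "rdp_valid_credential_admin_logons": rdp_admin_logons_without_failures(events),
        "zerologon_vulnerable_connections": vulnerable_netlogon_connections(events),
        "unexpected_kernel_driver_installs": kernel_drivers_outside_trusted_dirs(events),
    }


if __name__ == "__main__":
    for stage, findings in triage(EVENTS).items():
        print(f"{stage}: {len(findings)}")
        for f in findings:
            print("   ", f["time"], f)
```

On the sample data the `it-admin` logon is the only flagged RDP event (the `ops-admin` logon is preceded by a failure from the same source, so it looks like a typo rather than a pre-obtained credential), the single 5829 is reported as a Zerologon exposure on `DC01`, and only the driver registered from `C:\Users\Public` is flagged. The lookback window is a parameter because a broker-supplied credential can be used days after any probing; widen it if your RDP exposure warrants it.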
The group also took measures to avoid detection, moving slowly and deliberately over a period of two months within the network. Since its discovery in 2019, Cuba has been one of the most profitable ransomware outfits in the world. According to data from CISA, as of August 2022, the group had compromised 101 entities, 65 in the US and 36 in other countries, demanding a total of $145 million in ransom payments and receiving around $60 million. Despite using Cuban Revolution references and iconography in its code and leak site, evidence suggests the group is of Russian origin.
To defend against the Cuba ransomware group, organizations are advised to focus on detection, on timely (and where possible automated) patching, and on investment in threat intelligence. Both vulnerabilities used here had fixes available, Zerologon since August 2020 and the Veeam flaw since March 2023, so the exploitation phase was preventable. If an intrusion is detected anyway, the two-month dwell time seen in this case is the window in which containment (isolating the affected hosts, resetting the compromised credentials, and blocking the C2 infrastructure) can still prevent the ransomware stage and its losses.