The Cuba ransomware group has been detected engaging in attacks against critical infrastructure organizations located in the United States, as well as IT firms across Latin America. They employ a combination of both old and new tools to carry out their operations.

In early June 2023, BlackBerry’s Threat Research and Intelligence team identified the latest campaign by Cuba. They found that the group now exploits CVE-2023-27532 to steal credentials from configuration files. This vulnerability specifically affects Veeam Backup & Replication (VBR) products and has had an exploit available since March 2023.

Previously, FIN7, a group known for its associations with various ransomware operations, was reported by WithSecure to be actively exploiting CVE-2023-27532.

According to BlackBerry’s findings, Cuba gains its initial access through compromised admin credentials via RDP, without the need for brute forcing.

Once inside the target environment, Cuba’s custom downloader, known as ‘BugHatch,’ establishes communication with the C2 (Command and Control) server to download DLL files or execute commands.

To establish a foothold, Cuba employs a Metasploit DNS stager that decrypts and runs shellcode directly in memory.

Cuba also utilizes the BYOVD (Bring Your Own Vulnerable Driver) technique, which has become widespread, to disable endpoint protection tools. Additionally, they employ the “BurntCigar” tool to terminate kernel processes associated with security products.

Besides the relatively recent Veeam flaw, Cuba exploits CVE-2020-1472, known as “Zerologon,” a vulnerability in Microsoft’s Netlogon protocol that lets them escalate privileges against AD domain controllers.

Zerologon exploit helper.
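A defender-side check for the Zerologon abuse described above, added here as an illustration and not part of the BlackBerry report: successful CVE-2020-1472 exploitation leaves a domain controller machine-account password reset (Security Event ID 4742) whose subject is ANONYMOUS LOGON. The event lines, the `DOMAIN_CONTROLLERS` inventory and the simplified `key=value;` log format are all constructed for this example.

```python
"""Flag Windows Security events matching the Zerologon (CVE-2020-1472)
post-exploitation pattern: a computer-account password change (Event ID 4742)
whose subject is ANONYMOUS LOGON, prioritised when the target is a DC."""
import re
from dataclasses import dataclass

# Constructed sample events in a simplified 'key=value; key=value' form.
# They mirror the 4742 schema but are not real telemetry.
SAMPLE_EVENTS = """\
EventID=4742; SubjectUserName=ANONYMOUS LOGON; SubjectDomainName=NT AUTHORITY; TargetUserName=DC01$; TargetDomainName=CORP; PasswordLastSet=2023-06-01T10:15:02Z
EventID=4742; SubjectUserName=DC01$; SubjectDomainName=CORP; TargetUserName=DC01$; TargetDomainName=CORP; PasswordLastSet=2023-06-01T03:00:00Z
EventID=4742; SubjectUserName=ANONYMOUS LOGON; SubjectDomainName=NT AUTHORITY; TargetUserName=WKS-042$; TargetDomainName=CORP; PasswordLastSet=2023-06-01T10:16:40Z
EventID=4624; SubjectUserName=admin; SubjectDomainName=CORP; TargetUserName=DC01$; TargetDomainName=CORP; LogonType=10
"""

# Assumed inventory of domain-controller machine accounts (hypothetical names).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

@dataclass(frozen=True)
class Alert:
    target: str            # machine account whose password was reset
    password_last_set: str # timestamp from the event's changed attributes
    severity: str          # "critical" for a DC, "high" for any other machine

def parse_event(line: str) -> dict:
    """Parse one 'key=value; key=value' line into a dict of fields."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", line)}

def detect_zerologon(events_text: str, dcs=DOMAIN_CONTROLLERS) -> list:
    """Return an Alert for every 4742 event performed by ANONYMOUS LOGON
    against a machine account; DC targets are the Zerologon signature."""
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4742":
            continue
        subject = ev.get("SubjectUserName", "").upper()
        target = ev.get("TargetUserName", "")
        # Normal resets are made by the machine itself; an anonymous subject is not.
        if subject != "ANONYMOUS LOGON" or not target.endswith("$"):
            continue
        severity = "critical" if target in dcs else "high"
        alerts.append(Alert(target, ev.get("PasswordLastSet", "?"), severity))
    return alerts

if __name__ == "__main__":
    for a in detect_zerologon(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.target} password reset by ANONYMOUS LOGON at {a.password_last_set}")
```

After such an alert, verify the DC's machine-account password in AD against the DC's local secret and reset it with the documented Microsoft procedure rather than leaving the mismatched state in place.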

BlackBerry highlights the clear financial motivation of the Cuba ransomware group and suggests that the threat group is likely of Russian origin – a hypothesis that has been put forward by other cyber-intelligence reports in the past. This assumption is based on the exclusion of computers using a Russian keyboard layout from infections, the presence of Russian 404 pages on parts of its infrastructure, linguistic clues, and the group’s focus on Western targets.
