Cuba ransomware uses Veeam exploit against critical U.S. organizations

The Cuba ransomware gang was found targeting critical infrastructure organizations in the United States and IT firms in Latin America, using a combination of old and new tools.

The latest campaign was spotted in early June 2023 by BlackBerry’s Threat Research and Intelligence team, who reports that Cuba now leverages an exploit for the Veeam vulnerability CVE-2023-27532 to steal credentials from configuration files.

The particular flaw impacts Veeam Backup & Replication (VBR) products, and an exploit for it has been available since March 2023.

BlackBerry reports that Cuba’s initial access vector appears to be compromised admin credentials via RDP, not involving brute forcing.

Next, Cuba’s signature custom downloader ‘BugHatch’ establishes communication with the C2 server and downloads DLL files or executes commands.

An initial foothold on the target environment is achieved through a Metasploit DNS stager that decrypts and runs shellcode directly in memory.

Cuba utilizes the now-widespread BYOVD (Bring Your Own Vulnerable Driver) technique to turn off endpoint protection tools. Also, it uses the ‘BurntCigar’ tool to terminate kernel processes associated with security products.

Besides the Veeam flaw, Cuba also exploits CVE-2020-1472 (“Zerologon”), a vulnerability in Microsoft’s NetLogon protocol, which gives them privilege escalation against AD domain controllers

According to BlackBerry, the threat group is likely Russian which has been hypothesized by other cyber-intelligence reports in the past.

This assumption is based on the exclusion of computers that use a Russian keyboard layout from infections, Russian 404 pages on parts of its infrastructure, linguistic clues, and the group’s Western-focused targeting.

Cuba ransomware remains an active threat approximately four years into its existence, which is not common in ransomware.

Image Credits : Latam

The post Cuba ransomware uses Veeam exploit against critical U.S. organizations first appeared on Cybersafe News.

CyberNews RansomWare