
Researchers have spotted the Cuba ransomware gang attacking critical infrastructure organizations in the US and Latin America, using a mix of new and old tools.
BlackBerry's Threat Research and Intelligence team detected the latest campaign in early June 2023. The Cuba ransomware gang is now exploiting CVE-2023-27532 to steal credentials from configuration files. The vulnerability affects Veeam Backup & Replication (VBR); it is reachable over the Veeam Backup Service on TCP port 9401, and a public exploit has been available since March 2023. Before Cuba, FIN7, a group with multiple known connections to ransomware operations, was actively exploiting CVE-2023-27532.
According to the researchers, Cuba's initial point of entry appears to be compromised administrator credentials used over RDP, with no brute forcing involved. Once inside, Cuba's custom downloader, known as 'BugHatch', establishes communication with the C2 server and downloads DLL files or executes commands.
A foothold on the compromised host is established through a Metasploit DNS stager that decrypts and runs shellcode directly in memory. To disable endpoint protection, the gang uses the increasingly common BYOVD (Bring Your Own Vulnerable Driver) technique: a legitimately signed but vulnerable driver is loaded, and the 'BurntCigar' tool then uses it to terminate processes associated with security products from kernel mode, something an unprivileged user-mode tool could not do.
In addition to the relatively recent Veeam flaw, the Cuba ransomware gang also exploits CVE-2020-1472 (known as 'Zerologon'), a vulnerability in Microsoft's Netlogon protocol that gives them privilege escalation against Active Directory domain controllers. During the post-exploitation phase, Cuba has been seen using Cobalt Strike beacons and various LOLBins (living-off-the-land binaries).
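Zerologon abuse leaves a recognizable trace on the domain controller, which is the check a defender would want alongside patching. The exploit ends with an unauthenticated NetrServerPasswordSet2 call that resets the DC's own machine-account password; on the DC this appears as Security event 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON (SID S-1-0-0) and whose Password Last Set attribute was updated. The following detection logic is an added example written for this page, not code from the BlackBerry report; the records it scans are constructed samples in a simplified JSON shape (field names mirror the 4742 event fields), not a real event export.

```python
"""Flag 4742 events consistent with a Zerologon (CVE-2020-1472) password reset.

Added example, not code from the BlackBerry report. The sample records are
constructed, not real telemetry.
"""
import json

ANONYMOUS_SID = "S-1-0-0"   # SID Windows records for ANONYMOUS LOGON

# Constructed sample records. Only the second one has the combination a
# Zerologon exploit leaves behind: an anonymous caller resetting a DC's
# machine-account password.
SAMPLE_EVENTS_JSONL = """
{"EventID": 4742, "SubjectUserName": "DC01$", "SubjectUserSid": "S-1-5-21-111-222-333-1000", "TargetUserName": "DC01$", "PasswordLastSet": "6/1/2023 2:00:05 AM"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-0-0", "TargetUserName": "DC01$", "PasswordLastSet": "6/1/2023 10:14:22 AM"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-0-0", "TargetUserName": "WS07$", "PasswordLastSet": "-"}
{"EventID": 4738, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-0-0", "TargetUserName": "svc-backup", "PasswordLastSet": "6/1/2023 10:15:01 AM"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_zerologon_reset(event: dict) -> bool:
    """True when an unauthenticated caller reset a computer account's password.

    4742 is the computer-account change event; 4738 (user account changed)
    is deliberately ignored here because Zerologon targets machine accounts.
    """
    if event.get("EventID") != 4742:
        return False
    if event.get("SubjectUserSid") != ANONYMOUS_SID:
        return False
    target = event.get("TargetUserName", "")
    if not target.endswith("$"):            # computer accounts end in '$'
        return False
    # In 4742 the "Password Last Set" field reads "-" when the password was
    # not touched; a real value means the account password was reset.
    return event.get("PasswordLastSet", "-") != "-"


def find_zerologon_resets(events: list[dict]) -> list[dict]:
    """Return the subset of events that look like a Zerologon password reset."""
    return [e for e in events if is_zerologon_reset(e)]


if __name__ == "__main__":
    for hit in find_zerologon_resets(parse_events(SAMPLE_EVENTS_JSONL)):
        print(f"possible Zerologon reset of {hit['TargetUserName']} "
              f"at {hit['PasswordLastSet']} by {hit['SubjectUserName']}")
```

The third sample (an anonymous 4742 that did not change the password) is not flagged by this rule, but any computer-account change attributed to ANONYMOUS LOGON is worth a look. On patched domain controllers, Microsoft's Netlogon events 5827 through 5831 (in particular 5829, which records a vulnerable Netlogon secure channel that was still allowed) are the complementary signal for spotting clients that would be exposed if enforcement mode were relaxed.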
BlackBerry emphasizes the clear financial motivation of the Cuba ransomware gang and assesses that the threat group is likely Russian, a theory supported by other cyber-intelligence reports in the past. The assessment rests on the group's exclusion from infection of computers that use a Russian keyboard layout, Russian-language 404 pages on parts of its infrastructure, linguistic clues, and the group's targeting of Western entities.
Cuba ransomware remains an active threat approximately four years after its emergence, an unusually long lifespan for a ransomware operation. The addition of CVE-2023-27532 to Cuba's toolkit underscores the importance of promptly installing Veeam security updates and highlights the risk of postponing updates once a public PoC (proof-of-concept) exploit is available.
MITRE ATT&CK

| Tactic | Technique |
| --- | --- |
| Initial Access | T1133, T1078.003 |
| Execution | T1106, T1204.002, T1059.001, T1059.003, T1569.002, T1218.011 |
| Defense Evasion | T1211, T1548.002, T1140, T1562.001, T1036.005 |
| Privilege Escalation | T1543.003, T1068 |
| Discovery | T1124, T1135, T1018, T1083, T1057, T1016.001 |
| Lateral Movement | T1570, T1333 |
| Credential Access | T1212 |
| Command-and-Control | T1219, T1090.003, T1071.004, T1071.001, T1105 |
Weaponization

| Attribute | Details |
| --- | --- |
| Weapons | EXEs, DLLs, LOLBins, PowerShell, Metasploit, Cobalt Strike, Exploits |
| Attack Vector | Credential theft, RDP |
| Network Infrastructure | TOR, IPs, Ports 5050 and 443 |
| Targets | U.S.-based critical infrastructure company; Latin America-based IT integrator |
Indicators of Compromise (SHA-256 file hashes)
- 58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3
- 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0
- cf87a44c575d391df668123b05c207eef04b91e54300d1cbbec2f48f5209d4a4
- 765d84ae85561bf5dbc1187da2b2cef91da9f222bcc6cf2c12cacd36e44bcffd
- 1c2d7f19f8c12e055e1ba8cdf5334e6cb5510847783fbe36121a35ad70f09eb3
- 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
- 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
- 075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85
- bd93d88cb70f1e33ff83de4d084bb2b247d0b2a9cec61ae45745f2da85ca82d2
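The practical use of a hash list like the one above is a sweep of file servers, backup hosts and endpoints for matching binaries. The script below is an added example written for this page, not tooling from the BlackBerry report; the hash set is the list published above, while the directory tree and files used in demo() are constructed here so the script runs offline. No Cuba sample is shipped, so the demo shows a hit by adding the hash of a constructed file to the IoC set for the second pass.

```python
"""Sweep a directory tree for files whose SHA-256 matches the Cuba IoCs.

Added example, not tooling from the BlackBerry report. The directory and
files built in demo() are constructed so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# The nine SHA-256 hashes published in the report's IoC list.
CUBA_SHA256 = frozenset({
    "58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3",
    "3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0",
    "cf87a44c575d391df668123b05c207eef04b91e54300d1cbbec2f48f5209d4a4",
    "765d84ae85561bf5dbc1187da2b2cef91da9f222bcc6cf2c12cacd36e44bcffd",
    "1c2d7f19f8c12e055e1ba8cdf5334e6cb5510847783fbe36121a35ad70f09eb3",
    "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c",
    "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1",
    "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85",
    "bd93d88cb70f1e33ff83de4d084bb2b247d0b2a9cec61ae45745f2da85ca82d2",
})


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, iocs=CUBA_SHA256) -> list[tuple[str, str]]:
    """Return (path, sha256) for every regular file under root whose hash is in iocs.

    Hashes are normalized to lowercase hex so a list pasted with uppercase
    digits still matches; unreadable files are skipped rather than aborting.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = sha256_of(path)
        except OSError:
            continue
        if digest in wanted:
            hits.append((str(path), digest))
    return hits


def demo() -> tuple[list, list]:
    """Build a throwaway tree (constructed data) and sweep it twice:
    once against the published list, once against the list extended
    with the hash of a constructed file to show what a hit looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"quarterly backup schedule\n")
        planted = root / "bin" / "planted.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"MZ" + b"constructed placeholder, not a real sample")
        real_hits = sweep(root)
        extended_hits = sweep(root, CUBA_SHA256 | {sha256_of(planted).upper()})
    return real_hits, extended_hits


if __name__ == "__main__":
    real, extended = demo()
    print(f"matches against the published IoCs: {len(real)}")
    for path, digest in extended:
        print(f"MATCH {digest}  {path}")
```

Point sweep() at a real path (for example the Veeam installation directory or a share used for staging tools) and feed it the frozenset as-is; a hash match is high confidence but the absence of a match says nothing, since a recompiled loader or a different BurntCigar build will not share these digests.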