October 3, 2023

Researchers have spotted the Cuba ransomware gang attacking the critical infrastructure organizations in the US and Latin America, utilizing a mix of both new and old tools.

The BlackBerry’s Threat Research and Intelligence team detected the latest campaign in early June 2023. The Cuba ransomware gang is now exploiting CVE-2023-27532 to steal credentials from configuration files. This specific vulnerability affects Veeam Backup & Replication (VBR) products, and an exploit has been available since March 2023. Prior to this, FIN7, a group with multiple known connections to various ransomware operations, was actively exploiting CVE-2023-27532.

As per the researchers, the Cuba’s initial point of entry appears to be compromised admin credentials through RDP and does not involve brute forcing. Subsequently, Cuba’s unique custom downloader, known as ‘BugHatch’, establishes communication with the C2 server and downloads DLL files or executes commands.


They gain initial access to the target environment through a Metasploit DNS stager that decrypts and runs shellcode directly in memory. The Cuba ransomware gang uses the increasingly common BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protection tools. They also employ the ‘BurntCigar’ tool to terminate kernel processes associated with security products.

In addition to the relatively recent Veeam flaw, the Cuba ransomware gang also exploits CVE-2020-1472 (known as ‘Zerologon’), a vulnerability in Microsoft’s NetLogon protocol, which provides them with privilege escalation against AD domain controllers. During the post-exploitation phase, Cuba has been seen using Cobalt Strike beacons and various ‘lolbins’.

BlackBerry emphasizes the clear financial motivation of the Cuba ransomware gang and suggests that the threat group is likely Russian, a theory that has been supported by other cyber-intelligence reports in the past. This assumption is based on the group’s exclusion of computers that use a Russian keyboard layout from infections, Russian 404 pages on parts of its infrastructure, linguistic clues, and the group’s targeting of Western entities.


The Cuba ransomware remains an active threat approximately four years after its emergence, which is uncommon for ransomware. The inclusion of CVE-2023-27532 in Cuba’s targeting scope underscores the importance of promptly installing Veeam security updates and highlights the risk of postponing updates when publicly available PoC (proof-of-concept) exploits are accessible.


Initial AccessT1133, T1078.003
ExecutionT1106, T1204.002, T1059.001, T1059.003, T1569.002, T1218.011
Defense EvasionT1211, T1548.002, T1140, T1562.001, T1036.005
Privilege EscalationT1543.003, T1068
DiscoveryT1124, T1135, T1018, T1083, T1057, T1016.001
Lateral MovementT1570, T1333
Credential AccessT1212
Command-and-ControlT1219, T1090.003, T1071.004, T1071.001, T1105


WeaponsEXEs, DLLs, LOLBins, PS, Metasploit, Cobalt Strike, Exploits
Attack VectorCredential theft, RDP
Network InfrastructureTOR, IPs, Ports – 5050,443
TargetsU.S.-based critical infrastructure company; Latin America-based IT integrator

  Indicators of Compromise

  • 58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3
  • 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0
  • cf87a44c575d391df668123b05c207eef04b91e54300d1cbbec2f48f5209d4a4
  • 765d84ae85561bf5dbc1187da2b2cef91da9f222bcc6cf2c12cacd36e44bcffd
  • 1c2d7f19f8c12e055e1ba8cdf5334e6cb5510847783fbe36121a35ad70f09eb3
  • 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
  • 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
  • 075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85
  • bd93d88cb70f1e33ff83de4d084bb2b247d0b2a9cec61ae45745f2da85ca82d2

Leave a Reply

%d bloggers like this: