Cuba Ransomware Group Exploiting Veeam Flaw in Latest Campaign – Source: securityboulevard.com

The high-profile Cuba ransomware group is abusing a security flaw in software from Veeam on recent attacks on a critical infrastructure provider in the United States and an IT integrator in Latin America.

The Russian-speaking gang is exploiting the vulnerability in Veeam’s Backup and Replication software to steal credentials and gain initial access into targeted systems, according to researchers with BlackBerry’s Research and Intelligence unit.

The operators behind the notorious Cuba ransomware, which has been active since 2019 and ramped up its profile in 2021 through a string of attacks, essentially have used the same tactics and techniques over the past four years, with slight changes here and there, the researchers wrote in a report.

That has included various commodity and custom malware, legitimate penetration-testing frameworks like Cobalt Strike and Metasploit, and living-off-the-land binaries (LOLBins) that exploit executables in the operating system. The group last year also may have developed a relationship with the operators of the Industrial Spy launched by threat actors in 2022 to sell stolen data and to operate as a leak site.

There are similarities in the ransomware run by both the Cuba and Industrial Spy groups, they wrote. Cybersecurity experts also believe there is a relationship between the Cuba group and RomCom remote access trojan (RAT) operators.

Adding to the List of Tools

The Cuba ransomware group in the past also has abused known vulnerabilities to attack Microsoft Exchange servers and Rackspace’s networks. In the most recent campaign in June, the bad actors leveraged a flaw in Microsoft’s NetLogon protocol (tracked as CVE2020-1472) and Veeam’s software (CVE-2023-27532). This is the first time Cuba has exploited the Veeam vulnerability, the researchers wrote.

This doesn’t surprise Phil Neray, vice president of cyber-defense strategy at security firm CardinalOps.

“This Russia-affiliated threat group is clearly sophisticated, employing 29 different MITRE ATT&CK techniques as they navigate the kill chain from initial access to defense evasion and lateral movement,” Neray said. “We are increasingly seeing encrypted backups as high-value targets, whether it’s a Veeam backup service or other backup services such as AWS S3 buckets.”

The Russian cybercriminal advanced persistent threat (APT) gang FIN7 in March exploited the same vulnerability. The Cuba group – which runs a double-extortion operator that includes stealing data as well as encrypting it with threats of leaking the information if a ransom isn’t paid – used it to gain entry into systems by reusing stolen credentials.

“The first evidence of a compromise in the targeted organization was a successful Administrator-level login via Remote Desktop Protocol (RDP),” they wrote. “This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This means that the attacker likely obtained the valid credentials via some other nefarious means preceding the attack.”

That has included buying access through initial access brokers (IABs) as well as through exploiting flaws.

After gaining initial access through RDP, the group deployed its BugHatch custom downloader, which connects to a command-and-control (C2) server, and then the Metasploit DNS stager to gain a foothold in the environment and decrypt the shellcode and run it in memory.

The operators used other known tools and tactics, including the WEdgecut host enumerator, evasive techniques that included bring-your-own-vulnerability driver (BYOVD) – implanting a legitimate vulnerable driver and then exploiting that vulnerability – and BurntCigar malware to kill processes at the kernel level.

This version included several deviations from others used by the Cuba group in the past, including the use of a list of processes to terminate.

“The final total kill list was seen to contain over 200+ targeted processes in total – many of which are anti-malware endpoint solutions and tools,” the researchers wrote.

Changes are the Norm for Cuba

The changes in tactics and techniques are part of the Cuba group’s practices that include using available components to upgrade the toolset, such as new software vulnerabilities. The researchers also noted the under-the-hood modifications made to the BurntCigar codebase that included a hashing functionality.

“Any updates are likely designed to optimize its execution during campaigns, and we expect to see persistent activity from this group in the near future,” they wrote.

The Cuba operators aren’t showing signs of slowing down. The BlackBerry researchers noted several campaigns this year that included attacks on Exchange servers in January and the Philadelphia Inquirer in May.

Also in January, the Cybersecurity and Infrastructure Agency (CISA) issued an advisory about the Cuba group, the latest of several CISA and other agencies, including the FBI, have released over the past few years.

In the latest advisory, CISA officials noted that the financially motivated ransomware gang in the past has targeted the financial services, government entities, health care and public health, manufacturing, and IT industries, all of which fall under the government’s “critical infrastructure” sector.

In addition, as of August 2022, the Cuba threat actors have compromised 101 organizations around the world – including 65 in the United States – and demanded $145 million in ransom, receiving $60 million in payments.