The Cuba ransomware group [2] [3] [4] [5] [6] [7] [8], a Russian-speaking gang active since 2019 [2], has recently updated its attack tooling to include a Veeam exploit [1]. This exploit [5] [6], known as CVE-2023-27532 [5] [8], allows them to potentially access credentials stored in the configuration file on victim devices [3]. BlackBerry discovered this during their investigations into Cuba’s attacks on a critical national infrastructure provider in the US and an IT integrator in South America [1].


In addition to the Veeam exploit, the Cuba ransomware gang has also been leveraging a flaw in Microsoft’s Netlogon protocol (CVE-2020-1472) and using various custom and off-the-shelf tools. Their initial access in these attacks often involves administrator-level login via Remote Desktop Protocol [1]. The gang has been identified in attacks against critical infrastructure organizations in the United States and IT companies in Latin America [4]. They exploit CVE-2023-27532 to steal credentials from Veeam Backup & Replication (VBR) products [4]. After gaining initial access through compromised admin credentials, the gang uses a custom downloader called ‘BugHatch’ to establish communication with the C2 server [4]. They disable endpoint protection tools using the BYOVD (bring your own vulnerable driver) technique and terminate kernel processes with the ‘BurntCigar’ tool [4]. They also exploit CVE-2020-1472 for privilege escalation [4]. This is the first time the Cuba group has exploited the Veeam vulnerability. They have compromised around 100 organizations and received millions of dollars in payments [1]. The Cuba ransomware gang is likely Russian [4], based on linguistic clues and their targeting of Western entities [4].


Promptly installing Veeam security updates is crucial to mitigate the risk posed by the Cuba ransomware gang. This incident highlights the importance of identifying critical services [5], addressing vulnerabilities [5], and regularly applying patches and mitigation measures [5]. The Cuba threat group is sophisticated [5], employing 29 different MITRE ATT&CK techniques [5]. Organizations should implement granular monitoring and look for unusual or unauthorized access to backups to protect themselves [5]. The recent exploitation of the Veeam flaw by the Cuba group underscores the need for proactive security measures and the continuous monitoring of vulnerabilities.
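As an added illustration of the "granular monitoring" recommended above (example code written for this summary, not from BlackBerry or Veeam), the script below flags the two access patterns the reports describe: administrator-level RDP logons from outside a management network, and connections to the Veeam Backup Service port (TCP 9401 by default, the service targeted by CVE-2023-27532) from hosts that are not part of the backup infrastructure. The network ranges, account names, and event records are constructed for the example, and the event field names are the script's own, not a vendor log schema.

```python
import ipaddress

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed admin jump-host range
BACKUP_PEERS = {"10.20.0.5", "10.20.0.6"}          # assumed hosts allowed to reach VBR
ADMIN_ACCOUNTS = {"administrator", "backupadmin"}  # assumed privileged accounts
VBR_SERVICE_PORT = 9401                            # Veeam Backup Service default TCP port
RDP_LOGON_TYPE = 10                                # Windows RemoteInteractive (RDP) logon

# Constructed sample events; the keys are this example's own, not a vendor schema.
SAMPLE_EVENTS = [
    {"kind": "logon", "account": "administrator", "src": "10.10.0.15", "logon_type": 10},
    {"kind": "logon", "account": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"kind": "logon", "account": "jdoe", "src": "203.0.113.7", "logon_type": 10},
    {"kind": "conn", "src": "10.20.0.5", "dst_port": 9401},
    {"kind": "conn", "src": "10.30.0.44", "dst_port": 9401},
    {"kind": "conn", "src": "10.30.0.44", "dst_port": 443},
]


def rdp_admin_from_outside(ev):
    """Privileged account logging on over RDP from an address outside MGMT_NET."""
    return (ev["kind"] == "logon"
            and ev["logon_type"] == RDP_LOGON_TYPE
            and ev["account"].lower() in ADMIN_ACCOUNTS
            and ipaddress.ip_address(ev["src"]) not in MGMT_NET)


def unexpected_vbr_client(ev):
    """Connection to the VBR service port from a host that is not a known backup peer."""
    return (ev["kind"] == "conn"
            and ev["dst_port"] == VBR_SERVICE_PORT
            and ev["src"] not in BACKUP_PEERS)


def find_alerts(events):
    """Return (rule name, source address) pairs for every event matching a rule."""
    alerts = []
    for ev in events:
        if rdp_admin_from_outside(ev):
            alerts.append(("admin-rdp-from-outside-mgmt", ev["src"]))
        if unexpected_vbr_client(ev):
            alerts.append(("unexpected-client-on-vbr-service-port", ev["src"]))
    return alerts


if __name__ == "__main__":
    for rule, src in find_alerts(SAMPLE_EVENTS):
        print(f"{rule}: {src}")
```

Both rules are allowlist-based, so the point is to tune MGMT_NET and BACKUP_PEERS to the real environment rather than to the sample values.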