The Cuba ransomware group [2] [3] [4] [5] [6] [7] [8], a Russian-speaking gang active since 2019 [2], has recently added a Veeam exploit to its attack tooling [1]. The exploit [5] [6] targets CVE-2023-27532 [5] [8], a flaw that can give the attackers access to credentials stored in the configuration file on victim devices [3]. BlackBerry discovered this while investigating Cuba's attacks on a critical national infrastructure provider in the US and an IT integrator in South America [1].

Description

In addition to the Veeam exploit, the Cuba ransomware gang has been leveraging a flaw in Microsoft's NetLogon protocol (CVE-2020-1472) and using a mix of custom and off-the-shelf tools. Initial access in these attacks often involves an administrator-level login via Remote Desktop Protocol [1]. The gang has been identified in attacks against critical infrastructure organizations in the United States and IT companies in Latin America [4]. It exploits CVE-2023-27532 to steal credentials from Veeam Backup & Replication (VBR) products [4]. After gaining initial access through compromised admin credentials, the gang uses a custom downloader called 'BugHatch' to establish communication with its C2 server [4]. It disables endpoint protection tools using the BYOVD (Bring Your Own Vulnerable Driver) technique and terminates kernel processes with the 'BurntCigar' tool [4]. It also exploits CVE-2020-1472 for privilege escalation [4]. This is the first time the Cuba group has been observed exploiting the Veeam vulnerability. The group has compromised around 100 organizations and received millions of dollars in payments [1]. The Cuba ransomware gang is likely Russian [4], based on linguistic clues and its targeting of Western entities [4].

Conclusion

Promptly installing Veeam security updates is crucial to mitigate the risk posed by the Cuba ransomware gang. This incident highlights the importance of identifying critical services [5], addressing their vulnerabilities [5], and regularly applying patches and mitigation measures [5]. The Cuba threat group is sophisticated [5], employing 29 different MITRE ATT&CK techniques [5]. To protect themselves, organizations should implement granular monitoring and look for unusual or unauthorized access to backups [5]. The Cuba group's recent exploitation of the Veeam flaw underscores the need for proactive security measures and continuous monitoring of vulnerabilities.

References

[1] https://www.infosecurity-magazine.com/news/cuba-credentials-veeam-exploit/
[2] https://securityboulevard.com/2023/08/cuba-ransomware-group-exploiting-veeam-flaw-in-latest-campaign/
[3] https://www.cybersecuritydive.com/news/veeam-exploit-critical-infrastructure/691390/
[4] https://vulnera.com/newswire/cuba-ransomware-gang-exploits-veeam-vulnerability-in-attacks-on-u-s-critical-infrastructure/
[5] https://www.scmagazine.com/news/cuba-ransomware-group-observed-exploiting-a-high-severity-veeam-bug
[6] https://heimdalsecurity.com/blog/cuba-ransomware-exploits-veeam-flaw-targets-u-s-and-latin-american-entities/
[7] https://www.hivepro.com/cuba-ransomware-targets-u-s-with-veeam-exploit/
[8] https://cyber.vumetric.com/security-news/2023/08/20/cuba-ransomware-uses-veeam-exploit-against-critical-u-s-organizations/