The Cuba ransomware group, a Russian-speaking gang active since 2019, has recently updated its attack tooling to include a Veeam exploit. This exploit, tracked as CVE-2023-27532, allows the group to potentially access credentials stored in the configuration file on victim devices. BlackBerry discovered this during its investigations into Cuba's attacks on a critical national infrastructure provider in the US and an IT integrator in South America.
In addition to the Veeam exploit, the Cuba ransomware gang has also been leveraging a flaw in Microsoft's NetLogon protocol (CVE-2020-1472) and using various custom and off-the-shelf tools. Initial access in these attacks often involves an administrator-level login via Remote Desktop Protocol using compromised admin credentials. The gang has been identified in attacks against critical infrastructure organizations in the United States and IT companies in Latin America. Once inside, they exploit CVE-2023-27532 to steal credentials from Veeam Backup & Replication (VBR) products, and they use a custom downloader called 'BugHatch' to establish communication with the C2 server. They disable endpoint protection tools using the BYOVD (bring your own vulnerable driver) technique and terminate kernel processes with the 'BurntCigar' tool, and they exploit CVE-2020-1472 for privilege escalation. This is the first time the Cuba group has been observed exploiting the Veeam vulnerability. The group has compromised around 100 organizations and received millions of dollars in payments. The Cuba ransomware gang is likely Russian, based on linguistic clues and its targeting of Western entities.
Promptly installing Veeam security updates is crucial to mitigate the risk posed by the Cuba ransomware gang. This incident highlights the importance of identifying critical services, addressing vulnerabilities, and regularly applying patches and mitigation measures. The Cuba threat group is sophisticated, employing 29 different MITRE ATT&CK techniques. Organizations should implement granular monitoring and look for unusual or unauthorized access to backups to protect themselves. The recent exploitation of the Veeam flaw by the Cuba group underscores the need for proactive security measures and the continuous monitoring of vulnerabilities.