"Cuba Ransomware Group Steals Credentials Via Veeam Exploit"
According to security researchers at BlackBerry, a notorious Russian-speaking ransomware group has updated its attack tooling to include a Veeam exploit designed to harvest logins. The researchers said the discovery came from investigations into attacks by the Cuba group on a US critical national infrastructure provider and a South American IT integrator. Now in its fourth year of operation, the group appears to be using a slightly tweaked set of tactics, techniques, and procedures (TTPs), blending old and new tools and methods.

Among the new findings was Cuba's exploitation of CVE-2023-27532, which affects Veeam Backup & Replication software and is being used to steal credentials from configuration files on the victim's device. The researchers noted that the exploit works by accessing an exposed API on a component of the Veeam application (Veeam.Backup.Service.exe). The vulnerability exists in any version of Veeam Backup & Replication prior to version 11a (build 11.0.1.1261 P20230227) and version 12 (build 12.0.0.1420 P20230223).

Elsewhere, the researchers noted, Cuba exploited a legacy flaw in Microsoft Netlogon (CVE-2020-1472) and used custom and off-the-shelf tools, including the custom downloader BugHatch, a Metasploit DNS stager, the host enumeration tool Wedgecut, the BurntCigar malware, and numerous evasive techniques including Bring Your Own Vulnerable Driver (BYOVD).

Initial access in the studied compromises came from an administrator-level login via Remote Desktop Protocol (RDP). The researchers consider it likely that the Cuba group either bought this access from an initial access broker (IAB) or obtained it through vulnerability exploitation.
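The article gives the two fixed builds that close CVE-2023-27532, one per major version, which is what a defender needs to triage an inventory of Veeam servers. The following Python is an added example written for this page; it is not code from BlackBerry, Infosecurity or Veeam. It compares build strings numerically against the fixed builds quoted above and flags anything below them. Assumptions not taken from the article: a build is judged only against the fixed build of its own major version, majors above 12 are reported as outside the range the article covers rather than as safe, and the version strings in the sample inventory are constructed for illustration (the operator would normally read the real build from the product's About dialog or the Windows installed-programs list).

```python
"""Triage Veeam Backup & Replication builds against the CVE-2023-27532 fixed builds.

Fixed builds quoted in the article:
  11a: 11.0.1.1261 (P20230227)
  12:  12.0.0.1420 (P20230223)
Everything before those builds is reported as vulnerable.
"""
from typing import Dict, List, Tuple

# Fixed (patched) builds per major version, taken from the article.
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    11: (11, 0, 1, 1261),
    12: (12, 0, 0, 1420),
}

VULNERABLE = "vulnerable"
PATCHED = "patched"
NOT_COVERED = "not-covered"   # major version the article does not describe


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.0.1.1261' into (11, 0, 1, 1261), padding short strings with zeros.

    Numeric parsing matters: a plain string compare would rank '11.0.1.9'
    above '11.0.1.1261', which is the wrong answer.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric build string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def classify_build(version: str) -> str:
    """Classify one build string as vulnerable, patched or not covered."""
    build = parse_build(version)
    major = build[0]
    if major < 11:
        # The article states any version prior to 11a is affected.
        return VULNERABLE
    if major in FIXED_BUILDS:
        # Tuple comparison is lexicographic on the numeric components.
        return VULNERABLE if build < FIXED_BUILDS[major] else PATCHED
    # Assumption: majors the article does not mention are flagged for review,
    # not silently treated as safe.
    return NOT_COVERED


def is_vulnerable(version: str) -> bool:
    return classify_build(version) == VULNERABLE


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status, given a mapping hostname -> build string."""
    report: Dict[str, List[str]] = {VULNERABLE: [], PATCHED: [], NOT_COVERED: []}
    for host in sorted(inventory):
        report[classify_build(inventory[host])].append(host)
    return report


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = {
    "vbr-hq-01": "11.0.1.1261",   # exactly the 11a fixed build
    "vbr-hq-02": "11.0.1.9",      # numerically below the fixed build
    "vbr-dc-01": "12.0.0.1420",   # exactly the v12 fixed build
    "vbr-dc-02": "12.0.0.1000",   # v12 before the fix
    "vbr-lab-01": "10.0.1.4854",  # pre-11 build
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Hosts in the "vulnerable" bucket are the ones whose exposed Veeam.Backup.Service.exe API the article describes being used for credential theft, so they are the first to patch; anything in "not-covered" should be checked against the vendor's current advisory rather than assumed safe.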
Infosecurity reports: "Cuba Ransomware Group Steals Credentials Via Veeam Exploit"