Cybersecurity Snapshots #45 - Cuba Ransomware

The Cuba ransomware group was first discovered in 2019. According to CISA, as of August 2022 the group had compromised 101 entities, 65 in the US and 36 elsewhere, demanding a total of $145 million in ransom payments and receiving around $60 million. According to security researchers at BlackBerry, the group uses Cuban Revolution references and iconography in its code and on its leak site, but ample evidence suggests its members are, in fact, of Russian origin. Cuba is a financially motivated threat actor known for big-money ransomware attacks primarily targeting US organizations. According to the FBI, the group uses the following techniques to gain initial access: known vulnerabilities in commercial software, phishing campaigns, compromised credentials, and legitimate Remote Desktop Protocol (RDP) tools.

According to security researchers at BlackBerry, Cuba has updated its attack tooling to include a Veeam exploit designed to harvest logins. The researchers stated that their discovery came from investigations into attacks by the Cuba group on a US critical national infrastructure provider and a South American IT integrator. Now in its fourth year of operation, the group appears to be using a slightly tweaked set of Tactics, Techniques, and Procedures (TTPs), blending old and new tools and methods. Among the new discoveries made by the researchers was Cuba's exploitation of CVE-2023-27532, which affects Veeam Backup & Replication software and is being used to steal credentials from configuration files on the victim's device. The researchers noted that the exploit works by accessing an exposed API on a component of the Veeam application (Veeam.Backup.Service.exe). This vulnerability exists in any version of Veeam Backup & Replication prior to version 11a (build 11.0.1.1261 P20230227) and version 12 (build 12.0.0.1420 P20230223). Elsewhere, the researchers noted, Cuba exploited a legacy flaw in Microsoft Netlogon (CVE-2020-1472) and used custom and off-the-shelf tools such as the custom downloader BugHatch, a Metasploit DNS stager, the host enumeration tool Wedgecut, the BurntCigar malware, and numerous evasive techniques including Bring Your Own Vulnerable Driver (BYOVD). The researchers stated that initial access in these studied compromises came from an administrator-level login via RDP, and that the Cuba group likely bought this access from an Initial Access Broker (IAB) or obtained it via vulnerability exploitation.
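Because the write-up pins the fix to two specific builds, the most useful defensive step is to check an inventory of Veeam Backup & Replication servers against those builds. The script below is an added example, not BlackBerry's or Veeam's code: the patched build numbers come from the text above, the CSV inventory format and host names are constructed for the example, and it assumes that the reported build string alone determines exposure (it does not inspect the server or the exposed API).

```python
"""Triage Veeam Backup & Replication builds against the CVE-2023-27532 fix.

Added illustration, not code from BlackBerry or Veeam. The patched builds are
the ones quoted in the write-up; everything else (inventory format, hosts) is
constructed for this example.
"""

# First fixed build per major version, as stated in the text:
#   11a -> 11.0.1.1261 (P20230227), 12 -> 12.0.0.1420 (P20230223)
PATCHED_BUILDS = {
    11: (11, 0, 1, 1261),
    12: (12, 0, 0, 1420),
}


def parse_build(build: str) -> tuple:
    """Turn '12.0.0.1420' into (12, 0, 0, 1420); short strings are zero-padded."""
    parts = build.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(build: str) -> bool:
    """True when the build predates the fixed build for its major version.

    Assumption (not in the text): a major newer than 12 ships with the fix.
    """
    version = parse_build(build)
    major = version[0]
    if major < min(PATCHED_BUILDS):
        return True            # anything before 11a is in scope per the advisory
    fixed = PATCHED_BUILDS.get(major)
    if fixed is None:
        return False           # newer major than listed: assumed post-fix
    return version < fixed     # tuple comparison is lexicographic, field by field


# Constructed inventory export: one host per line, header first.
SAMPLE_INVENTORY = """\
host,veeam_build
vbr-01.example.test,11.0.1.1261
vbr-02.example.test,11.0.0.837
vbr-03.example.test,12.0.0.1420
vbr-04.example.test,12.0.0.1419
vbr-05.example.test,10.0.1.4854
vbr-06.example.test,n/a
"""


def triage(inventory_csv: str) -> dict:
    """Map each host to 'PATCH', 'ok' or 'unknown' (unparseable build)."""
    verdicts = {}
    for line in inventory_csv.strip().splitlines()[1:]:   # skip the header
        host, _, build = line.partition(",")
        try:
            verdicts[host] = "PATCH" if is_vulnerable(build) else "ok"
        except ValueError:
            verdicts[host] = "unknown"   # surface, don't silently skip
    return verdicts


def hosts_to_patch(inventory_csv: str) -> list:
    """Sorted list of hosts whose build is below the fixed build."""
    return sorted(h for h, v in triage(inventory_csv).items() if v == "PATCH")


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<24}{verdict}")
```

Hosts marked `unknown` deserve a manual look rather than being dropped, since an inventory gap on a backup server is itself a finding; the comparison deliberately treats the fixed build as the first safe one and everything below it, on either branch, as needing the patch.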

The researchers at BlackBerry stated that Cuba is deployed selectively using a big-game hunting strategy, targeting a few high-profile organizations in the financial services, government, healthcare, critical infrastructure, and IT sectors. The researchers noted that Cuba operators reliably deliver a decryption package to decrypt victims' files when a ransom is paid, but that they also employ a double-extortion tactic and are known to publish the stolen data and documents of victims that refuse to pay.

To defend against Cuba ransomware, the security researchers at BlackBerry recommend that organizations emphasize detection technologies, prompt (and perhaps automated) patching, and investment in advanced threat intelligence. If all else fails, the researchers noted that quick and decisive action must be taken because "if there is a delay because of the weekend or a lack of resources, then it may lead to huge losses."

Submitted by Anonymous on