The Cuba ransomware group has escalated its targeting efforts, setting its sights on critical infrastructure organizations in the United States and IT firms in Latin America. Employing a combination of established and innovative techniques, the group’s activities were brought to light by BlackBerry’s Threat Research and Intelligence team in early June 2023.
One of their newly identified methods involves exploiting CVE-2023-27532 to extract credentials from configuration files, specifically impacting Veeam Backup & Replication (VBR) products. Notably, this vulnerability was already exploitable since March 2023, emphasizing the group’s adeptness at leveraging both old and new tools.
Rather than relying on brute force methods, Cuba’s initial access involves compromised administrative credentials via Remote Desktop Protocol (RDP), showcasing a level of sophistication in its attack strategy. The ransomware group’s custom downloader named ‘BugHatch’ plays a pivotal role by establishing communication with the command-and-control server and executing commands or downloading DLL files. To secure a foothold within the compromised environment, Cuba employs a Metasploit DNS stager, enabling them to run shellcode directly in memory.
Furthermore, the ransomware group employs techniques such as BYOVD (Bring Your Own Vulnerable Driver) to disable endpoint protection tools and the ‘BurntCigar’ tool to terminate kernel processes associated with security products. This indicates a highly calculated and comprehensive approach to disabling defense mechanisms. Cuba’s exploitation repertoire extends to CVE-2020-1472, also known as “Zerologon,” facilitating privilege escalation against Active Directory domain controllers for increased control within the compromised systems.
Cuba’s relentless activity is attributed to strong financial motivation, and while the group’s origin is presumed to be Russian, it notably avoids infecting systems using a Russian keyboard layout. This targeting strategy, coupled with linguistic hints and a Western-focused focus, further supports this assumption.
The Cuba ransomware group’s continued and evolving threats underscore the importance of staying current with security updates, particularly as they exploit publicly available proof-of-concept exploits like CVE-2023-27532, highlighting the risks of delay in applying necessary patches.
