The Cuba ransomware gang has tweaked its attack strategy to go after IT environments that haven’t patched a recently discovered vulnerability in Veeam Software’s backup solutions.
Usually the gang exploits the three-year old Windows Server Netlogon vulnerability (CVE-2020-1472) known as Zerologon, BlackBerry said in a report Thursday. However, an analysis of a series of attacks in June, including a critical infrastructure organization in the United States and an IT integrator in Latin America, shows the gang is now also targeting the Veeam CVE-2023-27532 vulnerability.
Other researchers call the strain of ransomware used by this group Colddraw or Fidel. It first appeared in 2019 and, according to BlackBerry, has built up a relatively small but carefully selected list of victims in the years since. As of August 2022, the group had compromised 101 organizations, 65 of them in the United States.
Based on the strings analysis of the code used in the most recent campaign, BlackBerry found indications that the developer behind Cuba ransomware is Russian-speaking. That theory is further strengthened, the report says, by the fact the ransomware automatically terminates its own execution on hosts that are set to the Russian language, or on those that have the Russian keyboard layout present.
IT defenders should also note that, in this particular campaign, the Cuba gang somehow got hold of an organization’s administrator credentials. The attackers logged in directly through Windows Remote Desktop Protocol (RDP). There was no evidence of previous invalid login attempts, or evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This means, BlackBerry concluded, that the attacker likely obtained the valid credentials via some other method.
Cuba’s toolkit consists of various custom and off-the-shelf parts. These include what BlackBerry calls BugHatch, a lightweight custom downloader likely developed by the Cuba ransomware members, as it has only been seen operated by them in the wild. It establishes a connection to a command-and-control server and downloads a payload of the attacker’s choosing, typically small PE files or PowerShell scripts. BugHatch can also execute files or commands.
In previous campaigns, BugHatch was typically retrieved and deployed via a PowerShell dropper or loaded into memory by a PowerShell-based script. In the most recent campaign, four separate DLLs using the Microsoft Foundation Class (MFC) Library were used to fetch and load the “agent32/64.bin” BugHatch payloads.
Another tool, dubbed Wedgecut, is a host enumeration tool that accepts an argument consisting of a list of IP addresses or hosts, then uses internet control message protocol (ICMP) packets to check whether they are online.
Another tool, dubbed BurntCigar, terminates over 200 processes, many of which are anti-malware endpoint solutions and tools.
And the gang also uses the Cobalt Strike beacon — or a clone of it — to send back data to the command and control server.
For defence against this and other ransomware gangs, infosec pros should ensure they have an up-to-date patch management program, an email gateway solution to help prevent the phishing emails which are often and initial infection vector, and they should segment networks, BlackBerry says.