Cuba ransomware gang looking for unpatched Veeam installations: Report

The Cuba ransomware gang has tweaked its attack strategy to go after IT environments that haven’t patched a recently discovered vulnerability in Veeam Software’s backup solutions.

Usually the gang exploits the three-year old Windows Server Netlogon vulnerability (CVE-2020-1472) known as Zerologon, BlackBerry said in a report Thursday. However, an analysis of a series of attacks in June, including a critical infrastructure organization in the United States and an IT integrator in Latin America, shows the gang is now also targeting the Veeam CVE-2023-27532 vulnerability.

Other researchers call the strain of ransomware used by this group Colddraw or Fidel. It first appeared in 2019 and, according to BlackBerry, has built up a relatively small but carefully selected list of victims in the years since. As of August 2022, the group had compromised 101 organizations, 65 of them in the United States.

Based on the strings analysis of the code used in the most recent campaign, BlackBerry found indications that the developer behind Cuba ransomware is Russian-speaking. That theory is further strengthened, the report says, by the fact the ransomware automatically terminates its own execution on hosts that are set to the Russian language, or on those that have the Russian keyboard layout present.

IT defenders should also note that, in this particular campaign, the Cuba gang somehow got hold of an organization’s administrator credentials. The attackers logged in directly through Windows Remote Desktop Protocol (RDP). There was no evidence of previous invalid login attempts, or evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This means, BlackBerry concluded, that the attacker likely obtained the valid credentials via some other method.

Cuba’s toolkit consists of various custom and off-the-shelf parts. These include what BlackBerry calls BugHatch, a lightweight custom downloader likely developed by the Cuba ransomware members, as it has only been seen operated by them in the wild. It establishes a connection to a command-and-control server and downloads a payload of the attacker’s choosing, typically small PE files or PowerShell scripts. BugHatch can also execute files or commands.

In previous campaigns, BugHatch was typically retrieved and deployed via a PowerShell dropper or loaded into memory by a PowerShell-based script. In the most recent campaign, four separate DLLs using the Microsoft Foundation Class (MFC) Library were used to fetch and load the “agent32/64.bin” BugHatch payloads.

Another tool, dubbed Wedgecut, is a host enumeration tool that accepts an argument consisting of a list of IP addresses or hosts, then uses internet control message protocol (ICMP) packets to check whether they are online.

Another tool, dubbed BurntCigar, terminates over 200 processes, many of which are anti-malware endpoint solutions and tools.

And the gang also uses the Cobalt Strike beacon — or a clone of it — to send back data to the command and control server.

For defence against this and other ransomware gangs, infosec pros should ensure they have an up-to-date patch management program, an email gateway solution to help prevent the phishing emails which are often and initial infection vector, and they should segment networks, BlackBerry says.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs

 

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.