Amidst the dynamic and constantly changing realm of cyber threats, the specter of ransomware continues to loom large. Amongst the various ransomware groups, the spotlight has recently turned towards the Cuba ransomware gang, as they assert themselves as a notable adversary.

A Shifting Arsenal: The Cuba Ransomware Gang's Veeam Exploit

Recent findings by BlackBerry reveal that the Cuba ransomware gang has adapted its attack methods, now incorporating a Veeam exploit to harvest logins. Investigations into attacks targeting critical infrastructure in the US and IT firms in Latin America uncovered these new tactics. The group's blend of old and new techniques, including the exploitation of CVE-2023-27532 in Veeam Backup & Replication software, showcases their evolving threat landscape.

Veeam is a software company that specializes in providing data protection, backup, and disaster recovery solutions for businesses and organizations. The company's primary focus is on virtualized and cloud-based environments.

Unveiling the Vulnerabilities: Exploiting Veeam and Zerologon

The Cuba gang's evolving toolkit features exploits like CVE-2023-27532, affecting Veeam Backup & Replication products. This recent flaw adds to their weaponry, joining their use of the Zerologon vulnerability (CVE-2020-1472) in Microsoft's NetLogon protocol. These entry points provide a glimpse into their modus operandi, emphasizing the importance of patch management and vulnerability mitigation.

Infiltration Strategies: Admin Credentials and Custom Tools

BlackBerry's insights into the gang's approach reveal a focus on compromised admin credentials obtained through Remote Desktop Protocol (RDP). Unlike brute forcing, this method grants them direct access. The group employs their custom downloader, 'BugHatch', to establish connections and fetch payloads, while Metasploit DNS stagers and BYOVD techniques are leveraged for initial access.

The Power of Persistence: BurntCigar and Cobalt Strike

Persistence is key for ransomware groups, and Cuba demonstrates this through tools like 'BurntCigar', which terminates security processes to establish a foothold. Cobalt Strike beacons and 'lolbins' are employed post-exploitation, revealing their advanced tactics for data exfiltration and control.

Unmasking the Threat Actors: The Russia Connection

The Cuba gang's identity and motivations come into focus as BlackBerry speculates on their origins. Linguistic clues, targeting patterns, and the use of Russian keyboard layout exclusions point towards a likely Russian-speaking threat group. This highlights the global nature of cyber threats and underscores the importance of international collaboration in countering ransomware.

The Ongoing Battle: Safeguarding Against Cuba Ransomware

As the Cuba ransomware gang persists in its operations, organizations must take proactive measures to safeguard their digital assets. The inclusion of CVE-2023-27532 underscores the urgency of installing security updates promptly. With ransomware threats evolving continuously, a comprehensive defense strategy encompassing patch management, network segmentation, and email gateway solutions is paramount.

Conclusion

The Cuba ransomware gang's evolving tactics reveal the dynamic nature of cyber threats. As they blend old and new tools, exploiting vulnerabilities and custom tools alike, organizations must remain vigilant and prioritize cybersecurity measures. With the insights gained from recent investigations, the battle against ransomware continues, underscoring the need for collaborative efforts and proactive defense strategies.