Cuba Ransomware Gang Targets Critical Infrastructure in US and Latin America

Ransomware gang Cuba targets US and Latin America with Veeam exploit.


The Cuba ransomware gang is still active and has been targeting critical infrastructure organizations in the United States and IT firms in Latin America. The group uses a combination of old and new tools, including an exploit for a recently patched vulnerability in Veeam Backup & Replication software.

The initial access vector for the attacks appears to be compromised administrator credentials used over RDP. Once the attackers have gained access to the network, they use a custom downloader called BugHatch to establish communication with the command-and-control (C2) server and download DLL files or execute commands.


The attackers then use a Metasploit DNS stager to decrypt and run shellcode directly in memory, giving them a foothold in the target environment. They also use the BYOVD (Bring Your Own Vulnerable Driver) technique to turn off endpoint protection tools, and the BurntCigar tool to terminate kernel processes associated with security products.

In addition to the Veeam vulnerability (CVE-2023-27532), Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's Netlogon protocol that allows the attackers to escalate privileges against Active Directory domain controllers. In the post-exploitation phase, Cuba has been observed using Cobalt Strike beacons and various "lolbins" (living-off-the-land binaries).


BlackBerry researchers believe that the Cuba ransomware gang is likely Russian, based on the exclusion of computers that use a Russian keyboard layout from infections, Russian 404 pages on parts of its infrastructure, linguistic clues, and the group's Western-focused targeting.

The inclusion of CVE-2023-27532 in Cuba's targeting scope makes it important for organizations to promptly install Veeam security updates. This is just one example of the many ways that ransomware groups are constantly evolving their tactics, techniques, and procedures. Organizations need to be vigilant in their security posture to protect themselves from these threats.


Here are some additional tips for protecting your organization from Cuba ransomware:

Keep your Veeam software up to date with the latest security patches.

Use strong passwords and multi-factor authentication.

Segment your network to limit the spread of ransomware.

Have a backup plan in place in case your systems are encrypted.

Monitor your network for suspicious activity.

Train your employees on how to identify and report phishing emails and other malicious activity.


