Cuba ransomware expands its attack scope and upgrades tools

September 19, 2023

A recent campaign by the Cuba ransomware group has displayed new capabilities and a wider attack scope. Researchers reported that the group's most destructive operations targeted a United States critical infrastructure organisation and an Information Technology integrator in Latin America.

This notorious ransomware group has been highly active over the past few months, attacking various industries worldwide. Cybersecurity analysts have also noted that the group has connections with Russia; they reached that conclusion after observing that many of the malicious tools the group employs overlap with those used in other Russian-backed cybercriminal operations.

One of the techniques adopted by the threat actors is credential reuse. Researchers noted that, in these intrusions, the first sign of compromise was a successful administrator login via Remote Desktop Protocol (RDP).
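Because the first observable sign of compromise here is a successful admin RDP logon, a defender's most useful early check is to review Windows Security event 4624 with logon type 10 (RemoteInteractive) for privileged accounts. The following is an added detection example, not code from the original article or from any vendor; the sample events, the privileged-account list and the allowlisted admin source range are constructed assumptions.

```python
"""Flag successful RDP (RemoteInteractive) logons by privileged accounts."""
from __future__ import annotations
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed sample of Windows Security events, reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.21", "TimeCreated": "2023-09-01T02:14:07Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator",
     "IpAddress": "198.51.100.23", "TimeCreated": "2023-09-01T02:15:40Z"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "Administrator",
     "IpAddress": "127.0.0.1", "TimeCreated": "2023-09-01T09:00:01Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.0.7.9", "TimeCreated": "2023-09-01T09:02:11Z"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator",
     "IpAddress": "198.51.100.23", "TimeCreated": "2023-09-01T02:15:02Z"},
]

# Assumptions: which accounts count as privileged, and from where admin RDP is expected.
PRIVILEGED_ACCOUNTS = {"administrator", "svc-backup"}
ADMIN_RDP_SOURCES = [ip_network("10.0.5.0/24")]


def is_expected_source(ip: str) -> bool:
    """True if the source address lies inside an allowlisted admin range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # '-' or malformed fields are treated as unexpected
    return any(addr in net for net in ADMIN_RDP_SOURCES)


def flag_admin_rdp_logons(events: Iterable[dict]) -> list[dict]:
    """Return findings for successful RDP logons (4624, LogonType 10) by privileged accounts.

    Severity is 'high' when the source is outside the allowlisted ranges and 'info'
    otherwise, so an unexpected admin RDP session stands out before any payload lands.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue  # failed logons (4625) and local/network logon types are out of scope
        user = str(ev.get("TargetUserName", "")).lower()
        if user not in PRIVILEGED_ACCOUNTS:
            continue
        src = str(ev.get("IpAddress", "-"))
        findings.append({"time": ev.get("TimeCreated"), "user": user, "source": src,
                         "severity": "info" if is_expected_source(src) else "high"})
    return findings


if __name__ == "__main__":
    for f in flag_admin_rdp_logons(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity'].upper():4} RDP logon {f['user']} from {f['source']}")
```

On a real host the events would come from the Security log (for example via `Get-WinEvent` exported to JSON) rather than the constructed list above.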


The Cuba ransomware group now contains a wide range of malicious arsenal for targeting victims.


The Cuba ransomware group's toolkit includes both custom and pre-existing components. These tools serve different malicious purposes: BUGHATCH is a custom downloader, BURNTCIGAR is a tool for disabling anti-malware software, and the Metasploit and Cobalt Strike frameworks provide post-exploitation capabilities.

In addition, the toolkit includes multiple Living-off-the-Land Binaries (LOLBins), which the ransomware operators use to distribute malware, run file operations, or steal passwords.

Furthermore, the Cuba ransomware operators have also shown skill in exploiting vulnerabilities. In some instances, the group used the Microsoft NetLogon protocol flaw, which gave them privilege escalation against Active Directory domain controllers by establishing a compromised connection over MS-NRPC to acquire administrator access.

The group has also recently exploited the CVE-2023-27532 flaw in Veeam Backup & Replication software. The flaw can grant attackers access to credentials stored in a configuration file on a targeted device.

The Cuba ransomware group remains an ongoing threat in the cybercriminal landscape. Its continued adaptation and use of a wide range of tools and vulnerabilities has made it one of the most prominent threats among cyber criminals. Therefore, Veeam software users should apply the available updates to reduce the chance of compromise by these threat actors. Experts remind everyone to install updates whenever possible, since these patch the bugs that are susceptible to exploitation.
