The Cuba ransomware group, which made headlines last year after the U.S. government warned that the group had compromised dozens of victims worldwide, has switched up some of its tactics in an effort to evade detection.
Researchers with BlackBerry’s research and intelligence team said this week that in June they observed the new tactics as part of a campaign that targeted organizations like a critical infrastructure entity in the U.S. and an IT integrator in Latin America.
“The Cuba threat group, believed to be of Russian origin, deployed a set of malicious tools that overlapped with previous campaigns associated with this attacker, as well as introducing new ones — including the first observed use of an exploit for the Veeam vulnerability,” according to researchers in the Wednesday analysis.
For one, Cuba has modified a known piece of malware called BurntCigar, which terminates endpoint security processes in order to enable the deployment of ransomware. Cuba has previously used the malware to exploit undocumented I/O control codes (IOCTLs) at the kernel level in vulnerable drivers (such as aswArPot.sys, ApcHelper.sys and KApcHelper_x64.sys); in this campaign the ransomware group expanded the set of vulnerable drivers used with this utility to include the Process Explorer driver (procexp152.sys). Researchers said this driver has previously been abused by other threat actors, such as LockBit.
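From a defender's side, the most direct signal for this technique is a driver-load event for one of the named drivers from an unusual path. The following added example (not code from the article or from BlackBerry) runs a watchlist of the driver names on the page over a few constructed Sysmon-style Event ID 6 (DriverLoad) lines and flags matches, noting whether the driver was loaded from outside the normal system drivers directory. The log format and paths are assumptions for illustration.

```python
import re

# Driver file names the article associates with BurntCigar (and procexp152.sys with LockBit).
# Compared case-insensitively because Windows paths are case-insensitive.
WATCHLIST = {"aswarpot.sys", "apchelper.sys", "kapchelper_x64.sys", "procexp152.sys"}

# Directory a legitimately installed driver is normally loaded from (assumption for illustration).
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample telemetry rendered as key=value text; this is not real data.
SAMPLE_LOG = """\
EventID=6 UtcTime=2023-06-12T03:14:02 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Signature=Microsoft Windows
EventID=6 UtcTime=2023-06-12T03:15:40 ImageLoaded=C:\\Users\\Public\\aswArPot.sys Signed=true Signature=AVAST Software s.r.o.
EventID=13 UtcTime=2023-06-12T03:15:41 TargetObject=HKLM\\System\\CurrentControlSet\\Services\\svc\\ImagePath
EventID=6 UtcTime=2023-06-12T03:16:05 ImageLoaded=C:\\Windows\\Temp\\procexp152.sys Signed=true Signature=Microsoft Windows Hardware Compatibility Publisher
"""

_IMAGE_RE = re.compile(r"ImageLoaded=(\S+)")
_TIME_RE = re.compile(r"UtcTime=(\S+)")


def _basename(win_path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return win_path.rsplit("\\", 1)[-1].lower()


def find_watchlisted_driver_loads(log_text: str, watchlist=WATCHLIST):
    """Scan DriverLoad (EventID=6) lines and return those whose driver name is on the watchlist.

    Each hit records the load time, the full path, the driver name and whether the
    driver came from outside the system drivers directory (a secondary signal that
    the file was dropped by an attacker rather than installed by a product).
    """
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("EventID=6 "):
            continue  # only driver-load events are relevant here
        image = _IMAGE_RE.search(line)
        if not image:
            continue
        path = image.group(1)
        name = _basename(path)
        if name not in watchlist:
            continue
        time = _TIME_RE.search(line)
        hits.append({
            "time": time.group(1) if time else None,
            "path": path,
            "driver": name,
            "outside_system_dir": not path.lower().startswith(SYSTEM_DRIVER_DIR),
        })
    return hits


if __name__ == "__main__":
    for hit in find_watchlisted_driver_loads(SAMPLE_LOG):
        print(hit)
```

procexp152.sys is a legitimate, signed Sysinternals component, so a match on its name alone is not proof of abuse; the load path, the absence of a running Process Explorer session and a preceding service creation are the context that separates an administrator's tool from a dropped driver.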
“Another difference was an under-the-hood update to the malware itself,” said researchers. “In previous versions, it contained a cleartext hardcoded list of targeted processes to kill; however, in a variant seen in this campaign, the list was hashed with the CRC-64/ECMA-182 algorithm. Once decoded, it includes a list of processes overlapping with previous Cuba campaigns.”
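Hashing the kill list with a non-cryptographic checksum only hides the names from a string dump; an analyst recovers them by hashing a candidate wordlist with the same algorithm and matching. The added example below (not code from the article or from the BlackBerry report) implements CRC-64/ECMA-182 (polynomial 0x42F0E1EBA9EA3693, no reflection, zero init and xor-out, check value 0x6C40DF5F0B497347 for "123456789") and resolves a constructed hashed list against a constructed candidate list. The process names and the case-handling variants are assumptions; the report does not say how the malware normalises names before hashing.

```python
CRC64_ECMA182_POLY = 0x42F0E1EBA9EA3693
MASK64 = 0xFFFFFFFFFFFFFFFF


def _make_table():
    """Byte-wise lookup table for the non-reflected CRC-64/ECMA-182 variant."""
    table = []
    for byte in range(256):
        crc = byte << 56
        for _ in range(8):
            if crc & (1 << 63):
                crc = ((crc << 1) ^ CRC64_ECMA182_POLY) & MASK64
            else:
                crc = (crc << 1) & MASK64
        table.append(crc)
    return table


_TABLE = _make_table()


def crc64_ecma182(data: bytes) -> int:
    """CRC-64/ECMA-182: init=0, refin=false, refout=false, xorout=0."""
    crc = 0
    for b in data:
        crc = (_TABLE[((crc >> 56) ^ b) & 0xFF] ^ (crc << 8)) & MASK64
    return crc


def resolve_hashed_list(hashes, candidates):
    """Map each 64-bit hash to a candidate name, or None if no candidate matches.

    Each candidate is tried as written, lower-cased and upper-cased, since the
    normalisation used before hashing is an assumption here.
    """
    lookup = {}
    for name in candidates:
        for variant in {name, name.lower(), name.upper()}:
            lookup[crc64_ecma182(variant.encode("utf-8"))] = name
    return {h: lookup.get(h) for h in hashes}


# Constructed candidate wordlist of process names (placeholders, not real products).
CANDIDATES = ["exampleav.exe", "BackupAgent.exe", "edrsensor.exe", "sqlservr.exe"]

# Constructed "hashed kill list" as it might be carved from a sample: three entries
# that correspond to candidates (hashed lower-case) and one that does not resolve.
SAMPLE_HASHES = [
    crc64_ecma182(b"exampleav.exe"),
    crc64_ecma182(b"backupagent.exe"),
    crc64_ecma182(b"sqlservr.exe"),
    0xDEADBEEFDEADBEEF,  # unresolved entry: not in the wordlist
]


if __name__ == "__main__":
    for h, name in resolve_hashed_list(SAMPLE_HASHES, CANDIDATES).items():
        print(f"{h:016x}  {name or '<unresolved>'}")
```

Unresolved entries are the interesting ones for an analyst: they are either products missing from the wordlist or a hint that the malware applies a normalisation (path, case, extension) the wordlist did not anticipate.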
The group is also now targeting a vulnerability (CVE-2023-27532) in the Backup & Replication component of Veeam, a data backup and recovery company. The known flaw could allow an attacker to obtain credentials stored in the configuration files on victim devices. The flaw was disclosed and patched in March; since then, a number of cybercriminals, including FIN7, have exploited unpatched instances.
Previous Cuba attacks have exploited vulnerabilities for initial access or leveraged initial access brokers. Researchers believe that for the more recent attacks the group has been leveraging reused or stolen credentials for an administrator RDP account.
“This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities,” said researchers. “This means that the attacker likely obtained the valid credentials via some other nefarious means preceding the attack.”
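A logon that succeeds on the first try from an unfamiliar source is exactly the pattern a brute-force rule will miss, so it needs its own detection. The added example below (not code from the article or from BlackBerry) runs over constructed Windows Security events (4624 successful logon, 4625 failed logon, logon type 10 for RDP) and reports administrator RDP logons that had no failed attempts for that account in the preceding window and came from a source not on an allow-list. The account names, source addresses and the 24-hour lookback are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed events in the fields a SIEM would normalise from 4624/4625; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T02:10:05", "id": 4625, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"time": "2023-06-01T02:10:15", "id": 4625, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"time": "2023-06-01T02:10:30", "id": 4624, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"time": "2023-06-01T02:50:00", "id": 4625, "user": "Administrator", "logon_type": 10, "src": "203.0.113.55"},
    {"time": "2023-06-01T02:50:20", "id": 4624, "user": "Administrator", "logon_type": 10, "src": "203.0.113.55"},
    {"time": "2023-06-01T03:42:11", "id": 4624, "user": "svc-admin", "logon_type": 10, "src": "198.51.100.7"},
    {"time": "2023-06-01T08:00:00", "id": 4624, "user": "svc-admin", "logon_type": 10, "src": "10.20.0.5"},
    {"time": "2023-06-01T09:00:00", "id": 4624, "user": "helpdesk", "logon_type": 2, "src": "-"},
]

# Accounts and jump-host addresses an organisation would maintain (assumed values).
ADMIN_ACCOUNTS = {"administrator", "svc-admin"}
KNOWN_ADMIN_SOURCES = {"10.20.0.5"}

RDP_LOGON_TYPE = 10


def find_clean_admin_rdp_logons(events, admin_accounts=ADMIN_ACCOUNTS,
                                known_sources=KNOWN_ADMIN_SOURCES,
                                lookback=timedelta(hours=24)):
    """Return successful admin RDP logons from unknown sources with no prior failures.

    A logon preceded by failures for the same account is left to a brute-force rule;
    this rule is for the first-try success the article describes.
    """
    ordered = sorted(events, key=lambda e: e["time"])
    hits = []
    for i, ev in enumerate(ordered):
        if ev["id"] != 4624 or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        user = ev["user"].lower()
        if user not in admin_accounts or ev["src"] in known_sources:
            continue
        t = datetime.fromisoformat(ev["time"])
        window_start = t - lookback
        prior_failures = sum(
            1 for p in ordered[:i]
            if p["id"] == 4625
            and p["user"].lower() == user
            and datetime.fromisoformat(p["time"]) >= window_start
        )
        if prior_failures == 0:
            hits.append({"time": ev["time"], "user": ev["user"], "src": ev["src"]})
    return hits


if __name__ == "__main__":
    for hit in find_clean_admin_rdp_logons(SAMPLE_EVENTS):
        print("first-try admin RDP logon from unknown source:", hit)
```

In the sample, jdoe is not an administrator, the Administrator logon follows a failure (a brute-force rule's territory), and the 08:00 svc-admin logon comes from a known jump host; only the 03:42 svc-admin logon from 198.51.100.7 is reported. In production the allow-list should be derived from historical logon sources rather than typed by hand, and a hit is a prompt to confirm the session with the account owner, not an automatic verdict.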
In addition to these newer changes, the group also leveraged exploits and custom malware observed in previous attacks. These included a host enumeration tool called Wedgecut, a custom downloader called BugHatch, and the popular Metasploit pentesting framework. The group also exploited the known ZeroLogon flaw (CVE-2020-1472) in Microsoft’s Netlogon protocol, which it has leveraged previously.
“Also worthy of note is that Cuba’s own leak site has gone online and offline intermittently during the last couple of months,” said researchers. “Based on our observations, the site comes back online whenever a new victim is allegedly compromised and listed, before going dark again.”
Cuba seemingly has no plans of slowing down. In December 2022, several U.S. government agencies released a joint cybersecurity advisory warning that as of August 2022, the group had compromised 101 entities, including 65 in the U.S., and had demanded $145 million in ransom payments. In past years, the group has also adopted new tactics and exploits, including the ProxyShell and ProxyLogon flaws in early 2022.
“Throughout the last four years, Cuba has used a similar set of core TTPs with a slight shift from year to year,” said researchers. “These typically consist of LOLBins (executables that are a part of the operating system and can be exploited to support an attack), exploits, commodity and custom malware, and popular legitimate pen-testing frameworks such as Cobalt Strike and Metasploit.”