Exploring the Latest Tools & Tactics of Cuba Ransomware
Category: Ransomware News | Industries: Critical Infrastructure, Technology
Throughout 2023, the Cuba ransomware group has exhibited consistent activity, directing its efforts primarily towards Western targets. In a report from BlackBerry's Threat Research and Intelligence team, the gang's latest endeavors have involved targeting a critical infrastructure organization within the United States, as well as an IT service company located in Latin America. The tactics, techniques, and procedures (TTPs) demonstrated in the attack aligned with TTPs previously attributed to Cuba. However, some new tricks seem to have been adopted, such as exploiting vulnerable Veeam servers through CVE-2023-27532. This vulnerability exposes access to encrypted credentials stored in the Veeam Backup & Replication component's configuration database. Among the tools that overlap with earlier campaigns, Cuba has also incorporated the enumeration tool netpingall.exe into its arsenal; this particular tool was observed in action during Hancitor campaigns in 2021. New additions to the toolkit include a custom downloader identified as BUGHATCH, a Metasploit DNS Stager, Wedgecut (an additional enumeration tool), and BURNTCIGAR (a process killer with kernel-level capabilities). Alongside these new tools, the Cuba actors have remained devoted to their established favorites. This entails employing well-known techniques like ZeroLogon (CVE-2020-1472) for exploitation, while consistently leveraging tools such as PsExec, Cobalt Strike, and living-off-the-land binaries (LOLBins) like cmd.exe, powershell.exe, rundll32.exe, ping.exe, net.exe, and nltest.exe.
In a documented intrusion attributed to Cuba, BlackBerry's findings revealed that the attackers had effectively employed compromised credentials to establish an RDP connection. BlackBerry noted, "This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This suggests that the attacker likely obtained valid credentials through alternative malicious methods prior to launching the attack." Subsequently, the attackers leveraged LOLBins to execute batch scripts and exploited a vulnerable driver loaded through a newly created Windows service, thereby initiating reconnaissance activities within the network. Furthermore, they exploited vulnerabilities associated with NetLogon and Veeam, all while deploying a range of other malicious tools. While Cuba ransomware activity demonstrated consistency throughout the year, BlackBerry highlighted intermittent periods of downtime on Cuba's data leak site. The pattern involved the gang intermittently posting new victims, only to then go "dark" again for a time. Despite these periods of inactivity, Cuba ransomware activity continues to be a significant concern within the threat landscape, as the attackers have maintained their presence for the past four years.
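The intrusion chain summarized above (an RDP logon on valid credentials with no preceding failed attempts, a new Windows service that loads a driver, PsExec, and a burst of enumeration LOLBins launched from a batch script) maps onto a handful of Windows event IDs a defender can hunt on. The following is an added example, not code from BlackBerry or from the article: three small detection rules run over constructed Security and System log records. The event schema (dicts keyed by event ID and the XML field names of events 4624, 4625, 7045 and 4688) is an assumption for this example, and every record in `SAMPLE_EVENTS` is made up.

```python
"""Hunt rules for the Cuba-style TTPs described above, run over constructed
Windows event records. Field names follow the real event XML (TargetUserName,
LogonType, ServiceName, ImagePath, ServiceType, NewProcessName,
ParentProcessName), but the records themselves are invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration LOLBins named in the report; a batch script typically runs
# several of them in quick succession.
RECON_LOLBINS = {"ping.exe", "net.exe", "nltest.exe"}

# Constructed sample telemetry (one host, timestamps as ISO strings).
SAMPLE_EVENTS = [
    # RDP logon (LogonType 10) with no 4625 failures beforehand for this account.
    {"id": 4624, "ts": "2023-06-01T02:10:05", "TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "203.0.113.7"},
    # A different account that was guessed first; the RDP rule must NOT fire for it.
    {"id": 4625, "ts": "2023-06-01T02:11:00", "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "203.0.113.9"},
    {"id": 4625, "ts": "2023-06-01T02:11:02", "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "203.0.113.9"},
    {"id": 4624, "ts": "2023-06-01T02:11:05", "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "203.0.113.9"},
    # New service that loads a kernel driver from a user-writable path.
    {"id": 7045, "ts": "2023-06-01T02:15:30", "ServiceName": "UpdSvc", "ImagePath": "C:\\Users\\Public\\drv.sys", "ServiceType": "kernel mode driver"},
    # Service artifact PsExec registers on the remote host.
    {"id": 7045, "ts": "2023-06-01T02:16:00", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service"},
    # Benign driver install from the normal location (should not fire).
    {"id": 7045, "ts": "2023-06-01T02:16:30", "ServiceName": "nvlddmkm", "ImagePath": "System32\\drivers\\nvlddmkm.sys", "ServiceType": "kernel mode driver"},
    # Burst of recon LOLBins spawned by cmd.exe, as a batch script would do.
    {"id": 4688, "ts": "2023-06-01T02:17:00", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\ping.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4688, "ts": "2023-06-01T02:17:01", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\net.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4688, "ts": "2023-06-01T02:17:02", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\nltest.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rdp_logons_without_failures(events, lookback=timedelta(minutes=30)):
    """Successful RDP logons (4624, LogonType 10) with no 4625 for the same
    account inside the lookback window: the 'valid credentials, no brute force'
    pattern BlackBerry describes. Returns (account, source IP) pairs."""
    hits = []
    for e in events:
        if e["id"] != 4624 or e.get("LogonType") != "10":
            continue
        t = _ts(e)
        prior_failures = [f for f in events if f["id"] == 4625
                          and f.get("TargetUserName") == e["TargetUserName"]
                          and t - lookback <= _ts(f) < t]
        if not prior_failures:
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def suspicious_service_installs(events):
    """7045 service installs worth review: kernel-mode drivers whose binary sits
    outside System32\\drivers (a new service loading an unexpected driver), and
    the PSEXESVC service that PsExec creates on its target."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        path = e["ImagePath"].lower()
        if e["ServiceType"] == "kernel mode driver" and "system32\\drivers\\" not in path:
            hits.append(("driver_outside_drivers_dir", e["ServiceName"]))
        elif e["ServiceName"].upper() == "PSEXESVC":
            hits.append(("psexec_service", e["ServiceName"]))
    return hits


def enumeration_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Accounts that run at least min_distinct different recon LOLBins from
    cmd.exe within one window. Returns (account, sorted tool names)."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] != 4688:
            continue
        exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        parent = e["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        if exe in RECON_LOLBINS and parent == "cmd.exe":
            by_user[e["SubjectUserName"]].append((_ts(e), exe))
    hits = []
    for user, runs in by_user.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            seen = {exe for t, exe in runs[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits.append((user, sorted(seen)))
                break
    return hits


if __name__ == "__main__":
    print("RDP logons w/o prior failures:", rdp_logons_without_failures(SAMPLE_EVENTS))
    print("Service installs to review:   ", suspicious_service_installs(SAMPLE_EVENTS))
    print("Enumeration bursts:           ", enumeration_bursts(SAMPLE_EVENTS))
```

On real telemetry the first rule is a triage aid rather than an alert on its own: a successful interactive logon from a new source with no failed attempts is exactly what stolen credentials look like, so it should be correlated with source IP reputation and the account's normal logon hosts. The driver rule deliberately keys on the install path rather than a list of known-bad driver hashes, so it also catches drivers the hunt team has not yet catalogued.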