In a concerning development, the Cuba ransomware group has broadened its scope by infiltrating previously untouched sectors while arming itself with sophisticated tools. Researchers at BlackBerry recently unveiled the extent of this expansion, revealing that the group, suspected to have ties with Russia, orchestrated a dual assault. In one instance, a critical U.S. infrastructure entity fell victim, while simultaneously, an IT integrator in Latin America faced the brunt of the attack.
Central to this aggressive campaign is the Cuba ransomware group's use of a potent toolkit that combines custom-built components with existing malicious software. The attackers showed a marked reliance on credential reuse: their initial foothold was attributed to a successful administrative login over Remote Desktop Protocol (RDP) using previously compromised credentials. Among the tools deployed, notable ones include BUGHATCH, a custom downloader, and BURNTCIGAR, a tool for disabling anti-malware software, alongside widely recognized frameworks such as Metasploit and Cobalt Strike.
What makes this assault even more insidious is the incorporation of Living-off-the-Land Binaries (LOLBINS) into the toolkit. These are legitimate binaries already present on the victim's systems, repurposed by the attackers for a range of malicious activities, from delivering malware to conducting file operations and stealing passwords. Furthermore, the attackers capitalized on two exploits: one targeting Microsoft's NetLogon protocol (CVE-2020-1472) and another exploiting a recently disclosed vulnerability (CVE-2023-27532) in Veeam Backup & Replication software.
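The three behaviours described above (administrative RDP logons with reused credentials, LOLBin execution, and NetLogon abuse via CVE-2020-1472) each leave a trail in Windows Security event logs that a defender can look for. The script below is an added illustration, not code from the article, from BlackBerry, or from the Cuba group's toolkit; it runs a few simple detection rules over constructed sample events. The event field names follow the Windows Security log (4624 logon, 4688 process creation, 4742 computer account changed), while the sample events, the admin account list and the allow-list of management hosts are assumptions made up for the example.

```python
"""Toy detections for the tradecraft described above: admin RDP logons
from unknown sources, LOLBin process launches, and the event trail that a
Zerologon (CVE-2020-1472) machine-account password reset leaves on a
domain controller. All events below are constructed, not real telemetry."""
import ntpath

# Constructed sample events modelled on Windows Security log fields.
SAMPLE_EVENTS = [
    # RDP (logon type 10) by an admin account from an address not on the
    # management allow-list: the credential-reuse pattern in the article.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "Computer": "FILESRV01"},
    # RDP by a normal user: not an admin, so not flagged.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.20", "Computer": "WS-042"},
    # Admin RDP from the known jump host: expected, not flagged.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.20", "Computer": "FILESRV01"},
    # Process creation of a well-known LOLBin.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe <arguments omitted in example>",
     "Computer": "FILESRV01"},
    # Ordinary process creation: not flagged.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "Computer": "WS-042"},
    # Computer account password change on the DC by ANONYMOUS LOGON:
    # the classic artefact of a Zerologon exploitation attempt.
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "Computer": "DC01"},
    # Routine machine-account password rotation by the DC itself: benign.
    {"EventID": 4742, "SubjectUserName": "DC01$",
     "TargetUserName": "DC01$", "Computer": "DC01"},
]

# Assumed environment knowledge (constructed for the example).
ADMIN_ACCOUNTS = {"svc_backup", "Administrator"}
KNOWN_ADMIN_SOURCES = {"10.0.5.20"}  # assumed management jump host
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "bitsadmin.exe", "wmic.exe", "msiexec.exe"}


def detect_rdp_admin_logons(events, admins=ADMIN_ACCOUNTS,
                            known_sources=KNOWN_ADMIN_SOURCES):
    """Logon type 10 is RemoteInteractive (RDP). Flag admin accounts
    arriving from any address outside the management allow-list."""
    hits = []
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 10
                and e.get("TargetUserName") in admins
                and e.get("IpAddress") not in known_sources):
            hits.append(("rdp_admin_unknown_source",
                         e["TargetUserName"], e["IpAddress"]))
    return hits


def detect_lolbin_launch(events, lolbins=LOLBINS):
    """Flag process creation (4688) of binaries on the LOLBin list;
    the command line is kept for analyst triage, not used for matching."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        # ntpath handles Windows paths regardless of the host OS.
        name = ntpath.basename(e.get("NewProcessName", "")).lower()
        if name in lolbins:
            hits.append(("lolbin_launch", name, e.get("Computer")))
    return hits


def detect_zerologon_trail(events):
    """After a Zerologon password reset, the DC records 4742 (computer
    account changed) for a machine account ($) with subject ANONYMOUS LOGON."""
    hits = []
    for e in events:
        if (e.get("EventID") == 4742
                and e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                and e.get("TargetUserName", "").endswith("$")):
            hits.append(("zerologon_indicator",
                         e["TargetUserName"], e.get("Computer")))
    return hits


def run_detections(events):
    """Run every rule and return the combined list of findings."""
    return (detect_rdp_admin_logons(events)
            + detect_lolbin_launch(events)
            + detect_zerologon_trail(events))


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The point of the allow-list in the RDP rule is that the article's initial access came through a valid administrative login, which no credential-based control will catch; only the source of the session, combined with the privilege of the account, makes it stand out. Patching CVE-2020-1472 and CVE-2023-27532 removes the exploit paths, while the 4742 rule catches the attempt on hosts where the patch is missing.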
This revelation once again underscores the persistent and evolving threat posed by the Cuba ransomware group. Active since 2019, the group's adaptability and brazen tactics highlight the urgency of basic security measures. As the successful exploitation of vulnerabilities like CVE-2023-27532 shows, prompt installation of security updates is critical in defending against such advanced threats. Organizations should heed this warning and prioritize patching to avoid falling victim to the group's ever-expanding arsenal.