BlackBerry reports Cuba ransomware has rolled out new tools in campaigns targeting U.S. critical infrastructure and a Latin American IT integrator, including the first observed use of CVE-2023-27532 against Veeam. The findings detail evolving TTPs and toolsets, indicating the group remains active and potentially Russian-speaking. #CubaRansomware #VeeamCVE27532
Key Points
- The Cuba ransomware group deployed new tools (e.g., BUGHATCH, BURNTCIGAR) alongside Metasploit and Cobalt Strike, expanding its attack toolkit.
- The campaign targeted a U.S. critical infrastructure organization and a Latin American IT integrator, with CVE-2023-27532 (Veeam) observed as part of the attacks.
MITRE Techniques
- [T1133] External Remote Services – Initial access via Administrator-level login using Remote Desktop Protocol (RDP). Quote: “the first evidence of a compromise in the targeted organization was a successful Administrator-level login via Remote Desktop Protocol (RDP).”
- [T1078.003] Valid Accounts – Reuse of previously obtained credentials to gain access. Quote: “the attacker likely obtained the valid credentials via some other nefarious means preceding the attack.”
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – BUGHATCH loaded and executed via rundll32.exe. Quote: “by invoking specific exports through the ‘rundll32.exe’ utility and specific commands.”
- [T1059.001] PowerShell – BUGHATCH delivered via a PowerShell dropper or PowerShell-based script. Quote: “PowerShell dropper … loaded into memory by a PowerShell-based script.”
- [T1105] Ingress Tool Transfer – BUGHATCH downloads payloads (small PE files or PowerShell scripts). Quote: “downloads a payload of the attacker’s choosing, typically small PE files or PowerShell scripts.”
- [T1071.004] DNS – Metasploit DNS Stager uses DNS TXT queries to fetch payloads. Quote: “The shellcode performs a TXT query upon a DNS record(s) set and then executes a returned payload.”
- [T1090] Proxy – TOR-based C2 infrastructure and onion leak site used to hide communications. Quote: “The Cuba operators maintain a ‘onion’ webpage located on the dark web, which is accessible via the TOR network.”
- [T1016.001] System Network Configuration Discovery – Wedgecut ICMP-based host enumeration to check if hosts are online. Quote: “host enumeration tool that accepts an argument consisting of a list of IP addresses or hosts, then uses ICMP packets to check whether they are online.”
- [T1562.001] Impair Defenses – BYOVD and endpoint protection termination; group policy modifications. Quote: “defense evasion techniques … BYOVD” and “uninstall endpoint protection manually.”
- [T1212] Exploitation for Credential Access – Veeam CVE-2023-27532 exploit enables access to credentials stored in configuration. Quote: “allows an attacker to potentially gain access to the credentials stored within the configuration file.”
- [T1068] Exploitation for Privilege Escalation – NetLogon (ZeroLogon) exploitation (CVE-2020-1472) to escalate. Quote: “CVE-2020-1472 — NetLogon … ZeroLogon … could potentially compromise and take control of a vulnerable domain.”
- [T1190] Exploit Public-Facing Application – Veeam CVE-2023-27532 exploited via exposed API in Veeam.Backup.Service.exe to access credentials. Quote: “This vulnerability exists on any version of the Veeam Backup & Replication software prior to …”
Indicators of Compromise
- [Hash] Hashes (sha-256) – 58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3, 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0, and 6 more hashes
- [FileName] Agent32.bin – BUGHATCH (example downloader payload)
- [FileName] netpingall.exe – ICMP-based discovery tool used in network enumeration
- [FileName] procexp152.sys – part of the loader/driver set
- [FileName] aswarpot.sys – kernel-level process terminator driver
- [FileName] KApcHelper_x64.sys – loader/driver used with kill-list capabilities
- [Domain] hxxp://cuba—————–REDACTED——————–[.]onion – Cuba leak site domain
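As an added example (not BlackBerry's code or anything from the report), a small hunting pass over constructed Sysmon-style events that checks for several of the TTPs and indicators listed above: rundll32 invoking an export from a DLL in a user-writable path, loads of the listed driver names, clusters of DNS TXT lookups from one process, and the two sha-256 values. The event layout, the user-writable path heuristic, the TXT-query threshold and the export names in the sample telemetry are assumptions.

```python
"""Hunting heuristics for the Cuba TTPs/IoCs on this page over constructed telemetry."""
import re

# sha-256 values and driver file names taken from the IoC list above
KNOWN_HASHES = {
    "58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3",
    "3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0",
}
ABUSED_DRIVERS = {"aswarpot.sys", "kapchelper_x64.sys", "procexp152.sys"}
# assumption: a DLL handed to rundll32 from a user-writable directory deserves review
USER_WRITABLE = re.compile(r"\\(temp|appdata|users\\public)\\", re.IGNORECASE)
RUNDLL_EXPORT = re.compile(r"rundll32(\.exe)?\s+(?P<dll>[^\s,]+)\s*,\s*(?P<export>\w+)", re.IGNORECASE)
TXT_THRESHOLD = 3  # assumption: normal processes rarely issue repeated TXT lookups


def hunt(events):
    """Return (rule, detail) tuples for every event that matches a heuristic."""
    hits, txt_by_pid = [], {}
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            if ev.get("hash", "").lower() in KNOWN_HASHES:
                hits.append(("ioc_hash", ev["image"]))
            m = RUNDLL_EXPORT.search(ev.get("cmdline", ""))
            if m and USER_WRITABLE.search(m.group("dll")):
                hits.append(("rundll32_export_from_user_path", m.group("dll") + "," + m.group("export")))
        elif kind == "driver_load":
            if ev["image"].rsplit("\\", 1)[-1].lower() in ABUSED_DRIVERS:
                hits.append(("byovd_driver", ev["image"]))
        elif kind == "dns" and ev.get("qtype") == "TXT":
            txt_by_pid[ev["pid"]] = txt_by_pid.get(ev["pid"], 0) + 1
    for pid, n in txt_by_pid.items():  # DNS-stager style behaviour: many TXT queries, one process
        if n >= TXT_THRESHOLD:
            hits.append(("dns_txt_stager", f"pid {pid} issued {n} TXT queries"))
    return hits


# constructed sample telemetry (not from the report); export name "Start" is made up
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "hash": "",
     "cmdline": "rundll32.exe C:\\Users\\Public\\Agent32.bin,Start"},
    {"type": "process", "image": "C:\\Users\\Public\\stage.exe", "cmdline": "stage.exe",
     "hash": "58ba30052d249805caae0107a0e2a5a3cb85f3000ba5479fafb7767e2a5a78f3"},
    {"type": "driver_load", "image": "C:\\Windows\\Temp\\aswArPot.sys"},
    {"type": "dns", "pid": 4242, "qtype": "TXT"}, {"type": "dns", "pid": 4242, "qtype": "TXT"},
    {"type": "dns", "pid": 4242, "qtype": "TXT"}, {"type": "dns", "pid": 4243, "qtype": "A"},
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "hash": "",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, detail)
```

The benign shell32.dll invocation and the single A-record lookup in the sample are there to show that the heuristics key on location and query pattern, not on rundll32 or DNS activity as such.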