Cuba ransomware gang looking for unpatched Veeam installations: Report

The Cuba ransomware gang has tweaked its attack strategy to go after IT environments that haven’t patched a recently discovered vulnerability in Veeam Software’s backup solutions.

Usually the gang exploits the three-year old Windows Server Netlogon vulnerability (CVE-2020-1472) known as Zerologon, BlackBerry said in a report Thursday. However, an analysis of a series of attacks in June, including a critical infrastructure organization in the United States and an IT integrator in Latin America, shows the gang is now also targeting the Veeam CVE-2023-27532 vulnerability.

Other researchers call the strain of ransomware used by this group Colddraw or Fidel. It first appeared in 2019 and, according to BlackBerry, has built up a relatively small but carefully selected list of victims in the years since. As of August 2022, the group had compromised 101 organizations, 65 of them in the United States.

Based on the strings analysis of the code used in the most recent campaign, BlackBerry found indications that the developer behind Cuba ransomware is Russian-speaking. That theory is further strengthened, the report says, by the fact the ransomware automatically terminates its own execution on hosts that are set to the Russian language, or on those that have the Russian keyboard layout present.

IT defenders should also note that, in this particular campaign, the Cuba gang somehow got hold of an organization’s administrator credentials. The attackers logged in directly through Windows Remote Desktop Protocol (RDP). There was no evidence of previous invalid login attempts, or evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This means, BlackBerry concluded, that the attacker likely obtained the valid credentials via some other method.

Cuba’s toolkit consists of various custom and off-the-shelf parts. These include what BlackBerry calls BugHatch, a lightweight custom downloader likely developed by the Cuba ransomware members, as it has only been seen operated by them in the wild. It establishes a connection to a command-and-control server and downloads a payload of the attacker’s choosing, typically small PE files or PowerShell scripts. BugHatch can…