A new campaign linked to the Cuba ransomware is rapidly spreading online, taking advantage of a complex, multi-stage strategy.
According to the experts of BlackBerry's Threat Research and Intelligence team, the operation is targeting critical infrastructure on US territory and, in South America, IT companies. Although no cases have been recorded in Europe so far, it cannot be ruled out that the campaign will turn its sights on the old continent in the near future.
The operation, identified during June 2023, exploits a security flaw disclosed three months earlier in Veeam Backup & Replication products (CVE-2023-27532). Among other things, the vulnerability had already been exploited by another group of cybercriminals.
WithSecure, in fact, reported that FIN7 (another group tied to the ransomware ecosystem) had actively exploited CVE-2023-27532 for its own illicit purposes.
How the new Cuba ransomware spreading tactic works
For the spread of Cuba ransomware, the primary initial access vector is the compromise of administrator credentials via RDP.
Once initial access has been obtained, a downloader developed by the group itself, called BugHatch, is loaded onto the compromised machine. It establishes communication with the command-and-control server, downloads further DLL files and runs the commands it receives.
To carry the attack through successfully, Cuba adopts the now widespread BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protection tools. It also uses the tool known as BurntCigar to terminate kernel-level processes associated with the machine's security context.
According to some investigations, the cybercriminal gang in question originates from Russia. This inference is drawn from the fact that its ransomware attacks exclude devices that use a Russian-language keyboard layout. The group, active on the scene for four years, is today one of the most active in the entire sector.