Ransomware gang is exploiting flaws in backup software to attack infrastructure

Apparently, Cuba excludes endpoints with the Russian keyboard layout from its attacks and has a number of Russian 404 pages on its infrastructure. Furthermore, it targets (almost exclusively) organizations in the Western world, leading researchers to conclude that the attackers are likely state-aligned.

Critical targets

In this campaign, the group targeted “critical infrastructure organizations” in the United States, as well as IT firms in Latin America, although no names were mentioned. 

To target these firms, Cuba abused CVE-2023-27532, a high-severity flaw discovered in Veeam Backup & Replication (VBR) tools. By using previously obtained administrator credentials, the attackers use RDP to infiltrate the target network and drop their custom downloader BugHatch. 

A couple of additional steps are required before the network is fully compromised, though, including the deployment of a vulnerable driver to turn off endpoint protection tools.

Given that the Veeam flaw has been around for a few months now, as well as the fact that a proof-of-concept is already available on the internet, deploying a patch is pivotal at this moment, warns BleepingComputer. 

The publication added that Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's NetLogon protocol, which gives the attackers privilege escalation against AD domain controllers.

Last time we heard from Cuba was in mid-April last year, when cybersecurity researchers from Mandiant observed the group abusing flaws in Microsoft Exchange to compromise corporate endpoints, harvest data, and deploy the COLDDRAW malware. 

The experts’ report stated the group used ProxyShell and ProxyLogon vulnerabilities at least since August 2021 to plant various web shells, Remote Access Trojans (RAT), and backdoors on compromised systems. 

• Check out the best backup tools around

Via: BleepingComputer