FBI, CISA release cybersecurity advisory on Cuba ransomware hackers, covers latest IOCs and TTPs

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) rolled out on Thursday a joint cybersecurity advisory that disseminates known Cuba ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with Cuba ransomware hackers. While updating an FBI advisory released last December on the IOCs associated with the Cuba ransomware, the current advisory covers the hackers, who have been identified through FBI investigations, third-party reporting, and open-source reporting. 

“Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase,” the advisory said. “FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.” 

As of August this year, the FBI has identified that Cuba ransomware actors have compromised over 100 entities worldwide, demanded over US$145 million, and received over $60 million in ransom payments. “This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors,” the advisory added. 

The FBI has previously disclosed that the Cuba ransomware hackers have leveraged known vulnerabilities in commercial software, phishing campaigns, compromised credentials, and legitimate remote desktop protocol (RDP) tools to gain initial access to dozens of entities in multiple critical infrastructure sectors. After gaining initial access, the hackers distributed Cuba ransomware on compromised systems through Hancitor—a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks. 

“Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims,” the advisory said. “Cuba ransomware actors have exploited known vulnerabilities and weaknesses and have used tools to elevate privileges on compromised systems.” 

Palo Alto Networks Unit 42 identified that the Cuba ransomware hackers have exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges. They also used a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos ticket, and then collected and cracked the Kerberos tickets offline via Kerberoasting. 

Additionally, the ransomware hackers used a tool, called KerberCache, to extract cached Kerberos tickets from a host’s Local Security Authority Server Service (LSASS) memory. Unit 42 also discovered that the hackers used a tool to exploit CVE-2020-1472, also known as ZeroLogon, to gain domain administrative privileges. The tool and its intrusion attempts have been reported related to Hancitor and Qbot, the advisory added. 
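The Kerberoasting step described above (enumerate service accounts, request their Kerberos service tickets, crack them offline) leaves a trace on the domain controller: a burst of service-ticket requests from one account and host. The following detection script is an added example and is not code from the advisory or from Unit 42; it assumes Windows Security event ID 4769 records flattened into `key=value` lines, uses the common heuristic that Kerberoasting tooling asks for RC4-encrypted tickets (TicketEncryptionType 0x17), and all accounts, SPNs and addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event ID 4769 records (Kerberos
# service ticket requests), flattened to one line each. Field names match the
# real event schema; the accounts, SPNs and addresses are invented.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x12 IpAddress=10.0.5.21",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 IpAddress=10.0.5.21",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=MSSQLSvc/db02:1433 TicketEncryptionType=0x17 IpAddress=10.0.5.21",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=HTTP/reports TicketEncryptionType=0x17 IpAddress=10.0.5.21",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=WS07$ TicketEncryptionType=0x17 IpAddress=10.0.5.21",
    "EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.5.21",
    "EventID=4768 TargetUserName=jsmith@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.5.21",
    "EventID=4769 TargetUserName=mlee@CORP.LOCAL ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 IpAddress=10.0.7.4",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn a flattened 'key=value' event line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_rc4_service_ticket(ev):
    """True for a 4769 that requested an RC4 (0x17) ticket for a user-held SPN.
    Machine accounts (name ends with '$') and krbtgt are excluded: Kerberoasting
    goes after service accounts whose password a human chose and can be cracked."""
    if ev.get("EventID") != "4769":
        return False
    if ev.get("TicketEncryptionType", "").lower() != "0x17":
        return False
    svc = ev.get("ServiceName", "")
    return bool(svc) and not svc.endswith("$") and not svc.lower().startswith("krbtgt")

def kerberoast_candidates(lines, min_distinct_services=3):
    """Group RC4 service-ticket requests by (requesting user, source IP) and
    return those that asked for at least min_distinct_services distinct SPNs.
    Returns {(user, ip): sorted list of SPNs}. The threshold is a tuning knob:
    one RC4 ticket is normal noise, many distinct SPNs in a burst is not."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_rc4_service_ticket(ev):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct_services}

if __name__ == "__main__":
    for (user, ip), spns in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting: {user} from {ip} requested RC4 tickets for {spns}")
```

In production the same logic would run over a time window rather than a static list; the threshold and the RC4 heuristic both need tuning for environments that still have legacy services legitimately requesting RC4 tickets.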

According to Palo Alto Networks Unit 42, Cuba ransomware actors use tools to evade detection while moving laterally through compromised environments before executing Cuba ransomware. Specifically, the actors leveraged a dropper that writes a kernel driver to the file system called ApcHelper[dot]sys, the advisory said. “This targets and terminates security products. The dropper was not signed; however, the kernel driver was signed using the certificate found in the LAPSUS NVIDIA leak.”

In addition to deploying ransomware, the hackers have used ‘double extortion’ techniques, in which they exfiltrate victim data, demand a ransom payment to decrypt it, and threaten to publicly release it if a ransom payment is not made.

The joint advisory added that since spring 2022, third-party and open-source reports have identified an apparent link between Cuba ransomware actors, RomCom RAT actors, and Industrial Spy ransomware actors.  

According to Palo Alto Networks Unit 42, Cuba ransomware actors began using RomCom malware, a custom RAT, for command and control (C2). Additionally, Cuba ransomware hackers may also be leveraging Industrial Spy ransomware. According to third-party reporting, suspected Cuba ransomware hackers compromised a foreign healthcare company. The threat actors deployed Industrial Spy ransomware, which shares distinct similarities in configuration with Cuba ransomware. Before deploying the ransomware, the hackers moved laterally using Impacket and deployed the RomCom RAT and a Meterpreter reverse shell HTTP/HTTPS proxy via a C2 server. 

The advisory also disclosed that Cuba ransomware actors initially used their leak site to sell stolen data; however, around May this year, the hackers began selling their data on Industrial Spy’s online market for selling stolen data.

RomCom hackers have targeted foreign military organizations, IT companies, food brokers, and manufacturers, the advisory said. The hackers copied legitimate HTML code from public-facing webpages, modified the code, and then incorporated it in spoofed domains, which allowed the RomCom actors to host counterfeit Trojanized applications for SolarWinds Network Performance Monitor (NPM), the KeePass password manager, PDF Reader Pro (by PDF Technologies, Inc., not an Adobe Acrobat or Reader product), and Advanced IP Scanner software. The advisory also noted the deployment of the RomCom RAT as the final stage. 

FBI and CISA recommend that network defenders apply a host of mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Cuba ransomware. The agencies recommend implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location, and requiring all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.

Furthermore, organizations are required to adopt multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems, while keeping all operating systems, software, and firmware up to date. Additionally, organizations must segment networks to prevent the spread of ransomware; identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool; and install, regularly update, and enable real-time detection for antivirus software on all hosts.

The advisory also called for offline backups of data and regularly maintained backup and restoration. By instituting this practice, an organization ensures it will not be severely interrupted and will not be left with irretrievable data. Additionally, it suggests ensuring that all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.
