BlackBerry details Cuba ransomware hackers using new tools targeting US critical infrastructure

BlackBerry has recently discovered and documented new tools used by the Cuba ransomware threat group. The targets of this campaign included a critical infrastructure company in the U.S. and a systems integrator from Latin America. The BlackBerry Threat Research and Intelligence team investigated a June campaign by the group that culminated in these attacks and provided an in-depth analysis of the latest evolution in the tactics, techniques, and procedures (TTPs) used by the Cuba threat group.

“Due to the very nature of campaigns that utilize ransomware, it is simple to conclude that the threat actor behind Cuba ransomware is financially motivated,” the BlackBerry team wrote in its latest blog post. “Based on the aforementioned linguistic and text-based details documented by researchers at Profero, including the termination of execution on machines that have Russian language or keyboard layout present, it’s highly likely the threat actor/s behind it are Russian-speaking.”

The research team added that another significant clue to the Cuba group’s origins is the fact that throughout the whole course of the ransomware’s existence, its operator’s choice of victims has been predominantly Western-based (or allied), democratic, and anglophone countries.

BlackBerry also found two exploits deployed in this campaign, both of which align with previously seen TTPs from this group. The difference is that this is the first known time the Cuba threat actor has exploited the Veeam vulnerability CVE-2023-27532.

The first vulnerability, CVE-2020-1472 (NetLogon), is in Microsoft’s NetLogon Remote Protocol (MS-NRPC) and allows privilege escalation against Active Directory (AD) domain controllers (DC): an attacker who can use MS-NRPC to establish a vulnerable connection can obtain administrative access.

The flaw is dubbed ‘ZeroLogon’ because the initialization vector (IV) used in the ‘logon’ process is set to all zeros instead of random values; if successfully exploited, a threat actor could potentially compromise and take control of a vulnerable domain, according to the researchers. “The binary used to exploit this vulnerability in this campaign is the same one previously used by the Cuba Operators across multiple attacks from 2022 to present.”

The CVE-2023-27532 Veeam vulnerability affects the legitimate Veeam Backup & Replication software, allowing an attacker to potentially gain access to the credentials stored within the configuration file on the victim’s device, the researchers detailed. “It is exploitable via the Veeam backup service, which runs on the default TCP port of 9401. Several threat actors exploited this CVE when it was discovered, such as the Fin7 group in late March 2023.”

Furthermore, the exploit works by accessing an exposed API on a component of the Veeam application, Veeam.Backup[dot]Service[dot]exe. “This vulnerability exists on any version of the Veeam Backup & Replication software prior to the version 11a (build 11.0.1.1261 P20230227) and version 12 (build 12.0.0.1420 P20230223).”
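For a defender, the practical question raised by the paragraph above is whether a given Veeam Backup & Replication install is below the fixed builds it names. The following is an added example, not code from BlackBerry or from Veeam: it parses build strings of the form "11.0.1.1261 P20230227" and compares them against the two fixed builds quoted on this page. The assumptions are that the "P" suffix is a patch date (YYYYMMDD) applied on top of a build, that a build without that suffix is unpatched, and that major versions above 12 were released after the fix; the inventory lines at the bottom are constructed sample data.

```python
"""Triage Veeam Backup & Replication build strings against the CVE-2023-27532 fixed builds."""
import re

# Earliest fixed builds as stated in the BlackBerry write-up.
# Assumption: the "P" suffix is a cumulative patch date applied on top of the build.
FIXED_BUILDS = {
    11: ((11, 0, 1, 1261), 20230227),   # 11a, build 11.0.1.1261 P20230227
    12: ((12, 0, 0, 1420), 20230223),   # 12,  build 12.0.0.1420 P20230223
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+P(\d{8}))?$")


def parse_build(build_string):
    """Return ((major, minor, rev, build), patch_date) from a Veeam build string.

    A missing "P" suffix yields patch_date 0, i.e. the base build with no patch.
    """
    m = _BUILD_RE.match(build_string.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build_string!r}")
    build = tuple(int(x) for x in m.groups()[:4])
    patch = int(m.group(5)) if m.group(5) else 0
    return build, patch


def is_vulnerable(build_string):
    """True if the build is older than the fixed build for its major version."""
    build, patch = parse_build(build_string)
    major = build[0]
    if major < 11:
        return True            # older product lines never received this fix
    if major > 12:
        return False           # assumption: later majors shipped after the fix
    fixed_build, fixed_patch = FIXED_BUILDS[major]
    if build != fixed_build:
        return build < fixed_build
    # Same base build: only the patch level decides.
    return patch < fixed_patch


def triage_inventory(lines):
    """Given 'hostname<TAB>build string' lines, return hostnames that still need the patch."""
    needs_patch = []
    for line in lines:
        if not line.strip():
            continue
        host, build_string = line.split("\t", 1)
        if is_vulnerable(build_string):
            needs_patch.append(host)
    return needs_patch


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "backup-01\t11.0.1.1261 P20230227",   # patched 11a
    "backup-02\t11.0.1.1261",             # base 11a build, patch missing
    "backup-03\t12.0.0.1420 P20230223",   # patched 12
    "backup-04\t11.0.0.837",              # pre-11a build
    "backup-05\t10.0.1.4854",             # v10, unsupported for this fix
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: exposed to CVE-2023-27532, apply the fixed build")
```

The comparison is deliberately split into "base build" and "patch level" because the fixed releases quoted on the page are patches on top of an existing build number; comparing only the four-part version would mark an unpatched 11.0.1.1261 as safe.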

The Cuba ransomware is currently in the fourth year of its operation and shows no sign of slowing down. In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries. Believed to be of Russian origin, the Cuba threat group deployed a set of malicious tools that overlapped with previous campaigns associated with this attacker and introduced new ones, including the first observed use of an exploit for the Veeam vulnerability.

BlackBerry’s analysis of the attack led the team to a ‘credentials reuse’ scheme. “The first evidence of a compromise in the targeted organization was a successful Administrator-level login via Remote Desktop Protocol (RDP). This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This means that the attacker likely obtained the valid credentials via some other nefarious means preceding the attack,” it added.
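The detail worth turning into a detection is that the intrusion began with an Administrator-level RDP logon that had no failed attempts before it. The following is an added example, not BlackBerry's code or data: it walks Windows logon events and, for each successful RDP logon by a watched privileged account, reports whether failures preceded it in a lookback window. It assumes Windows Security event IDs 4624 (successful logon) and 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP); the tab-separated log format, the watched account list, the 30-minute window and the sample lines are all constructed for the example.

```python
"""Separate first-try privileged RDP logons from ones preceded by failed attempts."""
from dataclasses import dataclass
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"administrator"}     # assumption: privileged accounts to watch
LOOKBACK = timedelta(minutes=30)       # assumption: window for preceding failures
RDP_LOGON_TYPE = "10"                  # Windows logon type 10 = RemoteInteractive (RDP)
SUCCESS, FAILURE = "4624", "4625"      # Windows Security event IDs


@dataclass
class LogonEvent:
    ts: datetime
    event_id: str
    host: str
    account: str
    logon_type: str
    source_ip: str


def parse_log(text):
    """Parse constructed lines: ts<TAB>event_id<TAB>host<TAB>account<TAB>logon_type<TAB>source_ip."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, account, logon_type, source_ip = line.split("\t")
        events.append(LogonEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            event_id, host, account.lower(), logon_type, source_ip,
        ))
    events.sort(key=lambda e: e.ts)
    return events


def classify_admin_rdp_logons(events):
    """Return one finding per successful privileged RDP logon.

    Each finding is (timestamp, host, account, source_ip, label, prior_failure_count).
    label is "preceded_by_failures" when 4625 events from the same source IP or for the
    same account hit the same host inside LOOKBACK, else "clean_first_try_admin_rdp",
    the pattern the page associates with reuse of valid stolen credentials.
    """
    findings = []
    for i, ev in enumerate(events):
        if (ev.event_id != SUCCESS or ev.logon_type != RDP_LOGON_TYPE
                or ev.account not in ADMIN_ACCOUNTS):
            continue
        window_start = ev.ts - LOOKBACK
        prior_failures = [
            p for p in events[:i]
            if p.event_id == FAILURE and p.host == ev.host and p.ts >= window_start
            and (p.source_ip == ev.source_ip or p.account == ev.account)
        ]
        label = "preceded_by_failures" if prior_failures else "clean_first_try_admin_rdp"
        findings.append((ev.ts.isoformat(), ev.host, ev.account,
                         ev.source_ip, label, len(prior_failures)))
    return findings


# Constructed sample events (hosts, accounts and addresses are not real).
SAMPLE_LOG = """\
2023-06-02T01:12:04Z\t4624\tSRV-FILE01\tjdoe\t10\t10.0.0.55
2023-06-02T01:14:30Z\t4625\tSRV-FILE01\tAdministrator\t10\t203.0.113.7
2023-06-02T01:14:32Z\t4625\tSRV-FILE01\tAdministrator\t10\t203.0.113.7
2023-06-02T01:14:35Z\t4624\tSRV-FILE01\tAdministrator\t10\t203.0.113.7
2023-06-02T03:40:10Z\t4624\tSRV-DC01\tAdministrator\t10\t198.51.100.9
"""

if __name__ == "__main__":
    for finding in classify_admin_rdp_logons(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Both labels deserve review, but they point at different playbooks: failures before the success suggest guessing, while a clean first-try privileged RDP logon from an unfamiliar source is the credential-reuse pattern described above and calls for checking where the password could have been obtained and rotating it.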

Previous Cuba attacks have exploited vulnerabilities or Initial Access Brokers (IABs) to procure access, the post added.

The researchers said that in early June, “as part of our ongoing monitoring of the Cuba threat group, we found evidence of an attack on a U.S.-based organization and decided to investigate. We uncovered a complete set of TTPs, many overlapping with previously seen Cuba attacks, and which encompassed a comprehensive attack toolset.”

They added that these included BUGHATCH, a custom downloader, BURNTCIGAR, an antimalware killer, Metasploit, and Cobalt Strike frameworks, along with numerous Living-off-the-Land Binaries (LOLBINS). “We also found several exploits that have freely available Proof-of-Concept (PoC) code.”

Cuba ransomware, also known as COLDDRAW ransomware, first appeared on the threat landscape in 2019 and has built up a relatively small but carefully selected list of victims in the years since. It is also known as Fidel ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator to both the ransomware and its decoder that the file has been encrypted.

“Despite its name and the Cuban nationalistic styling on its leak site, it unlikely has any connection or affiliation with the Republic of Cuba,” the BlackBerry team assessed. “It has previously been linked to a Russian-speaking threat actor by researchers at Profero due to some linguistic mistranslation details they uncovered, as well as the discovery of a 404 webpage containing Russian text on the threat actor’s own leak site.”

Based on the ‘strings analysis’ of the code used in this campaign, the researchers said that “we also found indications that the developer behind Cuba ransomware is Russian-speaking. That theory is further strengthened by the fact the ransomware automatically terminates its own execution on hosts that are set to the Russian language, or on those that have the Russian keyboard layout present.”

Like many ransomware operators, Cuba utilizes the double-extortion approach to ‘encourage’ victims to pay up, the BlackBerry team said. “Last fall, a joint advisory issued by U.S. law enforcement stated that as of August 2022, the Cuba ransomware group is believed to have compromised 101 entities, including 65 in the United States and 36 outside the United States. In that time it has demanded USD $145 million in ransom payments, and received up to USD $60 million.” 

According to the researchers, throughout the last four years, Cuba has used a similar set of core TTPs with a slight shift from year to year. These typically consist of LOLBins (executables that are a part of the operating system and can be exploited to support an attack), exploits, commodity and custom malware, and popular legitimate pen-testing frameworks such as Cobalt Strike and Metasploit.

“Additionally, at one point in 2022, the group appeared to have developed a relationship with the operators of the Industrial Spy marketplace, using their platform as a leak site, based on similarities in both operators’ ransomware,” the post disclosed. “Also worthy of note is that Cuba’s own leak site has gone on and offline intermittently during the last couple of months. Based on our observations, the site comes back online whenever a new victim is allegedly compromised and listed, before going dark again.”

In conclusion, the BlackBerry researchers said that their investigation indicates that the Cuba threat group continues to target entities in crucial sectors, such as critical infrastructure.

“The Cuba ransomware operators continue to recycle network infrastructure and use a core set of TTPs that they have been subtly modifying from campaign to campaign, often adopting readily available components to upgrade their toolset whenever the opportunity arises,” the team added. “An example of this is a change in the use of exploits for key vulnerabilities; whereas they have been previously seen exploiting CVE-2020-1472/Zerologon, this appears to be the first time they targeted CVE-2023-27532/Veeam.”

In addition, “the threat actor has made some under-the-hood modifications to some of their custom tooling, likely as a mechanism to impede both detection and analysis, as was seen with the inclusion of the hashing functionality to BURNTCIGAR’s codebase. Any updates are likely designed to optimize its execution during campaigns, and we expect to see persistent activity from this group in the near future.”

The researchers recommend an updated patch management program, an email gateway to prevent phishing and block spam, proper network segmentation to slow or contain Cuba ransomware attacks, robust data backups, and an AI-equipped endpoint protection platform. They also recommend regular security awareness training, a modern firewall, and enforcing VPN and multi-factor authentication (MFA) for internal network connections.

Earlier this month, Recorded Future’s Insikt Group published new research identifying RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. The group’s operations span 17 countries in Asia, Europe, and North America from 2021 to 2023, targeting academia, aerospace, government, media, telecommunications, and research sectors.
