Cuba ransomware hackers target close to 50 entities across five US critical infrastructure sectors

The Federal Bureau of Investigation (FBI) has said that ransomware hackers it refers to as ‘Cuba ransomware’ hackers have compromised at least 49 entities in five critical infrastructure sectors, including organizations in the financial, government, healthcare, manufacturing, and information technology industries. The figures released by the federal agency are current as of early November, and the affected entities may extend to other critical infrastructure sectors.

The Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as remote access trojans (RATs) and other types of ransomware, onto victims’ networks, the FBI said in its alert. “Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services—such as PowerShell, PsExec, and other unspecified services—and then leverage Windows Admin privileges to execute their ransomware and other processes remotely,” it added.

Once inside a victim network, the Cuba ransomware is said to encrypt target files and append the ‘.cuba’ extension to them. Cuba ransomware attackers have demanded at least US$74 million and received at least $43.9 million in ransom payments, the FBI alert added.

According to the technical information released by the federal agency, the Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include ‘pones.exe’ for password acquisition and ‘krots.exe,’ also known as KPOT, enabling the Cuba ransomware hackers to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the ‘krots.exe’ file is deleted and the TMP file is executed in the compromised network. 

“The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system,” the FBI alert said. “Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com.” 

Further, Cuba ransomware hackers use the Mimikatz tool to steal credentials, and then use RDP to log into the compromised network host with a specific user account. Once the RDP connection is established, the Cuba ransomware hackers use the CobaltStrike server to communicate with the compromised user account.

The FBI also said that one of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL ‘kurvalarva.com.’ 

The federal agency is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file, though it does not encourage paying ransom to the cyber attackers. 
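The indicators the article quotes from the alert (the two domains, the two dropped executables, and a PowerShell stage that loads a base64-encoded payload) are the kind of thing a defender would sweep boundary and endpoint logs for. The following is an added example, not code from the FBI alert or the article: it decodes PowerShell `-EncodedCommand` arguments (base64 of UTF-16LE text, which is how PowerShell encodes them) and flags the named indicators in a few constructed log lines. The log format and hostnames are assumptions made up for the example.

```python
import base64
import re

# Indicators quoted in the FBI alert as reported on this page
CUBA_DOMAINS = {"teoresp.com", "kurvalarva.com"}
CUBA_TOOL_NAMES = {"pones.exe", "krots.exe"}
# PowerShell accepts -e, -ec, -enc or -encodedcommand for a base64 (UTF-16LE) script
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{24,})", re.IGNORECASE)
QNAME_RE = re.compile(r"qname=(\S+)")   # assumed DNS log field
IMAGE_RE = re.compile(r"image=(\S+)")   # assumed process-creation log field


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument; return '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except ValueError:
        return ""


def scan_line(line: str) -> list:
    """Return (indicator_type, detail) findings for one log line."""
    findings = []
    m = QNAME_RE.search(line)
    if m and m.group(1).lower().rstrip(".") in CUBA_DOMAINS:
        findings.append(("c2_domain", m.group(1)))
    m = IMAGE_RE.search(line)
    if m and m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower() in CUBA_TOOL_NAMES:
        findings.append(("tool_name", m.group(1)))
    m = ENCODED_CMD_RE.search(line)
    if m:
        findings.append(("encoded_powershell", decode_encoded_command(m.group(1))))
    return findings


def scan(lines):
    """Map line index -> findings, for lines that produced at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line))}


# Constructed sample telemetry (not real logs); the encoded script is benign
SAMPLE_B64 = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "2021-11-02T10:14:03Z dns host=WS-17 qname=teoresp.com rcode=NOERROR",
    "2021-11-02T10:15:21Z proc host=WS-17 image=C:\\Windows\\Temp\\krots.exe parent=powershell.exe",
    "2021-11-02T10:16:44Z proc host=WS-17 image=powershell.exe cmdline=powershell.exe -nop -w hidden -EncodedCommand " + SAMPLE_B64,
    "2021-11-02T10:20:00Z dns host=WS-22 qname=example.com rcode=NOERROR",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOGS).items():
        print(idx, findings)
```

Decoding the encoded command is the useful part: the base64 blob alone tells an analyst nothing, whereas the decoded script shows whether it allocates memory and reaches out to a C2 host as described above.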

The FBI also released another advisory along with the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability in Zoho ManageEngine ServiceDesk Plus, an IT help desk software with asset management capability. The unauthenticated remote code execution (RCE) vulnerability affects all ServiceDesk Plus versions up to, and including, version 11305, and was addressed by the update released by Zoho on Sept. 16, for ServiceDesk Plus versions 11306 and above.

Global security agencies including the FBI, CISA, the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) last month released a joint cybersecurity advisory warning of ongoing malicious cyber activity by an APT group that has been associated with the Iranian government. The notice about the group, which is actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, also provides observed tactics and techniques, and indicators of compromise (IOCs) that have likely been associated with the Iranian government-sponsored APT activity.

The German cybersecurity authority BSI warns of ransomware attacks over the Christmas holidays, fearing the return of the Emotet botnet, according to a Security Affairs report. “During this period offices are often closed and employees are at home, for this reason, their organizations are more exposed to ransomware attacks. The agency also warns of attacks that could exploit vulnerabilities in Microsoft Exchange to compromise mail servers of German organizations,” it added.

The BSI has urged German organizations to patch their systems.

The security warnings to the critical infrastructure sector come as analyst firm Gartner said that by 2025, 30 percent of critical infrastructure organizations will experience a security breach that will result in the halting of operations- or mission-critical cyber-physical systems. Critical infrastructure security has become a primary concern for governments around the world, with the U.S., U.K., EU, Canada, and Australia each identifying sectors deemed critical, though their definitions vary.

A Gartner survey showed that 38 percent of respondents are expected to increase spending on operational technology (OT) security by between 5 and 10 percent in 2021, with another 8 percent of respondents predicting an increase of above 10 percent. However, this may not be enough to make up for underinvestment in this area over many years, according to Gartner.

“Besides the need to catch up, there is a growing number of increasingly sophisticated threats,” Ruggero Contu, research director at Gartner, said in a media statement. “Owners and operators of critical infrastructure are also struggling to prepare for the coming increased oversight.”
