The Cuba ransomware group is sharpening its tools as it escalates attacks on US critical infrastructure and on IT firms in Latin America. BlackBerry’s threat research team has documented the group’s latest addition to its arsenal: exploitation of CVE-2023-27532.
The vulnerability affects Veeam Backup & Replication (VBR), and proof-of-concept exploit code has been publicly available since March 2023. Notably, it is the same flaw previously exploited by the FIN7 group in its ransomware operations.
Detailing the group’s modus operandi, the BlackBerry team reported that Cuba begins its intrusions with stolen administrator credentials, which give it access to systems over the Remote Desktop Protocol (RDP) without any need to brute-force passwords. The group then deploys its custom “BugHatch” downloader, which connects to a command-and-control (C2) server to download DLL files or execute commands.
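The initial-access step above matters for detection: because the credentials are valid and there is no brute-force phase, rules that count failed logons never fire. The following added example (not BlackBerry’s code or the Cuba tooling) instead flags successful RDP logons by privileged accounts from hosts outside an admin-source baseline. The event records are constructed to resemble the relevant fields of Windows Security Event IDs 4624/4625, and the privileged-account list and jump-host addresses are assumptions for illustration.

```python
"""Detect RDP logons by privileged accounts from non-baseline hosts.

Added example; event records below are constructed, not real telemetry.
Fields mirror Windows Security events: 4624 = successful logon,
4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import Counter

# Assumed inventory of privileged accounts (hypothetical names).
PRIVILEGED_ACCOUNTS = {"CORP\\backup_admin", "CORP\\da_jsmith"}
# Assumed baseline of hosts admins are expected to RDP from (hypothetical IPs).
KNOWN_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}
RDP_LOGON_TYPE = 10

# Constructed sample events: (event_id, account, logon_type, source_ip)
SAMPLE_EVENTS = [
    (4624, "CORP\\da_jsmith", 10, "10.0.5.10"),     # admin from jump host: expected
    (4624, "CORP\\alice", 10, "10.0.7.23"),         # non-privileged user over RDP
    (4624, "CORP\\backup_admin", 10, "10.0.9.77"),  # admin from a workstation: suspicious
    (4624, "CORP\\backup_admin", 3, "10.0.9.77"),   # network logon, not RDP
    (4625, "CORP\\da_jsmith", 10, "10.0.9.77"),     # a single failure, no brute-force burst
]


def suspicious_rdp_logons(events, privileged=PRIVILEGED_ACCOUNTS,
                          known_sources=KNOWN_ADMIN_SOURCES):
    """Return (account, source_ip) for successful RDP logons by privileged
    accounts originating from hosts that are not in the admin baseline.

    Failed logons are deliberately ignored: with stolen valid credentials
    there is no failure burst to threshold on, so the signal has to come
    from the successful logon itself.
    """
    hits = []
    for event_id, account, logon_type, src in events:
        if event_id != 4624 or logon_type != RDP_LOGON_TYPE:
            continue
        if account in privileged and src not in known_sources:
            hits.append((account, src))
    return hits


def failed_logons_per_source(events):
    """Count 4625 failures per source IP, i.e. what a brute-force rule sees.

    On the sample data this yields a single failure, far below any
    sensible threshold, which is why such rules miss credential reuse.
    """
    counts = Counter(src for event_id, _, _, src in events if event_id == 4625)
    return dict(counts)


if __name__ == "__main__":
    for account, src in suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: privileged RDP logon {account} from {src}")
    print("failed logons by source:", failed_logons_per_source(SAMPLE_EVENTS))
```

In practice the baseline would be derived from historical 4624 type-10 events for each admin account rather than hard-coded, and the alert would be enriched with the source host’s asset classification before it reaches an analyst.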
The attackers also deploy a Metasploit DNS stager which, once executed, decrypts shellcode and runs it directly in memory. To neutralize defenses, Cuba uses the Bring Your Own Vulnerable Driver (BYOVD) technique together with its “BurntCigar” tool to terminate security processes.
The group’s toolkit does not end there. It also exploits CVE-2020-1472, the “Zerologon” vulnerability in Microsoft’s Netlogon protocol, to escalate privileges on Active Directory domain controllers, and complements this with Cobalt Strike beacons and various LOLBins (living-off-the-land binaries) for remote control of compromised systems.
Although financial gain appears to be Cuba’s main motivation, US security experts are raising the alarm. The group has been a consistent threat for nearly five years, and the addition of CVE-2023-27532 to its toolkit makes it more formidable still. The experts urge prompt patching, especially of Veeam products, stressing that working exploit code for this vulnerability is already publicly available.