Cuba Ransomware Group Steals Credentials Via Veeam Exploit

Written by

A notorious Russian-speaking ransomware group has updated its attack tooling to include a Veeam exploit designed to harvest logins, according to BlackBerry.

The security-focused vendor said its discovery came from investigations into attacks by the Cuba group on a US critical national infrastructure provider and a South American IT integrator.

Now in its fourth year of operation, the group appears to be using a slightly tweaked set of tactics, techniques and procedures (TTPs) blending old and new tools and methods.

Among the new discoveries BlackBerry made was Cuba’s exploitation of CVE-2023-27532, which impacts Veeam Backup & Replication software, and is being used to steal credentials from configuration files on the victim’s device.

Read more on the Cuba group: Ukraine Warns of Cuba Ransomware Campaign​

“The exploit works by accessing an exposed API on a component of the Veeam application – Veeam.Backup.Service.exe,” said BlackBerry. “This vulnerability exists on any version of the Veeam Backup & Replication software prior to the version 11a (build 11.0.1.1261 P20230227) and version 12 (build 12.0.0.1420 P20230223).”

The bug was also exploited by the FIN7 group back in March, BlackBerry added.

Elsewhere, Cuba exploited a legacy flaw in Microsoft NetLogon (CVE-2020-1472) and used custom and off-the-shelf tools such as custom downloader BugHatch, a Metasploit DNS stager, host enumeration tool Wedgecut, BurntCigar malware and numerous evasive techniques including Bring Your Own Vulnerable Driver (BYOVD).

Initial access in these studied compromises came from an administrator-level login via Remote Desktop Protocol (RDP). It’s likely that the Cuba group bought this from an initial access broker (IAB) or achieved it via vulnerability exploitation, BlackBerry said.

A joint advisory issued by the US authorities last year claimed Cuba ransomware had compromised around 100 organizations by August 2022, receiving as much as $60m in payments.

What’s hot on Infosecurity Magazine?