The BlackBerry Research & Intelligence team has recently discovered and documented new tools used by the Cuba ransomware threat group. This group has been active for four years and remains a significant threat. In the first half of 2023, they were responsible for several high-profile attacks across various industries. One of their recent campaigns in June targeted an organization within the critical infrastructure sector in the U.S. and an IT integrator in Latin America. The group, believed to be of Russian origin, deployed malicious tools, some of which were previously associated with them, and introduced new ones, including an exploit for the Veeam vulnerability CVE-2023-27532.
Who Are the Cuba Ransomware Group?
Cuba ransomware, also known as COLDDRAW or Fidel ransomware, emerged in 2019 and has hit a comparatively small, selective list of victims over the years. Despite its name and Cuban-themed leak site, it has no known connection to the Republic of Cuba. The operators appear to be Russian-speaking: the ransomware terminates if the system locale is Russian or a Russian keyboard layout is installed, a self-exclusion check common among Russian-speaking ransomware crews. The group practises double extortion, encrypting data and threatening to leak stolen copies to pressure victims into paying. They have reportedly compromised 101 entities, demanded over USD $145 million in ransoms, and received over USD $60 million.
The Cuba ransomware group uses a combination of custom and readily available tools. Tools deployed in their recent campaign include BUGHATCH, a custom downloader; BURNTCIGAR, an antimalware killer; and the Metasploit and Cobalt Strike frameworks. They also utilized Living-off-the-Land Binaries (LOLBins) and several exploits for which Proof-of-Concept (PoC) code is publicly available.
The group's initial access vector is most often credential theft followed by Remote Desktop Protocol (RDP) logons with the stolen credentials; they also exploit vulnerabilities and buy access from Initial Access Brokers (IABs). In this campaign they exploited the Netlogon privilege-escalation vulnerability (Zerologon, CVE-2020-1472) and the Veeam Backup & Replication credential-disclosure vulnerability (CVE-2023-27532).
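The RDP pattern described above (an administrative account logging in successfully with no failed attempts beforehand, which suggests credentials bought or stolen rather than guessed) is easy to hunt for in Windows Security logs. The following is an added example, not code from the BlackBerry report or from the Cuba operators: it reads already-parsed 4624 (success) and 4625 (failure) events, keeps only RDP logons (logon type 10) by accounts the organisation treats as administrative, and flags those with no failures from the same source address in the preceding window. The sample events, the field names (`user`, `logon_type`, `src`), and the `ADMIN_ACCOUNTS` list are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, already parsed from the
# 4624/4625 event XML into dicts (TargetUserName -> user, LogonType -> logon_type,
# IpAddress -> src). Every value here is invented for this example.
SAMPLE_EVENTS = [
    # svc_backup: two failures then a success from the same address, i.e. guessing
    {"time": "2023-06-12T01:02:10", "id": 4625, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-06-12T01:02:14", "id": 4625, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-06-12T01:02:20", "id": 4624, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.7"},
    # Administrator: first-try RDP success at 03:40, nothing failed from that address
    {"time": "2023-06-12T03:40:05", "id": 4624, "user": "Administrator", "logon_type": 10, "src": "198.51.100.22"},
    # jdoe: console logon (type 2), out of scope for an RDP hunt
    {"time": "2023-06-12T09:15:00", "id": 4624, "user": "jdoe", "logon_type": 2, "src": "-"},
]

# Assumption: the accounts the organisation treats as administrative (site-specific).
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}


def find_clean_admin_rdp_logons(events, admin_accounts=ADMIN_ACCOUNTS, window_seconds=3600):
    """Return the successful RDP logons (4624, logon type 10) by administrative
    accounts that were not preceded, within window_seconds, by any failed logon
    (4625) from the same source address.

    A success with no failures before it is consistent with credentials obtained
    elsewhere (an info-stealer log, an initial access broker) rather than guessed
    on the spot. It is a lead to triage, not proof of compromise.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # source address -> timestamps of 4625 events
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures[ev["src"]].append(when)
        elif (ev["id"] == 4624 and ev["logon_type"] == 10
              and ev["user"].lower() in admin_accounts):
            recent = [f for f in failures[ev["src"]] if when - window <= f <= when]
            if not recent:
                hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_clean_admin_rdp_logons(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["user"]} from {hit["src"]}: RDP success with no prior failures')
```

On the constructed sample only the Administrator logon is flagged: svc_backup's success follows two failures from the same address inside the window, and jdoe's logon is not over RDP. In production, feed it the 4624/4625 stream from a SIEM and tune the window; a very short window lets guessing that paused before succeeding slip through.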
Tactics, Techniques, and Procedures (TTPs) of the Cuba Ransomware Group
- Initial Access:
- The group often gains initial access through credential theft, particularly via the Remote Desktop Protocol (RDP). They have successfully logged in as administrators without any evidence of prior invalid login attempts, suggesting that they might have procured valid credentials through other means before the attack.
- Techniques used include T1133 (External Remote Services) and T1078.003 (Valid Accounts: Local Accounts).
- Execution:
- The group deploys various tools for execution, including BUGHATCH, a custom downloader, and BURNTCIGAR, an antimalware killer. They also use the Metasploit and Cobalt Strike frameworks.
- Techniques observed include T1106 (Native API), T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), and T1059.003 (Command and Scripting Interpreter: Windows Command Shell).
- Defense Evasion:
- The group employs numerous defense evasion techniques. They attempt to uninstall endpoint protection manually, modify group policies, and notably use the Bring Your Own Vulnerable Driver (BYOVD) technique.
- Techniques include T1211 (Exploitation for Defense Evasion), T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), T1140 (Deobfuscate/Decode Files or Information), and T1562.001 (Impair Defenses: Disable or Modify Tools).
- Privilege Escalation:
- The group uses tools like PsExec, which installs a temporary service on the target host and runs its payload as SYSTEM, to elevate privileges and pivot deeper within the network.
- Techniques include T1543.003 (Create or Modify System Process: Windows Service) and T1068 (Exploitation for Privilege Escalation).
- Discovery:
- The group employs tools like ping.exe for host discovery and cmd.exe for various purposes, such as staging lateral movement and enumerating domain controllers.
- Techniques include T1124 (System Time Discovery), T1135 (Network Share Discovery), T1018 (Remote System Discovery), and T1083 (File and Directory Discovery).
- Lateral Movement:
- Techniques include T1570 (Lateral Tool Transfer) and a User Account Control bypass; note that the ATT&CK ID for Bypass User Account Control is T1548.002, not T1333.
- Credential Access:
- Technique T1212 (Exploitation for Credential Access) was observed, specifically exploitation of the Veeam Backup & Replication vulnerability (CVE-2023-27532), which lets an unauthenticated caller on the backup network retrieve the encrypted credentials stored in the Veeam configuration database.
- Command and Control:
- The group maintains a command-and-control infrastructure for their operations. Techniques include T1219 (Remote Access Software), T1090.003 (Proxy: Multi-hop Proxy), and T1071.004 (Application Layer Protocol: DNS).
- Weaponization and Technical Overview:
- The group uses a mix of custom and off-the-shelf tools. They weaponize EXEs, DLLs, and LOLBins, and use Metasploit, Cobalt Strike, and various exploits. Their attack vectors include credential theft and RDP, and their infrastructure includes Tor.
- The group has exploited the Netlogon vulnerability (CVE-2020-1472, Zerologon) and the Veeam vulnerability (CVE-2023-27532). The former is a flaw in the Netlogon Remote Protocol's authentication that lets an unauthenticated attacker with network access to a domain controller reset the DC's machine-account password and from there take over the Active Directory domain; the latter exposes credentials stored in the Veeam Backup & Replication configuration database.
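The Zerologon path just described leaves a distinctive trace on the domain controller: the public exploit resets the DC's own machine-account password over Netlogon, which the DC records as Security event 4742 ("A computer account was changed") with the subject ANONYMOUS LOGON, the target being the DC's machine account, and a changed "Password Last Set" attribute. Patched DCs additionally log Netlogon events 5827/5828 (vulnerable secure-channel connection denied) and 5829 (allowed, meaning enforcement is not yet on). The following is an added example, not code from the report or the threat actor: two triage functions run over constructed sample events. The event dicts, their field names (`subject`, `target`, `password_last_set`, `client`) and the `DC_ACCOUNTS` list are all assumptions made for this example.

```python
# Assumption: the domain's DC machine accounts (site-specific).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed Security-log 4742 events, already parsed from the event XML
# (SubjectUserName -> subject, TargetUserName -> target, the "Password Last Set"
# entry of Changed Attributes -> password_last_set, "-" when unchanged).
SECURITY_EVENTS = [
    # DC01's own password reset by an anonymous Netlogon caller: the exploit signature
    {"time": "2023-06-12T02:00:01", "id": 4742, "subject": "ANONYMOUS LOGON",
     "target": "DC01$", "password_last_set": "6/12/2023 2:00:01 AM"},
    # routine machine-account password rotation: the account changes its own password
    {"time": "2023-06-12T02:30:00", "id": 4742, "subject": "DC01$",
     "target": "DC01$", "password_last_set": "6/12/2023 2:30:00 AM"},
    # anonymous caller against a workstation account: suspicious, but not the DC takeover
    {"time": "2023-06-12T02:31:00", "id": 4742, "subject": "ANONYMOUS LOGON",
     "target": "WS-042$", "password_last_set": "6/12/2023 2:31:00 AM"},
    # an admin edited another attribute of DC02; Password Last Set shows "-" (unchanged)
    {"time": "2023-06-12T08:00:00", "id": 4742, "subject": "jdoe",
     "target": "DC02$", "password_last_set": "-"},
]

# Constructed System-log Netlogon events from a patched DC.
SYSTEM_EVENTS = [
    {"time": "2023-06-12T01:59:30", "id": 5829, "source": "Netlogon", "client": "DESKTOP-8F3"},
    {"time": "2023-06-12T04:10:00", "id": 5827, "source": "Netlogon", "client": "OLDNAS$"},
    {"time": "2023-06-12T04:11:00", "id": 5829, "source": "Netlogon", "client": "DESKTOP-8F3"},
]


def zerologon_dc_resets(events, dc_accounts=DC_ACCOUNTS):
    """Return 4742 events in which an anonymous caller changed the password of a
    domain controller's machine account: the residue of the public exploit path
    (NetrServerPasswordSet2 after winning the all-zero challenge)."""
    return [
        ev for ev in events
        if ev["id"] == 4742
        and ev["subject"].upper() == "ANONYMOUS LOGON"
        and ev["target"] in dc_accounts
        and ev["password_last_set"] != "-"
    ]


def netlogon_exposure(events):
    """Summarise Netlogon 5827/5828/5829 events: which clients still negotiate the
    vulnerable secure channel, and whether the DC is only logging them (5829) or
    already refusing them (5827/5828). Any 5829 means enforcement is not active."""
    allowed, denied = set(), set()
    for ev in events:
        if ev.get("source") != "Netlogon":
            continue
        if ev["id"] == 5829:
            allowed.add(ev["client"])
        elif ev["id"] in (5827, 5828):
            denied.add(ev["client"])
    return {
        "allowed_vulnerable": sorted(allowed),
        "denied_vulnerable": sorted(denied),
        "enforcement_gap": bool(allowed),
    }


if __name__ == "__main__":
    for ev in zerologon_dc_resets(SECURITY_EVENTS):
        print(f'{ev["time"]} possible Zerologon: {ev["subject"]} reset {ev["target"]}')
    print(netlogon_exposure(SYSTEM_EVENTS))
```

On the sample only the 02:00:01 event is reported as a DC reset; the workstation reset is still worth a look but is a different problem. The exposure summary shows DESKTOP-8F3 being allowed through on the vulnerable handshake, which is the gap to close before an attacker does it for you; legitimate machine-account rotations are not mistaken for exploitation because their subject is the account itself, never ANONYMOUS LOGON.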
The Cuba ransomware group remains a significant threat, especially to critical infrastructure sectors. They continue to evolve their tactics, techniques, and procedures, often incorporating new tools and exploits into their campaigns; their recent use of the Veeam vulnerability marks a new development in their operations. Organizations are advised to implement robust security measures, including up-to-date patch management, email gateway solutions, network segmentation, tested offline backups, AI-equipped endpoint protection platforms, security awareness training, modern firewalls, and Multi-Factor Authentication (MFA).
Ransomware attacks, like the ones orchestrated by the Cuba group, underscore the importance of proactive cybersecurity measures. The double-extortion method, where attackers not only encrypt data but also threaten to leak it, adds another layer of pressure on victims. This tactic has become increasingly popular among ransomware groups, making data confidentiality and integrity a top concern for organizations.
The fact that the Cuba group has been active for four years and continues to evolve its tactics is a testament to the persistence and adaptability of cybercriminals. Organizations must remain vigilant, continuously update their security protocols, and invest in employee training to recognize and respond to threats.
Moreover, the geopolitical dimension of such attacks cannot be ignored. The Cuba group's attribution to Russian-speaking operators rests on linguistic and technical evidence rather than on any proven state sponsorship, but state-sponsored attacks and cyber espionage are becoming more common, blurring the line between traditional warfare and cyber warfare and making international cooperation and cybersecurity diplomacy crucial in today's digital age.