A ransomware gang known as Cuba is exploiting a high-severity vulnerability in enterprise backup solutions to deploy malware and steal login credentials, according to a report from BlackBerry’s Threat Research and Intelligence team. The hacking campaign began in early June, and the group behind it, Cuba, is suspected by some cybersecurity experts to have ties to the Russian government. Two observations support this: Cuba excludes endpoints with a Russian keyboard layout from its attacks, and several of the 404 pages on its infrastructure are in Russian. The group primarily targets organizations in the Western world, leading researchers to believe that the attackers are likely state-aligned.
In this campaign, Cuba targeted critical infrastructure organizations in the United States and IT firms in Latin America. The group exploited CVE-2023-27532, a high-severity flaw found in Veeam Backup & Replication (VBR) tools. Using previously obtained administrator credentials, the attackers infiltrated target networks via RDP and deployed their custom downloader BugHatch. Additional steps were needed to fully compromise the network, including deploying a vulnerable driver to disable endpoint protection tools.
The Veeam flaw has been known for several months, and a proof-of-concept is available online, making it crucial for organizations to deploy the patch. Cuba also exploits CVE-2020-1472 (“Zerologon”), a vulnerability in Microsoft’s Netlogon protocol, for privilege escalation against Active Directory domain controllers. The group was previously observed in mid-April last year abusing flaws in Microsoft Exchange to compromise corporate endpoints, harvest data, and deploy the COLDDRAW malware.
Source: TechRadar
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.