‘Cuba’ Ransomware Group Uses Every Trick in the Book



In June, the Russian ransomware group “Cuba” attacked an organization servicing US critical infrastructure. The cyberattack failed despite the group’s use of multiple CVEs, off-the-shelf tools, unique malware programs, and evasion techniques.

Cuba is a financially motivated threat actor known for big-money ransomware attacks primarily targeting US organizations. In its latest known campaign, discovered by Blackberry, it targeted an American critical infrastructure provider as well as a systems integrator in Latin America.

In the process, the gang exploited two vulnerabilities – CVE-2020-1472 “Zerologon” and CVE-2023-27532 – deployed two of its signature malwares – BUGHATCH and BURNTCIGAR – and two off-the-shelf software programs – Metasploit and Cobalt – alongside many more programs and methods dedicated to intrusion and evasion.

How Cuba Wages Ransomware Attacks

The first sign that something was wrong came in May, when an administrator-level login was performed in the target’s network using Remote Desktop Protocol (RDP). There was no evidence of any prior failed login attempts, or of any kind of brute-forcing or vulnerability exploitation. Exactly how the attacker obtained valid credentials is not clear, but the Blackberry researchers noted that Cuba has used initial access brokers to obtain credentials in the past.

Once inside the network, Cuba deployed BUGHATCH, its own custom downloader. BUGHATCH establishes a connection to a command-and-control (C2) server, then downloads attacker payloads. (It can also execute files and commands.) One of BUGHATCH’s downloads this time, for example, was Metasploit, which it used to cement its foothold in the target environment.

To escalate privileges and gain administrator access, the group exploited Zerologon, the three-year-old vulnerability in Windows’ Netlogon Remote Protocol. But Cuba did not stop with just one vulnerability – it also exploited a “high” severity bug with a CVSS score of 7.5 in the Veeam backup software, with the goal of siphoning the credentials held in its config file.

Cuba’s second proprietary malware – BURNTCIGAR – is perhaps its most interesting, used to carry out Bring Your Own Vulnerable Driver (BYOVD) attacks. It exploits the I/O control codes used for communicating with drivers in order to terminate kernel-level processes en masse. In this case, BURNTCIGAR eliminated over 200 processes, largely associated with anti-malware and endpoint products.

Beyond zeroing out anti-malware and endpoint protections, Cuba covered its tracks by moving slowly and deliberately over a period of two months inside the network.

“It seems it was part of the OpSec to not raise suspicion, by delaying between each action within the victim’s network. It’s not like they were operating minute to minute, hour to hour. It’s doing something and then just waiting for a week, and then doing something again,” Bestuzhev explains.

Who Is Cuba?

Since its discovery in 2019, Cuba has been one of the world’s most profitable ransomware outfits. According to data from CISA, as of August 2022 the group had compromised 101 entities, 65 in the US and 36 elsewhere, demanding altogether $145 million in ransom payments and receiving around $60 million.

The group uses Cuban Revolution references and iconography in its code and on its leak site, but ample evidence suggests its members are, in fact, of Russian origin. Prior research revealed a translation mistake in a ransom note suggesting Russian-language origins, as well as a 404 error on the group’s website which, translated from Russian, reads “Oh, that’s 404! blablabla 404 blablabla.” Blackberry’s investigation uncovered further hints of poor Russian translations, as well as a feature for disabling the malware on any host computer running in Russian or with a Russian keyboard.

To defend against the Russian Cuba, Bestuzhev recommends that organizations place an emphasis on detection technologies, prompt and perhaps automated patching, and investment in advanced threat intelligence. And if all of that fails, then fast and decisive action must be taken, because “if there’s a delay – because of the weekend, or a lack of resources – it could lead to suffering huge losses,” he warns.
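The initial-access signal described above is a valid-credential RDP logon: an administrator-level session with no preceding failed attempts, followed by long pauses between actions. The script below, an added example that is not Blackberry’s or the article’s own code, shows how a defender could hunt for that pattern in Windows logon telemetry. It relies on the standard Security-log conventions (event 4624 for a successful logon, 4625 for a failure, logon type 10 for RDP); the record layout, the baseline of known user/source pairs, the `is_admin` flag (assumed to be resolved upstream by a SIEM), and every sample value are constructed for this example.

```python
"""Hunt for admin RDP logons that arrive with valid credentials and no noise.

Added example, not code from the article or from Blackberry. Event IDs and
logon types follow Windows Security-log conventions; everything else here
(record shape, sample events, baseline) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10      # Windows LogonType 10 = RemoteInteractive (RDP)
EVT_LOGON_OK = 4624      # successful logon
EVT_LOGON_FAIL = 4625    # failed logon


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str
    is_admin: bool       # privileged-group membership, assumed resolved by the SIEM


def _at(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Known admin from the usual jump host: one typo, then a normal logon.
    LogonEvent(_at("2023-05-01 09:00"), EVT_LOGON_FAIL, RDP_LOGON_TYPE, "jsmith", "10.0.5.20", True),
    LogonEvent(_at("2023-05-01 09:01"), EVT_LOGON_OK, RDP_LOGON_TYPE, "jsmith", "10.0.5.20", True),
    # Unprivileged user over RDP from a new address: out of scope for this hunt.
    LogonEvent(_at("2023-05-02 11:30"), EVT_LOGON_OK, RDP_LOGON_TYPE, "ahelp", "10.0.9.77", False),
    # Privileged account from a never-seen source, no failures, then silence
    # for about a week between each action.
    LogonEvent(_at("2023-05-03 02:14"), EVT_LOGON_OK, RDP_LOGON_TYPE, "svc_backup", "10.0.9.140", True),
    LogonEvent(_at("2023-05-10 03:02"), EVT_LOGON_OK, RDP_LOGON_TYPE, "svc_backup", "10.0.9.140", True),
    LogonEvent(_at("2023-05-18 01:40"), EVT_LOGON_OK, RDP_LOGON_TYPE, "svc_backup", "10.0.9.140", True),
]

# (user, source_ip) pairs observed during a clean reference period (constructed).
KNOWN_PAIRS = {("jsmith", "10.0.5.20"), ("ahelp", "10.0.5.21")}


def find_suspicious_admin_rdp(events, known_pairs, lookback=timedelta(days=7)):
    """Return admin RDP logons whose (user, source) pair is outside the baseline
    and which were not preceded by any failed logon from that source within
    `lookback`: credentials that simply worked the first time."""
    failures = defaultdict(list)   # source_ip -> timestamps of 4625 events
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == EVT_LOGON_FAIL:
            failures[e.source_ip].append(e.ts)
            continue
        if e.event_id != EVT_LOGON_OK or e.logon_type != RDP_LOGON_TYPE or not e.is_admin:
            continue
        if (e.user, e.source_ip) in known_pairs:
            continue
        preceded_by_failure = any(e.ts - lookback <= t <= e.ts for t in failures[e.source_ip])
        if not preceded_by_failure:
            hits.append(e)
    return hits


def max_gap_days(events, user):
    """Largest gap, in days, between successive successful logons for `user`.
    Multi-day gaps on a flagged account match the 'wait a week' tempo."""
    stamps = sorted(e.ts for e in events if e.event_id == EVT_LOGON_OK and e.user == user)
    if len(stamps) < 2:
        return 0.0
    return max((b - a).total_seconds() for a, b in zip(stamps, stamps[1:])) / 86400


if __name__ == "__main__":
    for h in find_suspicious_admin_rdp(SAMPLE_EVENTS, KNOWN_PAIRS):
        print(f"{h.ts} admin RDP logon by {h.user} from {h.source_ip}: new source, no prior failures")
    print("max gap in days for svc_backup:", round(max_gap_days(SAMPLE_EVENTS, "svc_backup"), 2))
```

The baseline is what makes the rule usable: "no failed attempts" on its own describes most legitimate logons, so the check is scoped to privileged accounts arriving from a user/source pair that has never been seen, and the gap measurement is a second, independent indicator to review on any account the first check flags.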
