Cuba Ransomware Group Employing Various Tactics

In June, an organization servicing critical infrastructure in the United States fell victim to a cyberattack by the Russian ransomware group “Cuba.” Despite utilizing multiple vulnerabilities and sophisticated techniques, the attack ultimately failed.

Cuba is a financially motivated threat actor known for conducting high-value ransomware attacks, with a primary focus on targeting organizations in the US. In a recent campaign uncovered by BlackBerry, Cuba targeted an American critical infrastructure provider as well as a systems integrator in Latin America.

During the attack, the group exploited two vulnerabilities – CVE-2020-1472, also known as “Zerologon,” and CVE-2023-27532. Additionally, Cuba deployed two of its signature malware programs, BUGHATCH and BURNTCIGAR, as well as off-the-shelf tools like Metasploit and Cobalt. The group employed various other intrusion and evasion techniques to maintain persistence within the target’s network.

The initial signs of the attack emerged in May when an administrator-level login was performed on the target’s network using Remote Desktop Protocol (RDP). There were no indications of prior failed login attempts or brute-forcing methods. While it remains unclear how the attacker obtained valid credentials, it is worth noting that Cuba has previously relied on initial access brokers to acquire credentials.
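A successful administrator RDP logon with no preceding failed attempts is a signal defenders can hunt for directly. The following is an added detection example, not code from the article or from BlackBerry's report: it scans Windows Security events (4624 successful logon with logon type 10 for RDP, 4625 failed logon) and flags privileged RDP logons that no failure preceded. The event records, account list and lookback window are constructed assumptions.

```python
# Added example (not from the article): flag successful RDP logons (event 4624,
# logon type 10) by privileged accounts that were NOT preceded by any failed
# logon (event 4625) for the same account and source within a lookback window.
# A clean admin RDP logon with no failures matches the valid-credentials pattern
# the article describes, so it deserves review rather than being treated as routine.
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2023-05-02T01:12:03", 4625, "jsmith", "10.0.0.15", 10),
    ("2023-05-02T01:12:20", 4625, "jsmith", "10.0.0.15", 10),
    ("2023-05-02T01:12:41", 4624, "jsmith", "10.0.0.15", 10),       # failures preceded it
    ("2023-05-02T03:40:10", 4624, "svc_admin", "203.0.113.7", 10),  # no failures: flag
    ("2023-05-02T04:05:00", 4624, "svc_admin", "10.0.0.22", 2),     # console logon: ignored
]

# Assumed list of privileged accounts; in practice pull this from the directory.
PRIVILEGED = {"jsmith", "svc_admin"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def flag_clean_admin_rdp(events, lookback=timedelta(minutes=30)):
    """Return (timestamp, account, source_ip) for each privileged RDP logon that
    had no failed logon for the same account and source within `lookback`."""
    ordered = sorted(events, key=lambda e: _parse(e[0]))
    failures = []  # (time, account, source) seen so far
    hits = []
    for ts, event_id, account, source, logon_type in ordered:
        now = _parse(ts)
        if event_id == 4625:
            failures.append((now, account, source))
        elif event_id == 4624 and logon_type == 10 and account in PRIVILEGED:
            recent_failure = any(
                account == acct and source == src and now - when <= lookback
                for when, acct, src in failures
            )
            if not recent_failure:
                hits.append((ts, account, source))
    return hits


if __name__ == "__main__":
    for hit in flag_clean_admin_rdp(SAMPLE_EVENTS):
        print("review:", hit)
```

Feed it your own exported 4624/4625 records (same tuple shape) to surface first-use-of-valid-credentials logons worth a second look.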

Once inside the network, Cuba deployed BUGHATCH, a custom downloader that establishes a connection to a command-and-control (C2) server. BUGHATCH then downloads various attacker payloads and can execute files and commands. In this particular attack, BUGHATCH downloaded Metasploit to solidify its foothold within the target environment.

To escalate privileges and gain administrator access, the group exploited the Zerologon vulnerability found in Windows’ Netlogon Remote Protocol. However, Cuba did not stop at one vulnerability. They also took advantage of a “high” severity bug in Veeam backup software, aiming to extract credentials stored within the software’s configuration file.

Cuba’s second proprietary malware, BURNTCIGAR, played a crucial role in executing Bring Your Own Vulnerable Driver (BYOVD) attacks. This malware leverages I/O control codes used for communication with drivers to terminate kernel-level processes. BURNTCIGAR effectively eliminated over 200 processes, particularly those associated with anti-malware and endpoint protection.

Throughout the attack, Cuba ensured that their actions went unnoticed by moving slowly and deliberately over a two-month period. Their careful approach aimed to avoid raising suspicion by introducing delays between each action taken within the victim’s network. This strategy allowed them to evade detection for an extended period.

Cuba, discovered in 2019, has become one of the most profitable ransomware groups globally. Data from the Cybersecurity and Infrastructure Security Agency (CISA) reveals that as of August 2022, the group compromised 101 entities, including 65 in the US and 36 elsewhere. Their ransom demands totaled $145 million, with approximately $60 million received.

Despite their references to the Cuban Revolution in their code and leak site, substantial evidence suggests that the members of Cuba are of Russian origin. Translation errors in ransom notes and the group’s website, as well as features specifically designed for disabling the malware on systems operating in Russian or with a Russian keyboard, all point to the group’s true origins.

To defend against the likes of the Russian-based Cuba, experts recommend organizations prioritize detection technologies, prompt patching, and investment in advanced threat intelligence. In the event of a successful breach, quick and decisive action is crucial to mitigate potential losses.

The failed cyberattack by Cuba serves as a reminder of the persistent threat posed by ransomware groups and the importance of robust cybersecurity measures for critical infrastructure providers and organizations worldwide. As threat actors continue to evolve their tactics, organizations must remain vigilant and proactive in mitigating risks posed by cybercriminals.
