In June, Russian ransomware group Cuba attacked an organization servicing US critical infrastructure. The cyberattack failed despite the group’s use of multiple CVEs, off-the-shelf tools, unique malware programs, and evasion methods.
Cuba is a financially motivated threat actor known for big money ransomware attacks primarily targeting US organizations. In its latest known campaign discovered by BlackBerry, it targeted an American critical infrastructure provider as well as a systems integrator in Latin America.
In the process, the gang exploited two vulnerabilities (CVE-2020-1472 “Zerologon” and CVE-2023-27532), deployed two of its signature malwares (BUGHATCH and BURNTCIGAR) and two off-the-shelf software programs (Metasploit and Cobalt), alongside plenty more programs and techniques dedicated to intrusion and evasion.
How Cuba Wages Ransomware Attacks
The first sign that something was wrong came in May, when an administrator-level login was performed in the target’s network using Remote Desktop Protocol (RDP). There was no evidence of any prior failed login attempts or any kind of brute-forcing or exploiting vulnerabilities. Exactly how the attacker obtained valid credentials is not clear, but the BlackBerry researchers noted that Cuba has used initial access brokers to obtain credentials in the past.
Once inside the network, Cuba deployed BUGHATCH, its own custom downloader. BUGHATCH establishes a connection to a command-and-control (C2) server, then downloads attacker payloads. (It can also execute files and commands.) One of BUGHATCH’s downloads this time, for example, was Metasploit, which it used to cement its foothold in the target environment.
To escalate privileges and obtain administrator access, the group exploited Zerologon, a 3-year-old vulnerability in Windows’ Netlogon Remote Protocol. But Cuba didn’t stop with just one vulnerability – it also exploited a high severity 7.5 CVSS-scored bug in the Veeam backup software, with the goal of siphoning the credentials held within its config file.
Cuba’s second proprietary malware – BURNTCIGAR – is perhaps its most interesting, used to carry out Bring Your Own Vulnerable Driver (BYOVD) attacks. It exploits the I/O control codes used for communicating with drivers in order to terminate kernel-level processes en masse. In this case, BURNTCIGAR eliminated more than 200 processes largely associated with anti-malware and endpoint products.
Beyond zeroing out anti-malware and endpoint protections, Cuba covered its tracks by moving slowly and deliberately over a period of two months inside of the network.
“It seems it was part of the OpSec not to raise suspicion, by delaying between each action inside of the victim’s network,” explains Dmitry Bestuzhev, senior director of CTI at BlackBerry. “It’s not like they were working minute to minute, hour to hour. It’s doing something and then just waiting for a week, and then doing something again.”
Who Is Cuba?
Since its discovery in 2019, Cuba has been one of the world’s most profitable ransomware outfits. According to data from CISA, as of August 2022 the group compromised 101 entities – 65 in the US and 36 elsewhere, demanding a total of $145 million in ransom payments and receiving around $60 million.
The group uses Cuban Revolution references and iconography in its code and its leak site, but ample evidence suggests its members are, in fact, of Russian origin. Prior research revealed a translation mistake in a ransom note suggesting Russian language origins, as well as a 404 error on the group’s website that, translated from Russian, read, “Oh, this is 404! blablabla 404 blablabla.”
BlackBerry’s investigation uncovered further hints of poor Russian translations, as well as a feature for disabling the malware on any host computer operating in Russian or with a Russian keyboard.
To defend against the Russian Cuba, Bestuzhev recommends that organizations place an emphasis on detection technologies, prompt and perhaps automated patching, and investing in advanced threat intelligence.
And if all of that fails, then quick and decisive action must be taken because “if there is a delay – because of the weekend or a lack of resources – it may lead to suffering huge losses,” he warns.