
‘Cuba’ Ransomware Group: Mastering the Art of Cyber Extortion


Cuba Ransomware Group Targets US Critical Infrastructure

Introduction

In June, the Russian-speaking ransomware group known as Cuba attempted a cyberattack on a US critical infrastructure provider. Despite chaining several vulnerability exploits, custom malware, and evasion techniques, the attack was ultimately unsuccessful. Cuba is a financially motivated threat actor that has primarily targeted US organizations for high-value ransomware attacks. In the campaign documented by BlackBerry, the group targeted an American critical infrastructure provider and a systems integrator in Latin America.

Cuba’s Attack Tactics

The first sign of Cuba’s intrusion was identified in May, when an administrator-level login to the target’s network occurred over Remote Desktop Protocol (RDP). There were no preceding failed login attempts and no evidence of vulnerability exploitation: the attacker arrived with valid credentials. How those credentials were obtained remains unclear, but BlackBerry researchers have noted that Cuba has previously bought access from initial access brokers. The practical consequence is that brute-force alerting alone would not have fired; detection has to key on context such as the source address, the time of day, and the privilege level of the account.

Once inside the network, Cuba deployed its custom downloader, BUGHATCH, which connects to a command-and-control server and retrieves further attacker payloads. In this campaign, Cuba also used Metasploit, the widely available open-source exploitation framework, to consolidate its foothold in the target environment. The group exploited Zerologon (CVE-2020-1472), the Netlogon privilege-escalation flaw patched in 2020, to gain domain administrator access. It additionally targeted a high-severity vulnerability in Veeam Backup & Replication (CVE-2023-27532) that lets an unauthenticated attacker retrieve the encrypted credentials stored in Veeam’s configuration database.

Cuba’s second proprietary malware, BURNTCIGAR, is notable for carrying out Bring Your Own Vulnerable Driver (BYOVD) attacks. The attacker loads a legitimately signed but vulnerable kernel driver, then sends it control requests (IOCTLs) that make the driver terminate processes on the attacker’s behalf, which bypasses the user-mode protections that normally stop an unprivileged program from killing security software. In this attack, BURNTCIGAR terminated more than 200 processes associated with anti-malware and endpoint protection products.

To avoid detection, Cuba operated slowly and deliberately, spending roughly two months inside the target’s network. By spacing out its actions and keeping the volume of suspicious activity low, the group aimed to stay below alerting thresholds and not draw immediate attention.

Who is Cuba?

Since its discovery in 2019, Cuba has gained notoriety as one of the world’s most profitable ransomware groups. According to data from the Cybersecurity and Infrastructure Security Agency (CISA), as of August 2022, Cuba had compromised 101 entities, with 65 of them located in the US and 36 elsewhere. The group has demanded a total of $145 million in ransom payments, receiving approximately $60 million.

While Cuba uses Cuban Revolution references and iconography in its code and leak site, there is ample evidence suggesting that its members are of Russian origin. Previous research has highlighted translation errors in ransom notes that indicate Russian language origins. Additionally, a 404 error message on the group’s website, when translated from Russian, reads, “Oh, this is 404! blablabla 404 blablabla.” Further investigation by BlackBerry revealed poor Russian translations and even a feature that disables the malware on computers operating in Russian or with a Russian keyboard.

Defending Against Cuba Ransomware Group

To defend against the Cuba ransomware group, organizations should prioritize the following measures:

Detection Technologies

Invest in detection that can identify and alert on the kinds of activity seen in this campaign: privileged RDP logons that do not match the account’s normal source or hours, domain controller machine-account changes made by anonymous callers (the Zerologon footprint), kernel driver loads from unexpected locations, and bursts of security-product process terminations. Threat intelligence that tracks the group’s tooling (BUGHATCH, BURNTCIGAR) and favoured vulnerabilities further improves the ability to recognize and respond to the intrusion early.
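As an added illustration of the detection points raised here and of the attack chain described in “Cuba’s Attack Tactics” above, the following Python script runs three simple rules over a handful of constructed Windows Security and Sysmon event records. It is example code written for this page, not code from BlackBerry, CISA, or the article. The event field names follow the real event schemas (4624/4625 logons, 4742 computer-account change, Sysmon 5 process terminated, Sysmon 6 driver loaded), but every record, the trusted driver directory, the security-process list, and the thresholds are assumptions chosen for the example.

```python
"""Three toy detections for the Cuba-style signals: a valid-credential elevated
RDP logon with no preceding failures, an anonymous Zerologon-style machine
account password reset, and a BYOVD driver load followed by mass termination
of security processes. All records below are constructed for this example."""
from collections import Counter
from datetime import datetime, timedelta

# Assumption: process image names of the endpoint security products in scope.
SECURITY_PROCESSES = {"MsMpEng.exe", "MsSense.exe", "SenseIR.exe", "NisSrv.exe",
                      "CSFalconService.exe"}
# Assumption: the only directory kernel drivers are expected to load from.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample telemetry as (timestamp, event_id, fields).
EVENTS = [
    # Failed then successful elevated RDP logon from one IP: noisy, not this rule's target.
    ("2023-05-01T09:00:00", 4625, {"TargetUserName": "jdoe", "IpAddress": "192.0.2.10"}),
    ("2023-05-01T09:00:30", 4624, {"TargetUserName": "jdoe", "LogonType": "10",
                                   "IpAddress": "192.0.2.10", "ElevatedToken": "%%1842"}),
    # Elevated RDP logon with no failures from that source in the prior 24 h.
    ("2023-05-03T02:11:40", 4624, {"TargetUserName": "svc_backup_admin", "LogonType": "10",
                                   "IpAddress": "203.0.113.45", "ElevatedToken": "%%1842"}),
    # Non-elevated RDP session (ElevatedToken %%1843 = No): ignored.
    ("2023-05-03T08:00:00", 4624, {"TargetUserName": "helpdesk", "LogonType": "10",
                                   "IpAddress": "198.51.100.7", "ElevatedToken": "%%1843"}),
    # Domain controller machine account changed by an anonymous caller.
    ("2023-05-17T03:42:02", 4742, {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}),
    # Routine machine account password rotation by the DC itself: ignored.
    ("2023-05-17T04:00:00", 4742, {"SubjectUserName": "DC01$", "TargetUserName": "DC01$"}),
    # Benign driver load from the standard driver directory.
    ("2023-06-20T01:00:00", 6, {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"}),
    # Driver dropped in a user-writable directory (constructed name), then a kill burst.
    ("2023-06-20T01:05:00", 6, {"ImageLoaded": "C:\\Users\\Public\\legit_vendor_driver.sys"}),
]
EVENTS += [
    ("2023-06-20T01:05:%02d" % (10 + i), 5, {"Image": "C:\\Program Files\\Vendor\\" + name})
    for i, name in enumerate(["MsMpEng.exe", "MsSense.exe", "SenseIR.exe", "NisSrv.exe",
                              "CSFalconService.exe", "MsMpEng.exe"])
]


def _ts(s):
    return datetime.fromisoformat(s)


def admin_rdp_without_failures(events, lookback=timedelta(hours=24)):
    """Elevated RDP logons (4624, LogonType 10, ElevatedToken Yes) with no 4625 from
    the same source IP in the preceding window: valid credentials came from somewhere."""
    failures = [(_ts(t), f["IpAddress"]) for t, eid, f in events if eid == 4625]
    hits = []
    for t, eid, f in events:
        if eid != 4624 or f.get("LogonType") != "10" or f.get("ElevatedToken") != "%%1842":
            continue
        when = _ts(t)
        prior = [ft for ft, ip in failures if ip == f["IpAddress"] and when - lookback <= ft < when]
        if not prior:
            hits.append((t, f["TargetUserName"], f["IpAddress"]))
    return hits


def zerologon_anonymous_reset(events):
    """4742 (computer account changed) where the actor is ANONYMOUS LOGON and the
    target is a machine account: the password reset footprint of a Zerologon attack."""
    return [(t, f["TargetUserName"]) for t, eid, f in events
            if eid == 4742 and f.get("SubjectUserName") == "ANONYMOUS LOGON"
            and f.get("TargetUserName", "").endswith("$")]


def byovd_mass_kill(events, window=timedelta(minutes=5), min_kills=5):
    """Driver load (Sysmon 6) from outside the trusted driver directories followed
    within `window` by at least `min_kills` terminations (Sysmon 5) of security
    processes. Returns (driver path, {process: kill count}) per suspicious load."""
    loads = [(_ts(t), f["ImageLoaded"]) for t, eid, f in events
             if eid == 6 and not f["ImageLoaded"].lower().startswith(TRUSTED_DRIVER_DIRS)]
    kills = [(_ts(t), f["Image"].rsplit("\\", 1)[-1]) for t, eid, f in events if eid == 5]
    hits = []
    for load_time, driver in loads:
        killed = Counter(name for kill_time, name in kills
                         if name in SECURITY_PROCESSES and load_time <= kill_time <= load_time + window)
        if sum(killed.values()) >= min_kills:
            hits.append((driver, dict(killed)))
    return hits


def run_all(events=EVENTS):
    return {"admin_rdp_no_failures": admin_rdp_without_failures(events),
            "zerologon_reset": zerologon_anonymous_reset(events),
            "byovd_mass_kill": byovd_mass_kill(events)}


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(rule, "->", findings)
```

The rules are deliberately narrow. The first one only fires for elevated interactive RDP sessions, so a noisy brute-force followed by success is left to a separate rule; the third requires both an unusual driver load and a kill burst in the same window, which keeps legitimate driver installs and ordinary service restarts from tripping it on their own.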

Prompt and Automated Patching

Keep systems and software up to date with the latest patches and security updates, including infrastructure such as domain controllers and backup servers. Both flaws Cuba exploited in this campaign had fixes available: Zerologon was patched in 2020, and the Veeam vulnerability had a vendor fix before the intrusion. Applying patches promptly, and automatically where possible, removes the vulnerabilities that threat actors like Cuba rely on.

Invest in Advanced Threat Intelligence

Having access to accurate and timely threat intelligence is crucial for understanding emerging threats and developing effective defense strategies. Organizations should consider partnering with reputable cybersecurity firms and subscribing to threat intelligence services.

Quick and Decisive Action

In the event of a cyberattack, it is crucial to respond quickly and decisively. Any delays, whether due to resource constraints or other factors, can result in significant losses. Organizations should have well-defined incident response plans in place to minimize the impact of an attack and swiftly eradicate the threat.

Conclusion

The Cuba ransomware group’s recent attack on a US critical infrastructure provider emphasizes the ongoing threat posed by financially motivated threat actors. Despite the failed attempt, organizations must remain vigilant and take proactive measures to protect their networks and data. Investing in robust cybersecurity defenses, prompt patching, and advanced threat intelligence are essential steps towards mitigating such threats. Furthermore, organizations should prioritize rapid response and decisive action in the event of an attack to limit potential losses and minimize the impact on critical operations.




<< photo by Hardeep Singh >>