Key Takeaways
Background
Cuba ransomware was recently observed using the Veeam vulnerability (CVE-2023-27532) to target critical infrastructure and IT entities in the US and Latin America. The campaign took place during June 2023. BlackBerry reported on this activity. BlackBerry researchers stated this is the first observed use of an exploit for CVE-2023-27532 by the Cuba ransomware group. According to BlackBerry, the initial access vector appeared to be via compromised admin credentials over RDP.
What is Cuba Ransomware?
Cuba ransomware group’s TTPs have evolved over time. These include, but are not limited to, the use of the custom downloader BUGHATCH, the antimalware killer BURNTCIGAR, Metasploit, Wedgecut, Cobalt Strike, LoLBins, CVE-2020-1472, CVE-2023-27532, credential reuse, initial access brokers, and Bring Your Own Vulnerable Driver (BYOVD) techniques.
The threat actors behind Cuba typically employ double extortion tactics, demanding a ransom from the victim and threatening to leak or sell stolen files if the ransom is not paid. Cuba’s leak site is known to sometimes disappear and then reappear when a new victim is compromised.
What is CVE-2023-27532?
IOCs
PolySwarm has multiple samples associated with this campaign.
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f Cuba