
Cuba ransomware group observed exploiting high-severity Veeam bug


The Cuba ransomware group was observed in what researchers describe as the first reported use of an exploit for a high-severity Veeam bug.

In a blog post Aug. 17, BlackBerry Threat Research reported that it investigated a campaign by the Cuba group in June that led to attacks on an organization within the critical infrastructure sector of the United States and an IT integrator in Latin America.

The Veeam vulnerability — CVE-2023-27532 — was a high-severity bug with a CVSS score of 7.5. NIST reported that the Veeam Backup and Replication component allows encrypted credentials stored in the configuration database to be obtained, which may lead to gaining access to the backup infrastructure hosts.

Based on string analysis of the code, the BlackBerry researchers believe the Cuba threat group is of Russian origin. That theory was further strengthened because the ransomware automatically terminates on hosts set to the Russian language, or on those that have the Russian keyboard layout present, the researchers reported.

Cuba ransomware — also known as COLDDRAW — first appeared on the threat landscape in 2019 and has built up a relatively small, but carefully selected, list of victims over the years, said BlackBerry researchers. It’s also known as Fidel ransomware because of a characteristic marker placed at the beginning of all encrypted files. This file marker serves as an indicator to both the ransomware and its decoder that the file has already been encrypted.

Despite its name and the Cuban nationalistic styling on its leak site, it’s unlikely the Cuba threat group has any connection or affiliation with the Republic of Cuba. It was previously linked to a Russian-speaking threat actor by researchers at Profero because of some linguistic mistranslation details they uncovered, as well as the discovery of a 404 webpage containing Russian text on the threat actor’s own leak site.

The BlackBerry researchers also pointed out that earlier this year an updated joint advisory issued by U.S. law enforcement said that as of August 2022, the Cuba ransomware group was believed to have compromised 101 entities, including 65 in the United States and 36 outside the United States. In that time, it has demanded USD $145 million in ransom payments, and received up to USD $60 million. 

It’s well-known that ransomware threat actors often disable recovery capability during an attack, thereby providing extra leverage during ransom negotiations, said Andre van der Walt, director of threat intelligence at Ontinue. This case highlights the need for organizations to identify critical services in their environment, identify vulnerabilities and regularly apply patches or other mitigation measures where appropriate, said van der Walt.

“Backup and recovery services would certainly fall within the definition of critical services,” said van der Walt. “The fact that the Cuba threat group has been able to take advantage of this critical vulnerability, after exploits have been freely available since March this year, speaks volumes about the state of vulnerability management in general.”

This Russia-affiliated threat group is clearly sophisticated, employing 29 different MITRE ATT&CK techniques as they navigate the kill chain from initial access to defense evasion and lateral movement, explained Phil Neray, vice president of Cyber Defense Strategy at CardinalOps. Neray said we are increasingly seeing encrypted backups as high-value targets, whether it's a Veeam backup service or other backup services such as AWS S3 buckets.

“Organizations should protect themselves by implementing granular monitoring with detections that cover all of these adversary techniques and look for unusual or unauthorized access to backups,” said Neray.
