Cuba Ransomware Targets U.S. Organizations via Veeam Exploit

The notorious Cuba ransomware group has leveraged a vulnerability in the popular Veeam software to launch attacks on critical organizations within the United States. This breach underscores the escalating sophistication of cybercriminals and the pressing need for robust cybersecurity measures.

Recent reports from cybersecurity experts reveal that the Cuba ransomware group has exploited a high-severity Veeam bug to compromise crucial U.S. institutions. This breach is particularly alarming due to the nature of the targeted organizations, which include entities operating within critical sectors such as healthcare, finance, and infrastructure.

Veeam, a widely used software suite for data protection, had previously fallen victim to an exploitable weakness. The Cuba ransomware group, known for its extensive criminal activities, capitalized on this vulnerability to infiltrate systems, encrypt data and demand hefty ransoms in return for decryption keys. The extent of the damage caused by these attacks is still under assessment.

Cybersecurity researchers have called attention to the significance of this incident because it demonstrates the shifting strategies of cybercriminals. By exploiting a commonly used piece of software, attackers can breach otherwise secure networks more easily, putting sensitive data and vital infrastructure at risk. The event highlights how crucial it is for businesses to remain watchful and proactive in protecting their digital assets.

Industry experts emphasize the need for preemptive action to reduce such risks. Regular software upgrades and prompt application of security patches are crucial to closing vulnerabilities quickly. Businesses must also invest in thorough cybersecurity training to give their employees the tools they need to spot and avoid attacks.

The Veeam vulnerability used by the Cuba ransomware gang serves as further evidence of the value of international cooperation in the fight against cybercrime. As cyber threats cross national and international borders, it is crucial for governments, law enforcement agencies, and cybersecurity companies to work together cohesively to track down cybercriminals and take down their networks.

Cuban Ransomware Gang Hacked Devices via Microsoft Drivers

Microsoft has suspended from its hardware developer program multiple accounts that signed malicious drivers used by the Cuba ransomware group to disable endpoint security solutions.

After infiltrating a target's systems, Cuba used these cryptographically signed 'drivers' to disable vulnerability scanning programs and alter settings. The activity was intended to go unnoticed; however, monitoring software from the security company Sophos alerted on it.

Additionally, in October, Microsoft received information from Google-owned Mandiant, SentinelOne, and Sophos that several cybercrime groups were using malicious third-party kernel-mode hardware drivers signed by Microsoft to deploy ransomware.

According to Microsoft's counsel, "In these attacks, the attacker had already gained administrative rights on compromised systems prior to using the drivers. The company's investigation has revealed that several developer accounts for the Microsoft Partner Center had been engaged in submitting malicious drivers to acquire a Microsoft signature."

The Cuba ransomware group employed the driver as part of its post-exploitation operations together with a malicious loader application, which was most likely used to terminate the processes of security products before the ransomware was launched. Mandiant named this malicious utility BURNTCIGAR in February, when it had previously been observed. At that time it was installed using a vulnerable driver associated with the Avast antivirus software.

Sophos' Christopher Budd, director of threat research, stated, "We've discovered a total of 10 malicious drivers, all of which are variations of the original discovery. Starting at least in July of last year, these drivers exhibit a concentrated effort to advance through the trust chain. It is tough to write a malicious driver from scratch and get it approved by a reputable body. Nevertheless, it's highly efficient because the driver can virtually complete any task without hesitation."

Since Windows 10, Microsoft has required that kernel-mode drivers be signed through the Windows Hardware Developer Program. Sophos researchers Andreas Klopsch and Andrew Brandt note that the signature denotes trust. In 2022, the abuse of legitimately signed third-party device drivers to kill security tools increased.
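Because the drivers in these attacks carried a valid Microsoft signature, a signature check alone does not separate them from benign ones; the added PowerShell example below (not code from the original post, Sophos, or Microsoft) gives a defender a first triage view by listing every running kernel-mode driver with its Authenticode status, signer, and whether it loads from outside the usual driver directory. The function name `Get-LoadedDriverSignature` is this example's own.

```powershell
# Added example: triage running kernel-mode drivers by signature status, signer
# and load path. Run in an elevated PowerShell session for full file access.

function Get-LoadedDriverSignature {
    [CmdletBinding()]
    param()

    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may use NT-style prefixes (\??\ or \SystemRoot\);
            # normalise it to a Win32 path before touching the file.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path

            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                # Valid, NotSigned, HashMismatch, UnknownError, ...
                Status = $sig.Status
                # Drivers signed through the Windows Hardware Developer Program
                # typically show "Microsoft Windows Hardware Compatibility
                # Publisher" here. A Valid status with that signer does not by
                # itself mean the driver is benign; that trust is exactly what
                # the Cuba drivers abused, so the signer is a triage field only.
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Inbox and vendor drivers normally live under System32\drivers;
                # anything loaded from elsewhere deserves a closer look.
                OutsideDriverDir = -not $path.StartsWith($driverDir, [System.StringComparison]::OrdinalIgnoreCase)
            }
        }
}

# Show the most interesting entries first: non-Valid status, then unusual locations.
Get-LoadedDriverSignature |
    Sort-Object @{ Expression = { $_.Status -ne 'Valid' }; Descending = $true },
                @{ Expression = 'OutsideDriverDir'; Descending = $true } |
    Format-Table Name, Status, OutsideDriverDir, Signer -AutoSize
```

Drivers flagged here still need correlation with EDR or Sysmon driver-load telemetry before any conclusion; the list is a starting point for review, not a verdict.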

According to a U.S. government alert, the Cuba ransomware group has taken in $60 million through operations against 100 companies worldwide. The report warned that the ransomware group, active since 2019, continues to target American critical infrastructure entities.

FBI & CISA Alert: Ransomware Gang Attacked Over 100 Organizations and Made Over $60 Million

CISA and FBI say ransomware attacks are on the rise

A joint Cybersecurity Advisory (CSA), #StopRansomware: Cuba Ransomware, from CISA and the FBI warns that a ransomware gang has attacked more than 100 organizations across the world and received more than $60 million in ransom payments. The latest CSA warns of a surge in both the ransom amounts demanded and the number of organizations attacked by the Cuba ransomware group.

As per the warning, Cuba ransomware attacks target healthcare, critical infrastructure, financial services, government services, technology, and other sectors. The CSA says that despite the name, the gang has no association with the country of Cuba. The FBI alerts that the ransomware group has attacked over 100 targets across the world, demanded more than $145 million in ransom payments, and collected $60 million in extortion payments.

Key updates from the FBI and CISA include:

  • FBI has identified a sharp increase in both the number of compromised U.S. entities and the ransom amounts demanded by Cuba ransomware actors.
  • Since spring 2022, Cuba ransomware actors have expanded their TTPs.
  • Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.

The group engages in double extortion attacks, not only encrypting data and demanding ransom payments, but also threatening to leak data stolen from the target if the victim fails to pay the ransom (demanded in Bitcoin).

New Ransomware Techniques Used by Threat Actors

This is the second CSA warning from CISA and the FBI about Cuba ransomware; the first came in December 2021. The new warning was prompted by a sudden increase in the number of cyberattacks and by the threat actors' adoption of more sophisticated techniques that make the attacks harder to detect and stop.

These techniques include abusing a vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2022-24521) to retrieve system tokens and enable privileges, while deploying a PowerShell script to enumerate service accounts in order to gain higher-level access to system controls.

Cuba Ransomware behind attacks

Cuba ransomware actors were also found exploiting Zerologon, a flaw in the Microsoft Windows Netlogon authentication protocol (CVE-2020-1472), to obtain domain administrator rights. Zerologon was disclosed in September 2020 and was termed an "unacceptable risk" at the time; two years later, threat actors are still able to abuse it.

The techniques Cuba ransomware uses to gain initial access to a victim's systems include exploiting known flaws in commercial software, phishing campaigns, using stolen credentials and passwords, and abusing legitimate Remote Desktop Protocol (RDP) tools.

Once the threat actors gain access, they install Hancitor, a malware payload that lets them easily regain access and launch operations on compromised networks, and which is ultimately used to drop and launch the ransomware payload.

"FBI and CISA encourage network defenders to review the joint CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response," says the CSA.