Tag Archive for: Cuba

Decoding Cuba Ransomware: An opportunity for next-gen data governance


BlackBerry’s recent post on the Cuba ransomware group paints a vivid picture of the cybersecurity scene, replete with challenges, yet ripe with opportunities. While threat actors such as Cuba demonstrate remarkable adaptability, they unwittingly underscore the indispensable need for robust data governance.

Modern cyber threat actors, as evident from the operations of the Cuba ransomware group, have refined their strategies into an art form that seamlessly melds the old with the new, the tried with the avant-garde. When dissecting the potency of tools like BUGHATCH and BURNTCIGAR in tandem with their more contemporary brethren, we see the duality that characterizes contemporary cyberattacks.

The synthesis of established techniques with nascent tactics is not haphazard: it results from meticulous orchestration. These hackers create a dangerous combination by exploiting known vulnerabilities, like the one in Veeam, seeking to cripple organizations both in terms of data access and operational functionality. The outcome? Enterprises caught off-guard, struggling to retrieve their data, and grappling with downtime, often find themselves in a cyber quagmire, battling both loss of trust and financial repercussions.

But the narrative doesn’t end there. With every move the threat actors make, they also unintentionally expose facets of their operational psyche. For instance, the decision to circumvent Russian-configured systems isn’t a mere tactical choice. It’s a window into their risk calculus, possibly hinting at geographical affiliations or a deliberate bid to avoid specific geopolitical entanglements. Similarly, linguistic missteps aren’t just errors; they’re breadcrumbs that, when pieced together, can reveal just what these threat actors are trying to do.

For astute organizations, these are more than just isolated incidents: they’re invaluable insights, fragments of a larger puzzle. By harnessing the power of digital forensics, companies can trace the lineage of an attack, dissect its trajectory, understand its origin, and predict potential future vectors. Coupled with robust threat intelligence, this twin-pronged strategy transforms seemingly innocuous clues into…

Source…

Cuba ransomware gang looking for unpatched Veeam installations: Report


The Cuba ransomware gang has tweaked its attack strategy to go after IT environments that haven’t patched a recently discovered vulnerability in Veeam Software’s backup solutions.

Usually the gang exploits the three-year-old Windows Server Netlogon vulnerability (CVE-2020-1472) known as Zerologon, BlackBerry said in a report Thursday. However, an analysis of a series of attacks in June, including attacks against a critical infrastructure organization in the United States and an IT integrator in Latin America, shows the gang is now also targeting the Veeam CVE-2023-27532 vulnerability.

Other researchers call the strain of ransomware used by this group Colddraw or Fidel. It first appeared in 2019 and, according to BlackBerry, has built up a relatively small but carefully selected list of victims in the years since. As of August 2022, the group had compromised 101 organizations, 65 of them in the United States.

Based on a strings analysis of the code used in the most recent campaign, BlackBerry found indications that the developer behind Cuba ransomware is Russian-speaking. That theory is further strengthened, the report says, by the fact that the ransomware automatically terminates its own execution on hosts that are set to the Russian language, or on those that have the Russian keyboard layout present.

IT defenders should also note that, in this particular campaign, the Cuba gang somehow got hold of an organization’s administrator credentials. The attackers logged in directly through Windows Remote Desktop Protocol (RDP). There was no evidence of prior failed login attempts, nor of techniques such as brute-forcing or exploitation of vulnerabilities. This means, BlackBerry concluded, that the attacker likely obtained the valid credentials via some other method.

Cuba’s toolkit consists of various custom and off-the-shelf parts. These include what BlackBerry calls BugHatch, a lightweight custom downloader likely developed by the Cuba ransomware members, as it has only been seen operated by them in the wild. It establishes a connection to a command-and-control server and downloads a payload of the attacker’s choosing, typically small PE files or PowerShell scripts. BugHatch can…

Source…

Philadelphia Inquirer attack admitted by Cuba ransomware



BleepingComputer reports that the Cuba ransomware operation has claimed responsibility for compromising The Philadelphia Inquirer in a cyberattack this month, which resulted in the publication’s most significant …

Source…

FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations


The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) report that as of August 2022, Cuba ransomware operators have received more than $60 million in ransom from their victims (initially, the hackers demanded more than $145 million in ransoms) and have attacked more than 100 organizations around the world.

The new security bulletin is a direct continuation of a similar document from a year ago. Let me remind you that in December 2021, it was reported that the Cuba ransomware brought its authors about $43.9 million, compromising at least 49 organizations.

We also wrote that Cuba Ransomware Variant Involves Double-Extortion Scheme.

The FBI also said that the $43.9 million represented only the actual payments made by victims; the hackers had originally demanded more than $74 million, but some victims refused to pay.

Since the bulletin was released in December 2021, the number of U.S. organizations compromised by Cuba ransomware has doubled, and the ransoms demanded and paid are on the rise. The FBI has observed that Cuba continues to attack US organizations in five critical infrastructure sectors: financial services, the public sector, healthcare, manufacturing, and IT, the experts write.

The FBI and CISA added that over the past year the ransomware operators have been refining their tactics and techniques, and are now associated with the RomCom remote access trojan (RAT) and the Industrial Spy ransomware.

Law enforcement officers also said at the time that they had tracked Cuba attacks on systems infected with the Hancitor malware, which uses phishing emails, exploits for Microsoft Exchange vulnerabilities, compromised credentials, or RDP brute force to gain access to vulnerable Windows machines. Once a system is infected with Hancitor, access to it is rented out to other hackers under a Malware-as-a-Service model.

Interestingly, the statistics of the ID-Ransomware platform do not suggest that Cuba ransomware is particularly active, which only shows that even a relatively low-volume ransomware operation can have a huge impact on victims and bring profit to its operators.

FBI and CUBA ransomware

Source…