Cuba Ransomware Exploits Veeam VulnerabilityThe Attack Accesses an Exposed API on a Component of the Veeam Application
The Cuba ransomware group is exploiting a bug in data backup software exposed in March, warn security researchers.
The Russian-speaking gang is deploying a combination of new and old tools, including a high-severity vulnerability in a backup application made by software developer Veeam, said BlackBerry.
The vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in Veeam Backup and Replication. Its exploitation could lead to unauthorized access to backup infrastructure hosts. BlackBerry said the Cuba group in June attacked a critical infrastructure organization in the United States and an IT integrator in Latin America.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a May alert warned the healthcare sector of a rise in cyberattacks exploiting the Veeam flaw.
The exploit works by accessing an exposed API on a component of the Veeam application -
Veeam.Backup.Service.exe, which exists on any version of the Veeam Backup and Replication software prior to version 11a and version 12.
The researchers said the group, which has no apparent relation to the island nation of Cuba, recently attacked a U.S.-based organization, revealing a complete set of tactics, techniques and procedures, many of which overlap with those from with previous Cuba ransomware incidents.
Cuba's toolkit includes a custom downloader known as Bughatch, a utility dubbed BurntCigar that terminates processes such as anti-malware endpoint solutions, and the Metasploit and Cobalt Strike frameworks, along with numerous "living off the land" binaries.
Cuba ransomware first appeared on the threat landscape in 2019. It is known for actively targeting critical infrastructure sectors including financial institutions, government buildings, the healthcare sector, manufacturing and information technology.
The group is known for stealing data before leaving systems maliciously encrypted and then leaking the data to try and force recalcitrant victims to pay. Its name comes from the
.cuba extension it adds to encrypted files and its predilection for using Cuban revolutionary kitsch artwork.