
Cuba Ransomware Exploits Veeam Vulnerability

The Attack Accesses an Exposed API on a Component of the Veeam Application
Revolutionary kitsch art in Las Tunas, Cuba (Image: Shutterstock)

The Cuba ransomware group is exploiting a bug in data backup software that was exposed in March, security researchers warn.


The Russian-speaking gang is deploying a combination of new and old tools, including a high-severity vulnerability in a backup application made by software developer Veeam, said BlackBerry.

The vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in Veeam Backup and Replication. Its exploitation could lead to unauthorized access to backup infrastructure hosts. BlackBerry said the Cuba group in June attacked a critical infrastructure organization in the United States and an IT integrator in Latin America.

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a May alert warned the healthcare sector of a rise in cyberattacks exploiting the Veeam flaw.

The exploit works by accessing an exposed API on a component of the Veeam application, Veeam.Backup.Service.exe, which exists on any version of the Veeam Backup and Replication software prior to version 11a and version 12.

The researchers said the group, which has no apparent relation to the island nation of Cuba, recently attacked a U.S.-based organization, revealing a complete set of tactics, techniques and procedures, many of which overlap with those from previous Cuba ransomware incidents.

Cuba's toolkit includes a custom downloader known as Bughatch, a utility dubbed BurntCigar that terminates processes such as anti-malware endpoint solutions, and the Metasploit and Cobalt Strike frameworks, along with numerous "living off the land" binaries.

Cuba ransomware first appeared on the threat landscape in 2019. It is known for actively targeting critical infrastructure sectors including financial institutions, government buildings, the healthcare sector, manufacturing and information technology.

The group is known for stealing data before leaving systems maliciously encrypted and then leaking the data to try and force recalcitrant victims to pay. Its name comes from the .cuba extension it adds to encrypted files and its predilection for using Cuban revolutionary kitsch artwork.

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
