A known ransomware gang is exploiting a high-severity vulnerability in enterprise backup solutions to deploy malware to their targets and steal login credentials.
This is according to a new report from BlackBerry’s Threat Research and Intelligence team, which claims that the hacking campaign started in early June this year. The organization behind it, known as Cuba, has been alleged by some cybersecurity experts to have ties to the Russian government.
Apparently, Cuba excludes endpoints with the Russian keyboard layout from its attacks and has a number of Russian 404 pages on its infrastructure. Furthermore, it targets (almost exclusively) organizations in the Western world, leading researchers to conclude that the attackers are likely state-aligned.
In this campaign, the group targeted “critical infrastructure organizations” in the United States, as well as IT firms in Latin America, although no names were mentioned.
To target these firms, Cuba abused CVE-2023-27532, a high-severity flaw in Veeam Backup & Replication (VBR). Using previously obtained administrator credentials, the attackers connect over RDP to the target network and drop their custom downloader, BugHatch.
A couple of additional steps are required before the network is fully compromised, though, including the deployment of a vulnerable driver to turn off endpoint protection tools.
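The chain described above (an RDP logon with stolen admin credentials, followed shortly by a kernel driver being registered to blind endpoint protection) is visible in ordinary Windows event logs. The script below is an added defensive example, not code from the article or from BlackBerry: it correlates Security event 4624 with logon type 10 (RemoteInteractive, i.e. RDP) against System event 7045 (new service installed) of kernel-driver type on the same host within a short window, and flags driver images loaded from user-writable paths. The event records, host names, account names and driver file names are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: a flattened view of Windows
# Security 4624 (account logon) and System 7045 (new service installed) records.
SAMPLE_EVENTS = [
    # RDP (logon type 10) into the backup server with an administrator account
    {"time": "2023-06-12T08:02:11", "host": "BACKUP01", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\backupadmin", "src_ip": "10.0.5.23"},
    # Seven minutes later a kernel driver is registered from a temp directory
    {"time": "2023-06-12T08:09:40", "host": "BACKUP01", "event_id": 7045,
     "service_name": "exdrv", "image_path": "C:\\Windows\\Temp\\exdrv.sys",
     "service_type": "kernel mode driver"},
    # Network logon (type 3) followed by a user-mode service: not RDP, not a driver
    {"time": "2023-06-12T09:15:02", "host": "FILE02", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.7.4"},
    {"time": "2023-06-12T09:16:30", "host": "FILE02", "event_id": 7045,
     "service_name": "UpdateAgent", "image_path": "C:\\Program Files\\Vendor\\agent.exe",
     "service_type": "user mode service"},
    # Driver install with no RDP session in the window: routine, no alert
    {"time": "2023-06-12T11:40:00", "host": "WS17", "event_id": 7045,
     "service_name": "vendordrv", "image_path": "C:\\Windows\\System32\\drivers\\vendordrv.sys",
     "service_type": "kernel mode driver"},
]

# Directories a non-admin process can usually write to; a signed-but-vulnerable
# driver dropped here is far more suspicious than one under System32\drivers.
WRITABLE_PATH_MARKERS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_rdp_driver_loads(events, window=timedelta(minutes=30)):
    """Return one alert per kernel-driver service install (7045) that follows an
    RDP logon (4624, logon type 10) on the same host within `window`."""
    ordered = sorted(events, key=lambda e: e["time"])
    rdp_logons = [e for e in ordered
                  if e["event_id"] == 4624 and e.get("logon_type") == 10]
    alerts = []
    for ev in ordered:
        if ev["event_id"] != 7045 or ev.get("service_type") != "kernel mode driver":
            continue
        installed_at = _parse(ev["time"])
        for logon in rdp_logons:
            logon_at = _parse(logon["time"])
            if logon["host"] == ev["host"] and timedelta(0) <= installed_at - logon_at <= window:
                path = ev["image_path"].lower()
                alerts.append({
                    "host": ev["host"],
                    "user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "driver": ev["image_path"],
                    "writable_location": any(m in path for m in WRITABLE_PATH_MARKERS),
                    "minutes_after_logon": round(
                        (installed_at - logon_at).total_seconds() / 60, 1),
                })
                break  # one alert per driver install is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate_rdp_driver_loads(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the BACKUP01 sequence produces an alert; the FILE02 events are a network logon plus a user-mode service, and the WS17 driver has no preceding RDP session. In production the same logic would be fed from a SIEM export or Sysmon-enriched data, and the `writable_location` flag would be joined with a block list of known vulnerable driver hashes.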
Given that the Veeam flaw has been public for a few months now, and that a proof-of-concept is already available on the internet, deploying the patch is pivotal at this moment, warns BleepingComputer.
The publication added that Cuba also exploits CVE-2020-1472 (“Zerologon”), a vulnerability in Microsoft’s NetLogon protocol, which gives the attackers privilege escalation against AD domain controllers.
The last time we heard from Cuba was in mid-April last year, when cybersecurity researchers from Mandiant observed the group abusing flaws in Microsoft Exchange to compromise corporate endpoints, harvest data, and deploy the COLDDRAW malware.
The experts’ report stated the group had used the ProxyShell and ProxyLogon vulnerabilities since at least August 2021 to plant various web shells, Remote Access Trojans (RATs), and backdoors on compromised systems.