A known ransomware gang is exploiting a high-severity vulnerability in enterprise backup solutions to deploy malware to their targets and steal login credentials.
This is according to a new report from BlackBerry’s Threat Research and Intelligence team, which claims that the hacking campaign started in early June this year. The organization behind it, known as Cuba, has been alleged by some cybersecurity experts to have ties to the Russian government.
Apparently, Cuba excludes endpoints with the Russian keyboard layout from its attacks and has a number of Russian 404 pages on its infrastructure. Furthermore, it targets (almost exclusively) organizations in the Western world, leading researchers to conclude that the attackers are likely state-aligned.
In this campaign, the group targeted “critical infrastructure organizations” in the United States, as well as IT firms in Latin America, although no names were mentioned.
To target these firms, Cuba abused CVE-2023-27532, a high-severity flaw discovered in Veeam Backup & Replication (VBR) tools. By using previously obtained administrator credentials, the attackers use RDP to infiltrate the target network and drop their custom downloader BugHatch.
A couple of additional steps are required before the network is fully compromised, though, including the deployment of a vulnerable driver to turn off endpoint protection tools.
Given that the Veeam flaw has been around for a few months now, as well as the fact that a proof-of-concept is already available on the internet, deploying a patch is pivotal at this moment, warns BleepingComputer.
The publication added that Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's NetLogon protocol, which gives the attackers privilege escalation against AD domain controllers.
Last time we heard from Cuba was in mid-April last year, when cybersecurity researchers from Mandiant observed the group abusing flaws in Microsoft Exchange to compromise corporate endpoints, harvest data, and deploy the COLDDRAW malware.
The experts’ report stated the group used ProxyShell and ProxyLogon vulnerabilities at least since August 2021 to plant various web shells, Remote Access Trojans (RAT), and backdoors on compromised systems.
- Check out the best backup tools around
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.