Cuba ransomware uses Veeam exploit against critical U.S. organizations
Bill Toulas
August 20, 2023, 10:15 AM
The Cuba ransomware gang was observed in attacks targeting critical infrastructure organizations in the United States and IT firms in Latin America, using a combination of old and new tools.
BlackBerry's Threat Research and Intelligence team, which spotted the latest campaign in early June 2023, reports that Cuba now leverages CVE-2023-27532 to steal credentials from configuration files.
The particular flaw impacts Veeam Backup & Replication (VBR) products, and an exploit for it has been available since March 2023.
Cuba attack details
An initial foothold on the target environment is achieved through a Metasploit DNS stager that decrypts and runs shellcode directly in memory.
Next, Cuba's signature custom downloader 'BugHatch' establishes communication with the C2 server and downloads DLL files or executes commands.
Apart from the relatively recent Veeam flaw, Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's Netlogon protocol that gives the attackers privilege escalation against Active Directory domain controllers.
In the post-exploitation phase, Cuba was observed using Cobalt Strike beacons and various "lolbins."
Cuba still very active
BlackBerry underlines the clear financial motivation of the Cuba ransomware gang and mentions that the threat group is likely Russian, something that has been hypothesized by other cyber-intelligence reports in the past.
This assumption is based on the exclusion of computers that use a Russian keyboard layout from infections, Russian 404 pages on parts of its infrastructure, linguistic clues, and the group's Western-focused targeting.
In conclusion, Cuba ransomware remains an active threat approximately four years into its existence, a longevity that is uncommon for a ransomware operation.
The inclusion of CVE-2023-27532 in Cuba's targeting scope makes the prompt installation of Veeam security updates extremely important and once again highlights the risk of delaying updates once proof-of-concept (PoC) exploits are publicly available.