BlackBerry Uncovers New Tools Used by Cuba Ransomware Group
BlackBerry has recently revealed the discovery of new tools used by the Cuba ransomware threat group. The group, which has been operating for four years, has shown no signs of slowing down and has been responsible for multiple high-profile attacks in various industries.
The BlackBerry Threat Research and Intelligence team investigated a campaign conducted by the Cuba threat group in June. This campaign targeted an organization within the critical infrastructure sector in the United States, as well as an IT integrator in Latin America. The threat group, believed to have Russian origins, used a set of malicious tools that overlapped with their previous campaigns and introduced new ones, including the first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.
BlackBerry privately shared this information with relevant authorities to enhance security and resilience across organizations worldwide. The findings and technical details of these latest attacks, as well as the evolution in tactics, techniques, and procedures (TTPs) utilized by the Cuba threat group, are documented in a comprehensive report.
Tactic and technique information according to MITRE ATT&CK® is provided, including initial access, execution, defense evasion, privilege escalation, discovery, lateral movement, credential access, and command-and-control.
The attack analyzed by BlackBerry involved a credentials reuse scheme, with evidence of a successful Administrator-level login via Remote Desktop Protocol (RDP) as the initial access point. The attacker likely obtained valid credentials through other clandestine means prior to the attack.
Cuba’s toolkit consists of custom and off-the-shelf parts that align with their previously seen TTPs. The deployment and execution of BUGHATCH, a lightweight custom downloader developed exclusively by the Cuba ransomware group, is the first stage. Metasploit, Cobalt Strike frameworks, Living-off-the-Land Binaries (LOLBINS), and several freely available Proof-of-Concept (PoC) code exploits were also utilized.
The Cuba ransomware group, also known as COLDDRAW ransomware, appeared on the threat landscape in 2019 and has selectively targeted victims over the years. It has no apparent connection to the Republic of Cuba, despite its misleading name. Researchers have linked the group to a Russian-speaking threat actor, and the code used in their campaigns suggests that the developer behind the ransomware is Russian-speaking as well.
Cuba ransomware follows the double-extortion approach, demanding ransom payments from victims. According to a joint advisory issued by U.S. law enforcement, the group is believed to have compromised 101 entities, demanding USD $145 million in ransom and receiving up to USD $60 million.
Throughout the years, Cuba has consistently used a core set of TTPs that include LOLBINs, exploits, commodity and custom malware, and popular legitimate pen-testing frameworks such as Cobalt Strike and Metasploit. They have occasionally used the Industrial Spy marketplace as a leak site.
BlackBerry’s analysis of the attack discovered defense evasion techniques, including attempts to uninstall endpoint protection, group policy modification, and the use of the Bring Your Own Vulnerable Driver (BYOVD) technique. They also observed the use of BURNTCIGAR, a utility that terminates processes on a kernel level, exploiting vulnerable drivers in the process.
This report by BlackBerry provides critical insights into the tactics and tools employed by the Cuba ransomware threat group, highlighting the need for robust security measures to counter their attacks.
