Cuba Ransomware Group Steals Credentials Via Veeam Exploit

A notorious Russian-speaking ransomware group has updated its attack tooling to include a Veeam exploit designed to harvest logins, according to BlackBerry.
The security-focused vendor said its discovery came from investigations into attacks by the Cuba group on a US critical national infrastructure provider and a South American IT integrator.
Now in its fourth year of operation, the group appears to be using a slightly tweaked set of tactics, techniques and procedures (TTPs) blending old and new tools and methods.
Among the new discoveries BlackBerry made was Cuba’s exploitation of CVE-2023-27532, which affects Veeam Backup & Replication software and is being used to steal credentials from configuration files on the victim’s device.
Read more on the Cuba group: Ukraine Warns of Cuba Ransomware Campaign
“The exploit works by accessing an exposed API on a component of the Veeam application – Veeam.Backup.Service.exe,” said BlackBerry. “This vulnerability exists on any version of the Veeam Backup & Replication software prior to the version 11a (build 11.0.1.1261 P20230227) and version 12 (build 12.0.0.1420 P20230223).”
The bug was also exploited by the FIN7 group back in March, BlackBerry added.
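For defenders triaging an estate, the two fixed builds quoted above are the useful detail. The following is an added example (not BlackBerry's or Veeam's code) that turns them into an inventory check: it parses a four-part Veeam build string, treats the 11a and 12 builds named in the article as the fixed boundaries, flags anything older (including every pre-11 release, which the article says is affected), and reports hosts that still need the patch. The build-string format, the `P…` patch-tag handling and the sample inventory are assumptions constructed for the example.

```python
"""Flag Veeam Backup & Replication installs that predate the CVE-2023-27532
fixed builds quoted in the BlackBerry report (added example, not vendor code)."""
from typing import Dict, List, Optional, Tuple

# Fixed builds from the article: 11a = 11.0.1.1261 P20230227, 12 = 12.0.0.1420 P20230223.
FIXED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    11: (11, 0, 1, 1261),
    12: (12, 0, 0, 1420),
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Parse a four-part build string such as '11.0.1.1261'.
    A trailing patch tag such as 'P20230227' (assumed to be space-separated)
    is ignored because the numeric build already identifies the fix level."""
    core = version.strip().split()[0]
    parts = core.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Veeam build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is older than the fixed build for its major branch,
    False if it is at or above it, None if the branch is newer than the
    article covers (check the vendor advisory rather than guessing)."""
    build = parse_build(version)
    major = build[0]
    if major < 11:
        return True  # article: any version prior to 11a is affected
    fixed = FIXED_BUILDS.get(major)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison handles each numeric component


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose Veeam build is below the fixed build."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver) is True)


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = {
    "backup01": "11.0.1.1261 P20230227",  # exactly the 11a fixed build
    "backup02": "11.0.0.837",             # older 11 release
    "backup03": "12.0.0.1420 P20230223",  # exactly the 12 fixed build
    "backup04": "12.0.0.1402",            # older 12 release
    "backup05": "10.0.1.4854",            # pre-11 release, affected per the article
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} predates the CVE-2023-27532 fix")
```

The comparison is on the numeric build, not the version label, because the article itself identifies the fix level by build number; a host reporting the exact fixed build is treated as patched, and anything on a branch the report does not mention is returned as unknown rather than silently marked safe.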
Elsewhere, Cuba exploited a legacy flaw in Microsoft NetLogon (CVE-2020-1472) and used custom and off-the-shelf tools such as custom downloader BugHatch, a Metasploit DNS stager, host enumeration tool Wedgecut, BurntCigar malware and numerous evasive techniques including Bring Your Own Vulnerable Driver (BYOVD).
Initial access in these studied compromises came from an administrator-level login via Remote Desktop Protocol (RDP). It’s likely that the Cuba group bought this from an initial access broker (IAB) or achieved it via vulnerability exploitation, BlackBerry said.
A joint advisory issued by the US authorities last year claimed Cuba ransomware had compromised around 100 organizations by August 2022, receiving as much as $60m in payments.