21 August 2023

Cuba ransomware using Veeam exploit in attacks against critical infrastructure, IT firms


The Cuba ransomware operation has been observed targeting critical infrastructure organizations in the US and IT firms in Latin America using an exploit for a Veeam vulnerability to steal credentials from configuration files.

Tracked as CVE-2023-27532, the flaw in question is a missing-authentication issue in Veeam.Backup.Service.exe. It allows an unauthenticated remote attacker to connect to the affected service, which listens on port 9401/TCP, retrieve the encrypted credentials stored in the configuration database, and use them to access the backup infrastructure hosts.
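Because the flaw is reachable over 9401/TCP without authentication, one defensive check is to flag connections to that port from hosts that are not known backup infrastructure. The following is an added example, not code from the article or from BlackBerry; the flow-log format, the sample lines and the allowlist CIDR are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

VEEAM_BACKUP_SERVICE_PORT = 9401  # port named in the CVE-2023-27532 description

# Constructed sample flow records (not real data). Assumed format:
# <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>
SAMPLE_LOG = """\
2023-06-12T08:01:13Z 10.20.0.15 -> 10.20.0.5:9401 TCP ALLOW
2023-06-12T08:03:40Z 10.20.0.16 -> 10.20.0.5:9401 TCP ALLOW
2023-06-12T08:05:02Z 10.50.7.88 -> 10.20.0.5:9401 TCP ALLOW
2023-06-12T08:05:03Z 10.50.7.88 -> 10.20.0.5:9401 TCP ALLOW
2023-06-12T08:05:04Z 203.0.113.9 -> 10.20.0.5:9401 TCP ALLOW
2023-06-12T08:06:10Z 10.50.7.88 -> 10.20.0.5:443 TCP ALLOW
"""


def parse_flow(line):
    """Parse one constructed flow record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts, src, _, dst_port, proto, action = parts
    dst, _, port = dst_port.rpartition(":")
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "port": int(port),
                "proto": proto, "action": action}
    except ValueError:
        return None


def find_unexpected_veeam_clients(log_text, allowed_sources):
    """Return {src_ip: count} for connections to 9401/TCP from hosts outside the allowlist.

    allowed_sources: CIDR strings for the backup-infrastructure hosts that legitimately
    talk to Veeam.Backup.Service.exe (an assumption; adjust to your environment).
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "TCP" or rec["port"] != VEEAM_BACKUP_SERVICE_PORT:
            continue
        if any(rec["src"] in net for net in allowed):
            continue  # known backup host, expected traffic
        hits[str(rec["src"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in find_unexpected_veeam_clients(SAMPLE_LOG, ["10.20.0.0/24"]).items():
        print(f"unexpected source {src}: {n} connection(s) to {VEEAM_BACKUP_SERVICE_PORT}/TCP")
```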

In a recent campaign, first spotted by BlackBerry's Threat Research and Intelligence team in June 2021, the threat actor, believed to be of Russian origin, deployed a mix of old and new tools: the custom downloader Bughatch, the antimalware killer Burntcigar, the Metasploit and Cobalt Strike frameworks, and numerous Living-off-the-Land Binaries (LOLBINS). The researchers also observed several publicly available exploits.

In the observed attack, the Cuba ransomware operators gained initial access to the victim’s network via Remote Desktop Protocol (RDP) likely using credentials obtained through other means.

BlackBerry's threat research team said it found two exploits deployed in this campaign, which align with the group's previous modus operandi. However, this appears to be the first time Cuba has exploited the CVE-2023-27532 vulnerability.

Besides the Veeam bug, the threat actor has been seen exploiting CVE-2020-1472 (aka Zerologon), a flaw in Microsoft's Netlogon protocol that enables privilege escalation against Active Directory domain controllers. The binary used to exploit this vulnerability in this campaign is the same one the Cuba operators have used across multiple attacks from 2022 to the present, the researchers noted.

“The Cuba ransomware operators continue to recycle network infrastructure and use a core set of TTPs that they have been subtly modifying from campaign to campaign, often adopting readily available components to upgrade their toolset whenever the opportunity arises. An example of this is a change in the use of exploits for key vulnerabilities; whereas they have been previously seen exploiting CVE-2020-1472/ Zerologon, this appears to be the first time they targeted CVE-2023-27532/ Veeam,” the report concluded. “In addition, the threat actor has made some under-the-hood modifications to some of their custom tooling, likely as a mechanism to impede both detection and analysis. Any updates are likely designed to optimize its execution during campaigns, and we expect to see persistent activity from this group in the near future.”

