Carding
Professional
The group adds to its toolkit with shouts of "Viva la Revolución!".
Cybercrime group Cuba continues to attack critical infrastructure in the United States and IT companies in Latin America. According to a report from the BlackBerry team, the hackers have started exploiting a new vulnerability identified as CVE-2023-27532.
This vulnerability affects Veeam Backup & Replication (VBR) products. Working exploit code for it has been available since March 2023. Previously, the same flaw was used by the FIN7 group in ransomware campaigns.
The BlackBerry team explained: first, Cuba uses stolen administrator credentials to gain access to systems via RDP (Remote Desktop Protocol), so no password brute-forcing is needed. Then, using its own downloader "BugHatch", Cuba communicates with the command-and-control server and downloads DLL files or executes the necessary commands.
To establish a foothold in the target environment, the attackers use the Metasploit DNS stager, which decrypts and runs shellcode in memory. Cuba also uses the BYOVD (Bring Your Own Vulnerable Driver) technique to disable security features and the "BurntCigar" tool to terminate security processes.
In addition to the new vulnerability in Veeam products, the hackers are exploiting CVE-2020-1472 ("Zerologon") in Microsoft's Netlogon protocol, which allows elevated access to Active Directory domain controllers. Cobalt Strike beacons and various "lolbins" (living-off-the-land binaries) are then used to control the system remotely.
According to BlackBerry, the group is driven by financial interest.
American researchers warn that Cuba has remained an active threat for about four years, and the inclusion of CVE-2023-27532 in its arsenal only complicates matters. We advise you to apply Veeam's security updates in a timely manner. It is especially important not to delay, as there are already publicly available examples of how this vulnerability can be exploited.