The Cuba ransomware gang was observed in attacks targeting critical infrastructure organizations in the United States and IT firms in Latin America, using a combination of old and new tools.
BlackBerry's Threat Research and Intelligence team, which spotted the latest campaign in early June 2023, reports that Cuba now leverages CVE-2023-27532, a Veeam Backup & Replication vulnerability, to steal credentials from configuration files.
Apart from the relatively recent Veeam flaw, Cuba also exploits CVE-2020-1472, a vulnerability in Microsoft's Netlogon protocol, which gives the attackers privilege escalation against Active Directory domain controllers.
BlackBerry underlines the clear financial motivation of the Cuba ransomware gang and mentions that the threat group is likely Russian, something that has been hypothesized by other cyber-intelligence reports in the past.
In conclusion, Cuba ransomware remains an active threat approximately four years into its existence, which is uncommon among ransomware operations.
The inclusion of CVE-2023-27532 in Cuba's targeting scope makes prompt installation of Veeam security updates extremely important, and once again highlights the risk of delaying patches when proof-of-concept (PoC) exploits are publicly available.
Related news
- Exploit for critical Veeam auth bypass available, patch now
- Exploit for critical Progress Telerik auth bypass released, patch now
- London hospitals left in critical condition after ransomware attack
- TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers
- Exploit for Veeam Recovery Orchestrator auth bypass available, patch now
- Ollama drama as 'easy-to-exploit' critical flaw found in open source AI server
- Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released
- PoC exploit for critical Fortra FileCatalyst flaw published (CVE-2024-5276)
- Hackers exploit critical D-Link DIR-859 router flaw to steal passwords
- New Ransomware Group Exploiting Veeam Backup Software Vulnerability
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-10 | CVE-2023-27532 | Missing Authentication for Critical Function vulnerability in Veeam Backup & Replication 11.0.1.1261/12.0.0.1420. A vulnerability in the Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. | 7.5 |
| 2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). | 5.5 |