Cuba ransomware attacks on the rise with new exploits

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) with new details regarding Cuba Ransomware attacks.

Nearly a year ago, in December 2021, the FBI warned in a Flash alert that Cuba ransomware had compromised 49 entities across five critical infrastructure sectors: financial services, government, healthcare, manufacturing, and information technology.

The updated CSA adds new Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) attributed to Cuba actors. It also documents a sharp rise in the volume of attacks, identified through FBI investigations, third-party reporting, and open-source reporting.

“Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase,” CISA wrote in the advisory.

CISA also noted that third-party and open-source reporting has identified a possible link between Cuba ransomware, the RomCom Remote Access Trojan (RAT), and the Industrial Spy ransomware actors.

As of August 2022, the FBI had linked Cuba ransomware actors to more than 100 compromised entities worldwide. The actors had demanded over 145 million U.S. dollars (USD) in ransom and received more than 60 million USD, roughly 40 percent of the amount demanded.

Attack Details

As identified by Palo Alto Networks' Unit 42 team, the Cuba ransomware actors have exploited a number of vulnerabilities and configuration weaknesses since spring 2022, including:

  • Exploited the Windows Common Log File System (CLFS) driver elevation of privilege vulnerability (CVE-2022-24521) to steal system tokens and elevate privileges. This zero-day was patched in Microsoft's April 2022 security update.
  • Used a PowerShell script to identify service accounts and request their associated Active Directory Kerberos service tickets, then collected and cracked the tickets offline via the "Kerberoasting" technique.
  • Used a tool called KerberCache to extract cached Kerberos tickets from the memory of the Local Security Authority Subsystem Service (LSASS) process on the victim's host.
  • Used a hacktool to exploit CVE-2020-1472 (aka "ZeroLogon") to gain Domain Administrator (DA) privileges. ZeroLogon abuses a flaw in Netlogon authentication to reset the domain controller's machine account password, after which the attacker can pull credential hashes, including NTLM hashes, from the domain controller.
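The Kerberoasting step above leaves a distinctive trace on domain controllers: a burst of Event ID 4769 (Kerberos service ticket requested) entries from one account, each for a different service account, typically with RC4-HMAC (encryption type 0x17) because RC4 tickets crack far faster than AES. The following detection logic is an added example, not code from the advisory or from Unit 42. It assumes a constructed `key=value;` line format for the 4769 fields (real deployments would read these from the Security log or a SIEM), and the sample log lines are constructed for illustration.

```python
"""Flag Kerberoasting-style bursts of RC4 service-ticket requests in 4769 events.

Added example; the line format and the sample events are constructed here,
they are not from the CISA advisory. In a real Event ID 4769 record the
requesting account is 'TargetUserName' and the SPN owner is 'ServiceName'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # etype requested by most Kerberoasting tools
WINDOW = timedelta(minutes=10)    # burst window, tune per environment
MIN_DISTINCT_SERVICES = 5         # distinct SPN owners in WINDOW before alerting

# Constructed sample log: one burst from jdoe, plus benign noise.
SAMPLE_LOG = """\
EventID=4769;TimeCreated=2022-09-14T09:00:01;TargetUserName=jdoe@CORP.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x12;IpAddress=10.0.0.5;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:00:02;TargetUserName=jdoe@CORP.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x17;IpAddress=10.0.0.5;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:00:05;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.0.0.5;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:00:06;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;IpAddress=10.0.0.5;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:00:06;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_iis;TicketEncryptionType=0x17;IpAddress=10.0.0.5;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:00:07;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_sccm;TicketEncryptionType=0x17;IpAddress=10.0.0.5;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:00:08;TargetUserName=jdoe@CORP.LOCAL;ServiceName=svc_exchange;TicketEncryptionType=0x17;IpAddress=10.0.0.5;Status=0x0
EventID=4768;TimeCreated=2022-09-14T09:10:00;TargetUserName=bob@CORP.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x12;IpAddress=10.0.0.7;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:10:30;TargetUserName=bob@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x12;IpAddress=10.0.0.7;Status=0x0
EventID=4769;TimeCreated=2022-09-14T09:30:00;TargetUserName=asmith@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.0.0.9;Status=0x0
"""


def parse_event(line):
    """Parse one constructed 'key=value;...' line into a dict."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    ev["EventID"] = int(ev["EventID"])
    ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
    return ev


def is_roastable_request(ev):
    """True for a successful 4769 for a user-owned SPN with an RC4 ticket.

    Computer accounts (names ending in '$') have long random passwords and
    krbtgt is the TGT service, so neither is a realistic cracking target.
    """
    if ev["EventID"] != 4769 or ev.get("Status", "0x0") != "0x0":
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"].lower() == RC4_HMAC


def find_kerberoasting(events):
    """Return one alert per (requester, source IP) that requested RC4 tickets
    for MIN_DISTINCT_SERVICES or more distinct service accounts within WINDOW."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end, ev in enumerate(evs):        # sliding window over the burst
            while ev["TimeCreated"] - evs[start]["TimeCreated"] > WINDOW:
                start += 1
            services = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(services) >= MIN_DISTINCT_SERVICES:
                alerts.append({
                    "requester": user,
                    "source_ip": ip,
                    "distinct_services": len(services),
                    "services": sorted(services),
                    "first_seen": evs[start]["TimeCreated"],
                    "last_seen": ev["TimeCreated"],
                })
                break                          # one alert per requester
    return alerts


def detect_from_log(text):
    """Parse a log blob and run the detection over it."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    return find_kerberoasting(events)


if __name__ == "__main__":
    for alert in detect_from_log(SAMPLE_LOG):
        print(f"Possible Kerberoasting by {alert['requester']} from {alert['source_ip']}: "
              f"{alert['distinct_services']} service accounts in "
              f"{(alert['last_seen'] - alert['first_seen']).seconds}s -> {alert['services']}")
```

Two caveats when deploying this. Legacy services that only support RC4 will generate 0x17 tickets legitimately, which is why the rule counts distinct service accounts per requester rather than alerting on a single RC4 request; and if RC4 is disabled domain-wide, attackers simply request AES tickets, so the encryption-type filter should be relaxed to "any" once the burst threshold is trusted. Setting long random passwords on service accounts (or moving them to group Managed Service Accounts) remains the fix that makes the cracked ticket worthless.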

In addition, third-party and open-source reporting has linked Cuba ransomware to the RomCom RAT and the Industrial Spy marketplace since spring 2022. The actors have used RomCom malware for command and control (C2), and deployed Industrial Spy ransomware in the compromise of a foreign healthcare company.

“The threat actors deployed Industrial Spy ransomware, which shares distinct similarities in configuration to Cuba ransomware. Before deploying the ransomware, the actors moved laterally using Impacket and deployed the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a C2 server,” CISA added.

Moreover, RomCom actors have “copied legitimate HTML code from public-facing webpages, modified the code, and then incorporated it in spoofed domains.”

Those spoofed domains were then used to host trojanized copies of legitimate applications, such as SolarWinds Network Performance Monitor (NPM), the KeePass password manager, and Advanced IP Scanner, with the RomCom RAT delivered as the final stage.

Other ransomware attacks

In a similar ransomware attack, Advanced, a managed IT and software provider to the UK National Health Service, confirmed in October 2022 that a security incident it had suffered involved LockBit 3.0 ransomware.

In August 2022, Zeppelin ransomware was also reported to be targeting a wide range of businesses and critical infrastructure organizations.

In July 2022, Microsoft researchers warned that North Korean threat actors had been using H0lyGh0st ransomware to target small and midsize businesses around the globe.

Readers can consult the full CISA/FBI Cuba ransomware advisory for the complete list of IoCs, TTPs, and recommended mitigations.