Cuba Ransomware – 08 September 2022

Cuba is a ransomware family that appends the .cuba file extension to encrypted files. When executed, this malware terminates services associated with common server applications and encrypts files on the local filesystem and attached network drives using an embedded RSA key.

The Cuba ransomware operation has increased its activity recently and has started to target financial organizations in the Middle East. A threat actor tracked as “Tropical Scorpius”, associated with UNC2596, has been observed impacting new organizations with Cuba ransomware across multiple sectors, such as Local Government, Manufacturing, and Financial Services.

Tactics and Techniques:

  • Initial access is gained by exploiting hosts with potentially unwanted programs (PUP), remotely exploitable vulnerabilities, remote desktop software such as GoToAssist, or through access brokers.
  • UNC2596 is known to exploit vulnerabilities in Microsoft Exchange Server, including ProxyShell and ProxyLogon.
  • The ransomware is executed by leveraging Windows components such as PowerShell and Task Scheduler.
  • Cuba ransomware can modify Boot or Logon autostart execution entries, create local accounts, and modify system processes for persistence with tools like Metasploit and variants of known trojans such as ZenPak.
  • Threat actors can escalate privileges through various techniques such as Access Token Manipulation using LOLBINs, or exploiting known vulnerabilities such as Zerologon.
  • Cuba ransomware uses obfuscation techniques such as XOR algorithms to encode payloads to evade detection and leverages Defender Control to disable Microsoft Defender.
  • Cuba obtains credentials by dumping LSA Secrets, keylogging, or by stealing Kerberos tickets.
  • Cuba ransomware performs discovery in several ways, for example collecting system information by calling Windows API functions such as “FindFirstVolume”.
  • The ransomware moves through the environment using Lateral Tool Transfer and pass-the-ticket techniques.
  • The Cuba group identifies potentially sensitive data and exfiltrates it from the environment, using extortion to coerce payment from its victims.

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents


Vulnerabilities

  • CVE-2022-24521
  • CVE-2020-1472
  • CVE-2021-31207
  • CVE-2021-34473
  • CVE-2021-34523

Mitigations

  • Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
  • If remote access is required, use a VPN configured according to vendor best practices, with multi-factor authentication, password audits, and precise access control, and actively monitor remote access sessions.
  • Users logged into remote access services should have limited privileges for the rest of the corporate network.
  • Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
  • Develop and implement a patching policy and baseline configuration standards for an operating system.
  • Conduct cybersecurity awareness training for end users.
  • Search for existing signs of the indicated IoCs in your environment.
  • Block all URL and IP-based IoCs at the organization’s security devices.
  • Ensure anti-virus software and associated files are up to date.
  • Set up an alert for events in which an AV agent loses its connection with the management console.
  • Back up your data to different backup destinations, including tape drives.
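As an added example (not part of this advisory or of any EG-FinCIRT tooling), the following Python script illustrates two of the detections suggested above: it scans constructed Windows event records for Microsoft Defender real-time protection being disabled (Defender/Operational event 5001, plus 5010 and 5012) and for a burst of server-application services stopping (Service Control Manager event 7036), which matches the service-termination behaviour described in the overview. The service watch-list, burst window and threshold are assumptions to be tuned for your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp>|<channel>|<event_id>|<message>".
# They are not from a real incident; they only illustrate the two behaviours.
SAMPLE_EVENTS = """\
2022-09-08T10:00:01|Microsoft-Windows-Windows Defender/Operational|5001|Microsoft Defender Antivirus Real-time Protection is disabled.
2022-09-08T10:00:05|System|7036|The MSSQLSERVER service entered the stopped state.
2022-09-08T10:00:06|System|7036|The MSExchangeIS service entered the stopped state.
2022-09-08T10:00:07|System|7036|The MySQL service entered the stopped state.
2022-09-08T10:00:08|System|7036|The Spooler service entered the running state.
2022-09-08T12:30:00|System|7036|The MSSQLSERVER service entered the running state.
"""

# Assumed watch-list of server-application services; the advisory names the behaviour, not the services.
WATCHED_SERVICES = {"MSSQLSERVER", "MSExchangeIS", "MySQL", "SQLWriter", "vmcompute"}
DEFENDER_DISABLE_EVENTS = {5001, 5010, 5012}  # real-time, antimalware and AV scanning disabled
BURST_WINDOW = timedelta(minutes=5)          # assumed: this many stops inside the window is suspicious
BURST_THRESHOLD = 3

STOP_RE = re.compile(r"The (\S+) service entered the stopped state")

def parse(log_text):
    """Yield (timestamp, channel, event_id, message) for each non-empty record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, channel, eid, msg = line.split("|", 3)
        yield datetime.fromisoformat(ts), channel, int(eid), msg

def detect(log_text):
    """Return a list of (timestamp, finding) tuples in log order."""
    findings, stops = [], []
    for ts, channel, eid, msg in parse(log_text):
        if channel.startswith("Microsoft-Windows-Windows Defender") and eid in DEFENDER_DISABLE_EVENTS:
            findings.append((ts, f"defender_disabled:{eid}"))
        m = STOP_RE.search(msg) if eid == 7036 else None
        if m and m.group(1) in WATCHED_SERVICES:
            stops.append((ts, m.group(1)))
            # Sliding window: watched-service stops within BURST_WINDOW of this one.
            recent = [name for t, name in stops if ts - t <= BURST_WINDOW]
            if len(recent) >= BURST_THRESHOLD:
                findings.append((ts, "service_stop_burst:" + ",".join(recent)))
                stops.clear()  # report each burst once
    return findings

if __name__ == "__main__":
    for ts, finding in detect(SAMPLE_EVENTS):
        print(ts.isoformat(), finding)
```

On the constructed sample this reports the Defender-disable event followed by one burst covering the three watched services; the later restarts produce nothing.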
