Ransomware gang is exploiting flaws in backup software to attack infrastructure

Flaws in Veeam’s backup solution were abused

A known ransomware gang is exploiting a high-severity vulnerability in enterprise backup solutions to deploy malware to its targets and steal login credentials.

This is according to a new report from BlackBerry’s Threat Research and Intelligence team, which claims that the hacking campaign started in early June this year. The organization behind it, known as Cuba, has been alleged by some cybersecurity experts to have ties to the Russian government.

Apparently, Cuba excludes endpoints with the Russian keyboard layout from its attacks and has a number of Russian 404 pages on its infrastructure. Furthermore, it targets (almost exclusively) organizations in the Western world, leading researchers to conclude that the attackers are likely state-aligned.

Critical targets

In this campaign, the group targeted “critical infrastructure organizations” in the United States, as well as IT firms in Latin America, although no names were mentioned.

To target these firms, Cuba abused CVE-2023-27532, a high-severity flaw discovered in Veeam Backup & Replication (VBR) tools. Using previously obtained administrator credentials, the attackers connect over RDP to infiltrate the target network and drop their custom downloader, BugHatch.

A couple of additional steps are required before the network is fully compromised, though, including the deployment of a vulnerable driver to turn off endpoint protection tools.

Given that the Veeam flaw has been around for a few months now, as well as the fact that a proof-of-concept is already available on the internet, deploying a patch is pivotal at this moment, warns BleepingComputer.

The publication added that Cuba also exploits CVE-2020-1472 (“Zerologon”), a vulnerability in Microsoft’s Netlogon protocol, which gives the attackers privilege escalation against AD domain controllers.

The last time we heard from Cuba was in mid-April last year, when cybersecurity researchers from Mandiant observed the group abusing flaws in Microsoft Exchange to compromise corporate endpoints, harvest data, and deploy the COLDDRAW malware.

The experts’ report stated that the group had used the ProxyShell and ProxyLogon vulnerabilities since at least August 2021 to plant various web shells, Remote Access Trojans (RATs), and backdoors on compromised systems.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.