September 21, 2023 HAWKEYE

Cuba Ransomware Group Targets Critical Systems by Using Veeam Vulnerability

Using a mix of outdated and modern techniques, the Cuba ransomware group has been seen launching attacks against American critical infrastructure organizations and Latin American IT companies.


Early in June 2023, the most current campaign was identified; as of this writing, CVE-2023-27532 is being used by Cuba to steal credentials from configuration files, according to BlackBerry’s Threat Research and Intelligence team.

The specific vulnerability affects Veeam Backup and Replication (VBR) products, and an exploit has been available since March 2023. The use of CVE-2023-27532 by FIN7, an organization with several documented links to different ransomware operations, was previously made public by WithSecure.

Cuba Ransomware Group

In the years since it first debuted on the threat landscape in 2019, Cuba ransomware, also known as COLDDRAW ransomware, has built up a relatively small but carefully chosen list of victims. Due to a distinctive marker that is included at the start of all encrypted files, it is also known as Fidel ransomware. This file marker serves as a reminder that the file has been encrypted to the ransomware and its decoder.

Cuba employs the double-extortion strategy, like many other ransomware authors, to “encourage” victims to make a payment. Cuba has employed a consistent set of core TTPs for the past four years, with minor variations from year to year. These often include commercial and customized malware, vulnerabilities, LOLBins, and well-known reliable pen-testing frameworks like Cobalt Strike and Metasploit.

CVE-2023-27532 (Veeam)

This vulnerability affects the legitimate Veeam Backup & Replication software, allowing an attacker to potentially gain access to the credentials stored within the configuration file on the victim’s device. It is exploitable via the Veeam backup service, which runs on the default TCP port of 9401.

The exploit works by accessing an exposed API on a component of the Veeam application — Veeam.Backup.Service.exe. This vulnerability exists on any version of the Veeam Backup & Replication software prior to version 11a (build P20230227) and version 12 (build P20230223).

Infection Chain

The distribution and execution of BUGHATCH, a lightweight custom downloader most likely created by the Cuba ransomware group given it has only been observed being used by them in the wild, marks the start of the first stage. It connects to a command-and-control (C2) server and downloads the attacker’s preferred payload, which is often a tiny PE file or PowerShell script. Additionally, BUGHATCH has the ability to run files or instructions, including providing the operator with an option as to how a payload should be run.

Cuba operators used Metasploit to obtain a foothold in the target environment, especially to execute their dns_txt_query_exec payload that was hidden within the DLLs. They then proceeded to decode and run the shellcode in memory after being executed through certain exports. A DNS record or records are queried using a TXT query by the shellcode, which then executes the payload that is returned.

By employing the now-common BYOVD (Bring Your Own Vulnerable Driver) technique, Cuba disables endpoint security solutions. Additionally, it uses the “BurntCigar” module to terminate kernel processes associated with security products.

In addition to the recent Veeam vulnerability, Cuba also makes use of CVE-2020-1472 (“Zerologon”), a vulnerability in Microsoft’s NetLogon protocol that enables them to escalate privileges against AD domain controllers.

Cuba was seen employing different lolbins and Cobalt Strike beacons during the post-exploitation phase.

Cuba ransomware infection chain
Infection Chain (Source: Blackberry)


Tactic Technique
Initial Access T1133, T1078.003
Execution T1106, T1204.002, T1059.001, T1059.003, T1569.002, T1218.011
Defense Evasion T1211, T1548.002, T1140, T1562.001, T1036.005
Defense Evasion T1211, T1548.002, T1140, T1562.001, T1036.005
Privilege Escalation T1543.003, T1068
Discovery T1124, T1135, T1018, T1083, T1057, T1016.001
Lateral Movement T1570, T1333
Credential Access T1212
Command-and-Control T1219, T1090.003, T1071.004, T1071.001, T1105



Fix Version: To safeguard your environment against CVE-2023-27532, you may upgrade to the below fix versions:

12 (build P20230223)
11a (build P20230227)


Upgrade to the fix versions documented above.

  • Password policies mandating strong keyspace and enabling multi-factor authentication for all critical services.
  • Advanced endpoint security products on all endpoints to detect indicators of compromise (IOC) and take defensive action to block malicious payloads from executing.
  • Keeping all operating systems and software up to date and conducting regular vulnerability scanning and penetration testing of all network infrastructure, remediating any discovered vulnerabilities as soon as possible.
  • Implementing a principle of least privilege approach to security, including removing unnecessary access to administrative shares and other services.
  • Segmented networks and NIPS and NIDS to monitor network activity for anomaly behavior.
  • Hardening all endpoints, including employee workstations and servers, by disabling command-line and scripting activities and permissions and unrequired services to reduce the potential of a living off the land (LOTL)-type attacks.
  • A solid backup strategy that includes offline, encrypted, and immutable backups of data.
, , , , , , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.