In a flash alert issued in coordination with DHS/CISA, the Federal Bureau of Investigation (FBI) reported that, as of early November 2021, Cuba ransomware had compromised around 49 entities across five U.S. critical infrastructure sectors: financial services, government, healthcare, manufacturing, and information technology.
Per the flash alert, Cuba ransomware is identified by the “.cuba” extension it appends to the files it encrypts. The group has reportedly demanded at least $74 million in ransoms and received at least $43.9 million in payments.
The Group-IB Threat Intelligence and Attribution team found that the threat actors actively use the Hancitor downloader to deploy Cuba ransomware. According to the team, Cuba ransomware has been active since at least January 2020. Its operators run a dedicated leak site (DLS), where they publish data exfiltrated from victims who refuse to pay. Hancitor itself has been active since at least 2016, originally dropping Pony and Vawtrak; as a loader it has since delivered other malware families, such as the Ficker stealer and NetSupport RAT, to compromised hosts. Hancitor operators gain initial access to a victim’s network through phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools. Cuba ransomware actors then rely on legitimate Windows services and administration tooling (PowerShell, PsExec and other unspecified services), combined with Windows administrative privileges, to execute the ransomware and other processes remotely.
The FBI flash describes the post-compromise chain in its own words: “Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include ‘pones.exe’ for password acquisition and ‘krots.exe,’ also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the ‘krots.exe’ file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com.”
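The tradecraft above (PsExec-driven lateral movement, a beacon registered as a service through PowerShell, the pones.exe/krots.exe droppers, a payload executed from a temporary file, DNS traffic to teoresp.com, and files renamed with the .cuba extension) maps cleanly onto a handful of host-telemetry detections. The following is an added example, not FBI/CISA or Group-IB code: it encodes those indicators as rules and runs them over a few constructed sample events. The key=value event format, the hostnames and the file paths are assumptions made for the illustration.

```python
"""Detection rules for the Cuba ransomware tradecraft described in the FBI flash
alert, run over constructed sample telemetry. Added illustration, not FBI/CISA or
vendor code; the key=value event format is an assumption for this example."""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Indicators named in the FBI flash as quoted in the article.
CUBA_EXTENSION = ".cuba"                          # appended to encrypted files
DROPPED_EXECUTABLES = {"pones.exe", "krots.exe"}  # password grabber and KPOT
C2_HOSTS = {"teoresp.com"}                        # reported malware repository

# A beacon "installed as a service via PowerShell" usually shows up as a service
# whose image path is powershell.exe carrying an encoded command.
ENCODED_POWERSHELL = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:enc|encodedcommand|e|ec)\s", re.I)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value telemetry line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map an event to the intrusion stage it evidences, or None if benign."""
    kind = event.get("event")
    image = event.get("image", "")
    name = PureWindowsPath(image).name.lower() if image else ""
    if kind == "service_install" and ENCODED_POWERSHELL.search(image):
        return "execution: service installed via encoded PowerShell (beacon)"
    if kind == "process_create":
        if name in DROPPED_EXECUTABLES:
            return f"execution: known Cuba dropper {name}"
        if name == "psexesvc.exe":
            return "lateral_movement: PsExec service binary started"
        if name.endswith(".tmp") and "\\temp\\" in image.lower():
            return "execution: .tmp payload launched from a Temp directory"
    if kind == "dns_query" and event.get("query", "").lower() in C2_HOSTS:
        return "c2: DNS query for the reported malware repository"
    if kind == "file_rename" and event.get("target", "").lower().endswith(CUBA_EXTENSION):
        return "impact: file renamed with the .cuba extension"
    return None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run every rule over the lines and return the findings in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        stage = classify(event)
        if stage is not None:
            findings.append({"host": event.get("host", "?"), "stage": stage, "line": line})
    return findings


def hosts_by_stage_count(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Rank hosts by how many distinct stages fired: a host with both execution
    and C2, or lateral movement and impact, is further along than one with a
    single hit and should be triaged first."""
    stages: Dict[str, set] = {}
    for f in findings:
        stages.setdefault(f["host"], set()).add(f["stage"].split(":")[0])
    return dict(sorted(((h, len(s)) for h, s in stages.items()), key=lambda hs: -hs[1]))


# Constructed sample events (not real telemetry); hostnames and paths are invented.
SAMPLE_EVENTS = [
    r'event=service_install host=WS-07 service=UpdateSvc image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAA=="',
    r'event=process_create host=WS-07 image="C:\Users\Public\pones.exe" parent="C:\Windows\System32\services.exe"',
    r'event=process_create host=WS-07 image="C:\Users\Public\krots.exe" parent="C:\Windows\System32\services.exe"',
    r'event=process_create host=WS-07 image="C:\Users\alice\AppData\Local\Temp\7f2a.tmp" parent="C:\Users\Public\krots.exe"',
    r'event=dns_query host=WS-07 query=teoresp.com',
    r'event=process_create host=FS-01 image="C:\Windows\PSEXESVC.exe" parent="C:\Windows\System32\services.exe"',
    r'event=file_rename host=FS-01 source="D:\Shares\Finance\Q3.xlsx" target="D:\Shares\Finance\Q3.xlsx.cuba"',
    r'event=process_create host=WS-02 image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"',
    r'event=dns_query host=WS-02 query=update.microsoft.com',
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["host"]:6} {hit["stage"]}')
    print("triage order:", hosts_by_stage_count(hits))
```

The file-name and domain rules are brittle by design (the operators can rename droppers and rotate infrastructure), which is why the example also keys on behaviours the article describes rather than names: a service whose binary is an encoded PowerShell command, PSEXESVC appearing on a host, and an executable run from a Temp directory with a .tmp extension. In production the same logic would sit on Sysmon/EDR events (service installs, process creations, DNS queries, file renames) rather than on a flat key=value file.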
The flash alert also recommends mitigations to reduce the risk of compromise by Cuba ransomware.
As the holiday season brings a significant spike in cybercrime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI remind all organizations, big or small, and critical infrastructure partners that malicious groups deliberately time their attacks for these periods.
The authorities have issued advisories urging organizations, especially critical infrastructure and service providers, to assess their current security posture and implement best practices and mitigations to reduce the threat posed by cyberattacks.
Despite the alerts, the number of ransomware victims continues to rise, and many organizations pay the ransom to protect their reputation, critical information and data, and financial standing.
Satya Gupta, Cofounder and CTO, Virsec, opined, “Critical infrastructure will remain a highly lucrative target. There is a subtle but massive change in attacker tactics that is taking place and we are at risk of being totally blindsided. Attackers are increasingly burrowing their attacks deep in the software runtime by exploiting vulnerabilities. Being deeper in the software’s runtime helps attackers evade early discovery as evidenced by this group’s method.”
“While many vulnerability disclosures are accompanied by a software patch, the most sophisticated attackers often leverage undisclosed vulnerabilities. In a recent interview, CISA Director Jen Easterly remarked that more than ‘90 percent of vulnerabilities exploited by ransomware have patches associated with them.’ What is left unsaid is that the other 10% of attacks exploit vulnerabilities for which patches are not available. Irrespective, patching is not a successful security strategy. This is because even if a patch were available, many entities will drag their heels in deploying the patch.”
Government authorities have also made ransomware a priority and are pressuring ransomware groups to cease operations in order to address the growing menace.
See also: Biden Administration and Tech Giants Come Together to Raise Bar on Cybersecurity
Organizations need to stay on constant alert and review their security posture at a granular level, because threat actors are actively scanning for the smallest weakness to exploit.
Gupta expressed, “The only way organizations can truly protect themselves is by deploying runtime security controls that take away the attacker’s ability to successfully exploit vulnerabilities. These controls will stop attackers, in milliseconds, from successfully exploiting vulnerabilities. This type of protection is not only possible, but mandatory if we want to prevent further successful ransomware attacks.”
The post Cuba Ransomware Infringed 49 Critical Infrastructure Entities appeared first on CISO MAG | Cyber Security Magazine.