Cuba ransomware and Veeam CVE-2023-27532

We continue to read that Cuba Ransomware attacks Veeam Backup servers that are unpatched, unmaintained, or outdated. The Cuba ransomware group is exploiting a bug in data backup software exposed in March, warn security experts. It’s even been claimed that they have added a new set of tools to their arsenal along with CVE-2023-27532, the Veeam vulnerability.


The latest campaign was spotted in early June 2023 by BlackBerry’s Threat Research and Intelligence team, who reports that Cuba now leverages an exploit for the Veeam vulnerability CVE-2023-27532 to steal credentials from configuration files.


While the technical details are fascinating, what strikes me as commendable is BlackBerry’s sense of corporate responsibility. Prior to publicizing their findings, they shared critical information privately with relevant authorities, contributing to the collective security posture of organizations globally.

If you use Veeam please be aware this bug has been actively used in cyber attacks on organizations. In addition to the Threat Actors gaining control of administrative credentials, they also have gained access to Veeam cloud backup target data and have exfiltrated and deleted backups making it hard to impossible for organizations to rebuild. If you need help understanding this attack or how we can help you prevent these types of attacks give me a call.

Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.

Severity: High
CVSS v3 score: 7.5

The exploit works by accessing an exposed API on a component of the Veeam application – Veeam.Backup.Service.exe, which exists on any version of the Veeam Backup and Replication software prior to version 11a and version 12.

Cuba’s toolkit includes a custom downloader known as Bughatch, a utility dubbed BurntCigar that terminates processes such as anti-malware endpoint solutions, and the Metasploit and Cobalt Strike frameworks, along with numerous “living off the land” binaries.

Cuba ransomware first appeared on the threat landscape in 2019. It is known for actively targeting critical infrastructure sectors including financial institutions, government buildings, the healthcare sector, manufacturing and information technology.

The group is known for stealing data before leaving systems maliciously encrypted and then leaking the data to try and force recalcitrant victims to pay. Its name comes from the .cuba extension it adds to encrypted files and its predilection for using Cuban revolutionary kitsch artwork.


How to Protect Your Data from Cuba Ransomware?

  • Apply the Veeam patch and secure your infrastructure against this vulnerability and others.
  • Share this post with your network to help them stay safe from ransomware attacks and Cybersecurity awareness.

The most common element of an incident response playbook is a good backup:

87% of organizations have a risk management program that drives their security roadmap or strategy. That said, only 35% believe their program is working well, while 52% are seeking to improve their situation and the remaining 13% do not yet even have an established program.

Regardless of what you call your program or team that is chartered with planning against cyber events and preparing for how the organization will deal with them, the most common elements of the ‘playbook’ in preparation against a cyber attack are:

  • Clean backup copies, which one might presume includes data that is ‘survivable’ against attacks and does not include malicious code,
  • Recurring verification that the backups are recoverable.

45% of production data was affected by a cyber attack:

This is unfortunately consistent with last year’s 47% affected statistic, with no reason to assume future attacks won’t result in a similar catastrophic amount of data loss or impact.

On average, organizations stated that 45% of their production data was affected by the cyber attack. In looking at the extremes, 25% had a small portion (<20%) of their data affected, while 14% had nearly all (>80%) of their data affected by the attack.

Unfortunately, only 66% of the affected data was recoverable. This calculates that 15% of the organizations’ production data was unrecoverably lost.

As an aside, cyber victims were also asked of their confidence before and after the attack.

In hindsight, only 59% considered themselves ‘prepared’ — and even then, the results did not vary greatly on how impactful the attack was.

Cartels were able to affect the backup repositories in 75% of attacks:

Said another way, one in four organizations had backups to restore from, which is down from last year when one in three organizations had survivable backups.

In fact, bad actors targeted the backup repositories in at least 93% of attacks in 2022, nearly identical to the 94% of repositories that were targeted in 2021. The respondents who stated that “some,” “most” or “all” of their repositories were affected, reveal that on average, 39% of backup repositories were affected.

Secure Backup is your last line of defense:

Defense-in-depth – target to hit:

First, respect this rule: 3-2-1-1-0 (with Trusted Immutability, one Offline Backup, and Backup Verification).

Second, protecting your Backup Server and integrating Trusted Repository Storage, Offline Backup (Tape, example: Quantum Active Vault) or Dell EMC Cyber Recovery (air-gapped backup through a sanctuary), or Immutable (Immutable Backup feature, Retention Time Lock with ExaGrid, Retention Lock with Dell EMC DataDomain, Snapshot feature in Quantum’s DXi appliance, HPE StoreOnce with Data Immutability, Object Lock with Object Storage solution such as Dell EMC ECS or DataCore SWARM, or Wasabi, etc.), Hardening (server, storage, OS..). Enabling snapshot protection such as Pure Storage Safe Mode or Dell EMC Secure Snap. Maintaining developed protocols of access rights hierarchy, Zero Trust, network security (segmentation, VLAN dedicated for Backup components), Backup environment not integrated into the domain (100% of attacks exploits a weakness of the Active Directory), and password hygiene, take care of your Local Accounts & segment your passwords into different Passwords Management tools (especially local accounts and CISO/Security Officer accounts). Enabling double-authentication on the management interface (storage hardware, appliances, etc.). Never leave your Password Management tool open on your workstation, and never store it on the Filer Servers. Protect your NTP. Anonymizing the name of backup servers and repositories – and the name of service accounts, creating a HoneyPot backup environment, creating fake backup services accounts without permissions (svc_backup and with all backup vendors) then monitoring them with AD alerting in real-time solution (such as Netwrix, Varonis, Tenable.AD), as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Pay successfully removing backups. Secure backup solutions and mitigations listed will enable any possible victims to leave Pay without their demanded ransom money. Keep in mind backup is a building block of the cybersecurity ecosystem.

It is still worth trying to check more backup files, but it’s only about the time needed for getting the headers and checking them with a chance something can be restored from there, and time that can be used to rebuild that infrastructure.

You can get headers of multiple files, Backup solution vendor can check all of them.


How to recover? First 48 hours crucial:

    -CERT or INSURER: Get experts on the phone fast to assess what should be considered,
    -Forensics Expert: Assessing the damage caused by a third party and if the attacker is still in the infrastructure,
    -Law Enforcement: Make sure the correct law enforcement bodies have been notified,
    -Backup Vendor: The current state of the backups is crucial for recovery and for forensics experts to find potential entry points. A company like Monaco Digital can manage the Backup Team (stream) during a cyber crisis (forensic on the backup environment, analyzing the logs, identifying safe assets, understanding the lateral movement of the attackers, rebuilding a circumstance backup environment that respects the best practices, etc.), then collaborate with the Crisis Team and the Global Forensic Team,
    -Partners with knowledge: Recovering from a ransomware attack is a marathon not a sprint! Make sure you help your IT departments with strong partners (such as Monaco Digital and Monaco Cyber Securité for example).


Akira ransomware infection routine: Blog Post
Veeam User Group Day in Monaco: Blog Post
2023 Ransomware Trends Report
Critical FortiOS & FortiProxy – Heap buffer overflow Vulnerability: Blog Post
Critical FortiOS and FortiProxy Vulnerability – FG-IR-23-001: Blog PostImportant Vulnerability in VMware ESXi: Blog Post
The core function of a SOC: Blog Post
Play ransomware infection routine: Blog Post
Identify a piece of malware with Yara: Blog Post
New Veeam v12 Platform Overview: Blog Post
OpenSSL patch (v3.0.7) for Vulnerability 2022: Blog Post
Building a SOC: Blog Post
List of vendors and software affected by the OpenSSL vulnerability: Blog Post
Critical OpenSSL Vulnerability version 3.0: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post

Please follow and like us:

Enjoy this blog? Please spread the word :)