Cuba Ransomware

Analysis

On 1 December 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued an advisory on Cuba ransomware. It reported that the ransomware group is actively targeting sectors such as financial services, healthcare and public health, government facilities, information technology, and manufacturing.

The FBI has identified that the threat actors have compromised over 101 entities, 65 in the United States and 36 outside it. They have demanded around 145 million USD and have claimed around 60 million USD in ransom payments.

The Cuba ransomware threat actors gain initial access through exploited vulnerabilities, phishing campaigns, compromised credentials, and RDP tools. According to Palo Alto Networks, the actors exploit CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges, and use a PowerShell script to identify service accounts and target their associated Active Directory Kerberos tickets. They then collect the Kerberos tickets and crack them offline (Kerberoasting), and use a tool called KerberCache to extract cached Kerberos tickets from a host's Local Security Authority Server Service (LSASS). They also use a tool named "Zerologon" to gain domain administrator privileges.

Finally, the threat actors use the ApcHelper.sys file to terminate security products. In addition to deploying the ransomware, they use double-extortion techniques: they exfiltrate victim data and demand a ransom to decrypt the encrypted data.

Prevention

  • Use antivirus or EDR on all endpoints.
  • Patch known vulnerabilities at regular intervals.
  • Harden network, system, and application configurations.
  • Take regular backups of end devices to reduce the impact of ransomware attacks.

Detection

Create rules based on the known indicators of this ransomware in the SIEM (Security Information and Event Management) tool so that matching activity is detected and alerted on.
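As an added example (not code from the advisory or from CISA), the following minimal SIEM-style rule refangs the indicators from the IOC table later on this page and matches them against constructed sample events. The rule names and the event field names (`sha256`, `dst_ip`, `url`) are assumptions; a real deployment would read events from the SIEM instead of the inline list.

```python
import re

# Indicators copied from the IOC table on this page, kept in their defanged form.
IOC_HASHES = {
    "f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c",
    "a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c",
    "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944",
}
IOC_IPS = {"193.23.244[.]244", "31.184.194[.]42", "104.217.8[.]100"}
IOC_URLS = {"http://babbedidndu.ru/ls5/forum[.]php", "http://fabickng.ru/7/forum[.]php",
            "http://facabeand.com/sliva/gate[.]php"}

def refang(indicator: str) -> str:
    """Turn a published, defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; '' when the string is not an http(s) URL."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""

IPS, URLS = {refang(i) for i in IOC_IPS}, {refang(u) for u in IOC_URLS}
URL_HOSTS = {host_of(u) for u in URLS}

def match_event(event: dict) -> list[str]:
    """Return the rule names that fire for one normalised log event (empty if none)."""
    hits = []
    if event.get("sha256", "").lower() in IOC_HASHES:  # hashes compare case-insensitively
        hits.append("cuba_ioc_hash")
    if event.get("dst_ip") in IPS:
        hits.append("cuba_ioc_ip")
    url = event.get("url", "")
    if url in URLS:
        hits.append("cuba_ioc_url")
    elif host_of(url) in URL_HOSTS:  # a listed C2 host contacted on an unlisted path
        hits.append("cuba_ioc_domain")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    return {e["id"]: hits for e in events if (hits := match_event(e))}  # only events that fire

# Constructed sample events (not real telemetry): an upper-cased hash, a live IP, a listed host on a new path, one benign event.
SAMPLE_EVENTS = [
    {"id": 1, "sha256": "F1103E627311E73D5F29E877243E7CA203292F9419303C661AEC57745EB4F26C"},
    {"id": 2, "dst_ip": "31.184.194.42"},
    {"id": 3, "url": "http://facabeand.com/other/gate.php"},
    {"id": 4, "dst_ip": "10.0.0.5", "url": "https://example.com/index.html"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags events 1 to 3 and leaves the benign event out; the host-level match is what catches a known command-and-control host once the operators rotate the path.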

MITRE ATT&CK® Techniques

Technique ID   Technique Name
T1584.001      Compromise Infrastructure: Domains
T1078          Valid Accounts
T1133          External Remote Services
T1190          Exploit Public-Facing Application
T1566          Phishing
T1059.001      Command and Scripting Interpreter: PowerShell
T1072          Software Deployment Tools
T1068          Exploitation for Privilege Escalation
T1562.001      Impair Defences: Disable or Modify Tools
T1563.002      Remote Services Session: RDP Hijacking
T1003.001      Credential Dumping: LSASS Memory
T1558.003      Steal or Forge Kerberos Tickets: Kerberoasting
T1090          Manipulate Command and Control Communications

Indicators of Compromise (IOCs)

Type     Indicator
SHA256   f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
SHA256   a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c
SHA256   141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
IP       193.23.244[.]244
IP       31.184.194[.]42
IP       104.217.8[.]100
URL      http://babbedidndu.ru/ls5/forum[.]php
URL      http://fabickng.ru/7/forum[.]php
URL      http://facabeand.com/sliva/gate[.]php

Note: See the link in the References section for more IOCs.

References

CISA.gov
