Analysis
On 1 December 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued an advisory on Cuba ransomware. It reported that the ransomware group is actively targeting sectors such as financial services, healthcare and public health, government facilities, information technology, and manufacturing.
The FBI has identified that the threat actors have compromised over 101 entities, 65 in the United States and 36 outside it. It also found that they have demanded around 145 million USD and have collected around 60 million USD in ransom payments.
The Cuba ransomware threat actors gain initial access through exploited vulnerabilities, phishing campaigns, compromised credentials, and RDP tools. According to Palo Alto Networks, the threat actors exploit CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges, and use a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos tickets. The actors then collect and crack the Kerberos tickets offline via Kerberoasting, use a tool called KerberCache to extract cached Kerberos tickets from a host's Local Security Authority Server Service (LSASS), and use a tool named Zerologon to gain domain administrative privileges.
Finally, the threat actors use the ApcHelper.sys file to terminate security products. In addition to deploying ransomware, they use double extortion: they exfiltrate victim data and demand a ransom to decrypt the data.
Prevention
- Use antivirus or EDR on all endpoints.
- Patch known vulnerabilities at regular intervals.
- Harden network, system, and application configurations.
- Take regular backups of end devices to reduce the impact of ransomware attacks.
Detection
Create rules based on the known indicators of this ransomware (file hashes, IP addresses, and URLs listed below) in the SIEM (Security Information and Event Management) tool to detect ransomware activity.
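As an added example (not part of the advisory), the following Python script refangs the IOCs from the table below and matches them against constructed Sysmon-style, proxy and DNS log lines, the way a simple SIEM rule would; the log records and the file name update.exe are invented sample data.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IOC table on this page, exactly as published (defanged).
IOC_SHA256 = {
    "f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c",
    "a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c",
    "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944",
}
IOC_IPS_DEFANGED = ["193.23.244[.]244", "31.184.194[.]42", "104.217.8[.]100"]
IOC_URLS_DEFANGED = [
    "http://babbedidndu.ru/ls5/forum[.]php",
    "http://fabickng.ru/7/forum[.]php",
    "http://facabeand.com/sliva/gate[.]php",
]

def refang(value: str) -> str:
    """Undo the '[.]' defanging so the indicator matches what real logs contain."""
    return value.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
IOC_DOMAINS = {urlparse(refang(u)).hostname for u in IOC_URLS_DEFANGED}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_line(line: str) -> list:
    """Return (indicator_type, indicator) pairs found in one log line."""
    low = line.lower()  # hashes are case-insensitive; EDRs often log them in uppercase
    hits = [("sha256", h) for h in SHA256_RE.findall(low) if h in IOC_SHA256]
    hits += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IOC_IPS]
    for domain in sorted(IOC_DOMAINS):
        # Whole-label match so 'notfacabeand.com' does not trigger on 'facabeand.com'.
        if re.search(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", low):
            hits.append(("domain", domain))
    return hits

def scan(lines) -> list:
    """Scan many lines; returns (line_number, indicator_type, indicator) tuples."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1) for kind, ioc in scan_line(line)]

# Constructed sample records (Sysmon-style process create, proxy, DNS); not real telemetry.
SAMPLE_LOGS = [
    "2022-12-01T10:02:11Z host=WS01 EventID=1 Image=C:\\Users\\Public\\update.exe "
    "Hashes=SHA256=F1103E627311E73D5F29E877243E7CA203292F9419303C661AEC57745EB4F26C",
    "2022-12-01T10:05:40Z proxy src=10.0.0.15 dst=193.23.244.244 dport=443 action=allow",
    "2022-12-01T10:06:02Z dns client=10.0.0.15 query=facabeand.com type=A",
    "2022-12-01T10:07:30Z dns client=10.0.0.22 query=example.com type=A",
]

if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} match on {ioc}")
```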
MITRE ATT&CK® Techniques
| Technique ID | Technique Name |
| --- | --- |
| T1584.001 | Compromise Infrastructure: Domains |
| T1078 | Valid Accounts |
| T1133 | External Remote Services |
| T1190 | Exploit Public-Facing Application |
| T1566 | Phishing |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1072 | Software Deployment Tools |
| T1068 | Exploitation for Privilege Escalation |
| T1562.001 | Impair Defences: Disable or Modify Tools |
| T1563.002 | Remote Services Session: RDP Hijacking |
| T1003.001 | Credential Dumping: LSASS Memory |
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting |
| T1090 | Manipulate Command and Control Communications |
Indicators of Compromise (IOCs)
| Type | Indicator |
| --- | --- |
| SHA256 | f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c |
| SHA256 | a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c |
| SHA256 | 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944 |
| IPs | 193.23.244[.]244, 31.184.194[.]42, 104.217.8[.]100 |
| URLs | http://babbedidndu.ru/ls5/forum[.]php, http://fabickng.ru/7/forum[.]php, http://facabeand.com/sliva/gate[.]php |
Note: See the link in the References section for more IOCs.
References
CISA.gov