Cuba Ransomware Group Unleashes Undetectable Malware

Cyber Security Threat Summary:
Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three suspicious files that loaded the komar65 library, also known as BUGHATCH. BUGHATCH is an advanced backdoor that operates in process memory and connects to a Command-and-Control (C2) server to receive instructions. It can download tooling such as Cobalt Strike Beacon and Metasploit, and its exploitation of vulnerabilities in Veeamp backup software points to Cuba's involvement. Furthermore, Kaspersky's investigation unveiled Russian-speaking members within the group, hinted at by references to the "komar" folder ("komar" means "mosquito" in Russian). The group has enhanced the malware with additional modules, including one that gathers system information and sends it to a server via HTTP POST requests.

Security Officer Comments:
Cuba is a ransomware strain that operates as a single file, making it difficult to detect. This Russian-speaking group targets various industries across North America, Europe, Oceania, and Asia, using both public and proprietary tools. They continually update their toolkit and employ tactics such as BYOVD (Bring Your Own Vulnerable Driver), and they manipulate compilation timestamps to confuse investigators. Despite having been in the cybersecurity spotlight for some time, Cuba remains dynamic, constantly refining techniques such as data encryption and customized attacks to steal sensitive information. Kaspersky's report highlights the importance of staying informed and proactive against evolving cyber threats, and urges organizations to follow best practices to protect against ransomware. Gleb Ivanov, a cybersecurity expert at Kaspersky, emphasizes the need to consult the latest reports and threat intelligence to stay ahead of evolving threats like Cuba.
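The manipulated compilation timestamps mentioned above are something an incident responder can check for directly. The following Python script is an added example, not code from the original summary or from Kaspersky's report: it reads the COFF TimeDateStamp from a PE header and compares it against the incident timeline (when the file was first observed, and optionally the file's own filesystem modification time). The sample headers are constructed in memory with a helper (build_pe_header) so the script runs offline; the anomaly thresholds (a one-day slack, nothing compiled before the year 2000) are assumptions, not values from the report.

```python
"""Flag PE files whose compile timestamp looks manipulated.

Added example (not from the original advisory or Kaspersky's report).
Compares the COFF TimeDateStamp of a PE image against the incident
timeline; the thresholds below are assumptions for illustration.
"""
import struct
from datetime import datetime, timezone

DAY = 86400          # seconds; assumed slack for clock drift
MIN_YEAR = 2000      # assumed: anything older is treated as implausible


def utc(year, month, day):
    """Unix seconds for a UTC calendar date (small helper for the samples)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix seconds) from a PE image in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_anomalies(ts, observed_at, fs_mtime=None, slack=DAY):
    """Return a list of reasons the compile time is suspicious (empty = nothing odd).

    ts:          COFF TimeDateStamp, Unix seconds
    observed_at: Unix seconds when the file was first seen on the host
    fs_mtime:    optional filesystem modification time, Unix seconds
    """
    reasons = []
    if ts in (0, 0xFFFFFFFF):
        # Some toolchains zero the field; 0xFFFFFFFF is another common placeholder
        reasons.append("placeholder timestamp")
        return reasons
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    if compiled.year < MIN_YEAR:
        reasons.append("implausibly old compile time")
    if ts > observed_at + slack:
        reasons.append("compile time after first observation")
    if fs_mtime is not None and ts > fs_mtime + slack:
        reasons.append("compile time after filesystem mtime")
    return reasons


def triage(data, observed_at, fs_mtime=None):
    """Parse the PE header and evaluate its compile timestamp against the timeline."""
    return timestamp_anomalies(pe_timestamp(data), observed_at, fs_mtime)


def build_pe_header(timestamp):
    """Constructed minimal MZ + PE/COFF header (not a real binary) with the given stamp."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 1 section, TimeDateStamp, no symbols, no optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    first_seen = utc(2022, 12, 15)   # constructed: when the file was first observed
    samples = {
        "plausible": build_pe_header(utc(2022, 11, 1)),
        "future":    build_pe_header(utc(2031, 6, 1)),
        "ancient":   build_pe_header(utc(1995, 1, 1)),
        "zeroed":    build_pe_header(0),
    }
    for name, blob in samples.items():
        print(f"{name:10s} -> {triage(blob, first_seen) or 'no anomaly'}")
```

On a real host, feed triage() the first 4 KiB of each executable of interest together with the time the file appeared in EDR or filesystem telemetry; a timestamp that post-dates the file's own arrival, or that predates the toolchain that plausibly built it, is a reason to pivot on the sample rather than a verdict by itself.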

Suggested Correction(s):
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because it allows your organization to restore systems if your network data is encrypted by ransomware.

Update and patch systems promptly: This includes keeping operating systems, applications, and firmware up to date in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: Nothing exposes the gaps in a plan more than testing it. Run through some core questions and use the answers to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks – from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication (MFA) can help prevent malicious access to sensitive services.