Dec 2, 2022

SafeBreach Coverage for US-CERT Alert (AA22-335A) – Cuba Ransomware

On December 1, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory highlighting new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) leveraged by threat actors using Cuba ransomware to target U.S. entities in multiple critical infrastructure sectors. Details of this investigation (along with attacker TTPs and IOCs) were made available via US-CERT Alert (AA22-335A) #StopRansomware: Cuba Ransomware.

The FBI had originally released details about Cuba ransomware in December 2021 via FBI Flash CU-000156-MW. According to this latest advisory, the FBI’s investigation revealed that Cuba ransomware threat actors have added several new TTPs and may now be associated with RomCom Remote Access Trojan (RAT) actors and Industrial Spy ransomware actors.

The FBI also noted that since its December 2021 advisory, the Cuba ransomware threat actors had doubled their original target list of U.S. entities and were now targeting critical infrastructure entities in the following sectors/verticals: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology. The investigation also revealed that over 100 entities have been compromised worldwide and that the ransom amounts demanded exceed $145 million USD, of which $60 million has been paid.

Additional Technical Details

The investigation revealed the following:

  • The Cuba ransomware threat actors have leveraged the following techniques to gain access to their targets: known vulnerabilities in commercial software, phishing campaigns, compromised credentials, and legitimate remote desktop protocol (RDP) tools.
  • After initial access was gained, the threat actors were observed distributing Cuba ransomware via Hancitor, a loader frequently used for dropping or executing stealers (e.g., RATs) and other ransomware variants onto victim networks.
  • The threat actors were also observed modifying the TTPs they use to interact with compromised victim networks and extort ransom payments.
  • The following vulnerabilities and weaknesses were leveraged to gain elevated privileges on compromised victim networks:
    • Exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges.
    • Used a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos tickets. The actors then collected the tickets and cracked them offline via Kerberoasting.
    • Used a tool called KerberCache to extract cached Kerberos tickets from a host’s Local Security Authority Subsystem Service (LSASS) memory.
    • Used a tool to exploit CVE-2020-1472 (also known as “ZeroLogon”) to gain Domain Administrator privileges. This tool and its intrusion attempts have been reportedly related to Hancitor and QBot.
  • Cuba ransomware threat actors evade detection during lateral movement by leveraging a dropper that writes a kernel driver called ApcHelper.sys to the file system, which targets and terminates any deployed security products.
  • The threat actors have also been observed using double extortion: exfiltrating victim data before encrypting it and threatening to release it publicly if the ransom isn’t paid.
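Two of the TTPs listed above, Kerberoasting of service-account tickets and the ApcHelper.sys kernel driver dropper, leave traces in standard Windows telemetry that a SOC can hunt for. The script below is an added example and not code from this post, the SafeBreach playbook, or the CISA advisory: it applies two detection rules to constructed sample records shaped like Windows Security event 4769 (Kerberos service ticket request) and Sysmon event 6 (driver loaded). The thresholds, the sample account names and IP addresses, and the list of non-system driver directories are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                            # TicketEncryptionType value for RC4-HMAC
KERBEROAST_MIN_SPNS = 3                      # distinct service accounts per requesting account (assumed threshold)
KERBEROAST_WINDOW = timedelta(minutes=5)     # ... requested within this window (assumed)
SUSPICIOUS_DRIVER_NAMES = {"apchelper.sys"}  # driver name reported in AA22-335A
NON_SYSTEM_DRIVER_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumed list

# Constructed sample records (not real telemetry): Security 4769 and Sysmon 6 events.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2022-12-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2022-12-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2022-12-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2022-12-01T10:00:04", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TimeCreated": "2022-12-01T10:30:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.22"},
    {"EventID": 4769, "TimeCreated": "2022-12-01T11:00:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.22"},
    {"EventID": 6, "TimeCreated": "2022-12-01T10:05:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "TimeCreated": "2022-12-01T10:06:00",
     "ImageLoaded": "C:\\Windows\\Temp\\ApcHelper.sys", "Signed": "true", "Signature": "Constructed Signer"},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def detect_kerberoasting(events, min_spns=KERBEROAST_MIN_SPNS, window=KERBEROAST_WINDOW):
    """One alert per account that requested RC4 service tickets for `min_spns` or more
    distinct service accounts within `window`. Computer accounts (names ending in '$')
    and krbtgt are skipped: Kerberoasting targets user-created service accounts whose
    passwords can be cracked offline, and RC4 tickets are the ones cheap to crack."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        spn = ev["ServiceName"]
        if spn.endswith("$") or spn.lower() == "krbtgt":
            continue
        by_account[ev["TargetUserName"]].append((_parse_time(ev["TimeCreated"]), spn, ev["IpAddress"]))

    alerts = []
    for account, requests in by_account.items():
        requests.sort()
        # Slide a window over the account's requests; alert once on the first window that trips.
        for i, (start, _, source_ip) in enumerate(requests):
            in_window = {spn for t, spn, _ in requests[i:] if t - start <= window}
            if len(in_window) >= min_spns:
                alerts.append({"rule": "kerberoasting", "account": account,
                               "source_ip": source_ip, "services": sorted(in_window)})
                break
    return alerts


def detect_driver_load(events):
    """One alert per Sysmon driver-load event (ID 6) whose driver either carries the
    ApcHelper.sys name from the advisory or loads from outside the usual driver
    directories; legitimate drivers rarely load from Temp or a user profile."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 6:
            continue
        path = ev["ImageLoaded"]
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        reasons = []
        if name in SUSPICIOUS_DRIVER_NAMES:
            reasons.append("known-bad driver name")
        if lowered.startswith(NON_SYSTEM_DRIVER_DIRS):
            reasons.append("driver loaded from non-system directory")
        if reasons:
            alerts.append({"rule": "suspicious_driver_load", "driver": path,
                           "signature": ev.get("Signature"), "reasons": reasons})
    return alerts


def run_all(events):
    return detect_kerberoasting(events) + detect_driver_load(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when running this against real logs: RC4 ticket requests are also generated by legacy systems, so the per-account threshold and window are what keep the Kerberoasting rule quiet in a noisy domain, and a signed driver is not a clean driver, which is why the driver rule keys on name and load path rather than on the signature field.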

Reported Links to RomCom and Industrial Spy

Several third-party and open-source reports indicate that Cuba ransomware actors have begun using RomCom RAT for command and control (C&C). They are also believed to have leveraged Industrial Spy ransomware to target a foreign healthcare company; this Industrial Spy ransomware shares configuration similarities with Cuba ransomware. Before deploying the Industrial Spy ransomware, the threat actors moved laterally using Impacket and deployed the RomCom RAT and a Meterpreter reverse shell HTTP/HTTPS proxy via a C2 server. Around May 2022, Cuba ransomware threat actors were also noted to have begun selling stolen data on Industrial Spy’s online marketplace.

Important Note for SafeBreach Customers – Coverage for AA22-335A

As soon as details and IOCs were made available, corresponding new attacks were immediately added to the SafeBreach Hacker’s Playbook™ on December 2nd. It is important to note that some of the attack TTPs used by these threat actors were already available in the SafeBreach playbook. SafeBreach customers already had an existing level of protection against these threat actors if their security controls were validated against these known TTPs. NOTE: For a more comprehensive level of coverage against Cuba Ransomware, we would also recommend validating your security controls against the various attacks listed in the advisory for CU-000156-MW.

Newly added playbook methods for US-CERT Alert AA22-335A:

Cuba Ransomware:

  • #8141 – Write Cuba Ransomware (bfbf) malware to disk
  • #8142 – Transfer of Cuba Ransomware (bfbf) malware over HTTP/S
  • #8143 – Transfer of Cuba Ransomware (bfbf) malware over HTTP/S
  • #8144 – Email Cuba Ransomware (bfbf) malware as a ZIP attachment
  • #8145 – Email Cuba Ransomware (bfbf) malware as a ZIP attachment
  • #8146 – Write Cuba Ransomware (71b3) malware to disk
  • #8147 – Transfer of Cuba Ransomware (71b3) malware over HTTP/S
  • #8148 – Transfer of Cuba Ransomware (71b3) malware over HTTP/S
  • #8149 – Email Cuba Ransomware (71b3) malware as a ZIP attachment
  • #8150 – Email Cuba Ransomware (71b3) malware as a ZIP attachment
  • #8151 – Pre-execution phase of Cuba Ransomware (ecd0) malware
  • #8152 – Write Cuba Ransomware (ecd0) malware to disk
  • #8153 – Transfer of Cuba Ransomware (ecd0) malware over HTTP/S
  • #8154 – Transfer of Cuba Ransomware (ecd0) malware over HTTP/S
  • #8155 – Email Cuba Ransomware (ecd0) malware as a ZIP attachment
  • #8156 – Email Cuba Ransomware (ecd0) malware as a ZIP attachment
  • #8157 – Write Cuba Ransomware (f26c) malware to disk
  • #8158 – Transfer of Cuba Ransomware (f26c) malware over HTTP/S
  • #8159 – Transfer of Cuba Ransomware (f26c) malware over HTTP/S
  • #8160 – Email Cuba Ransomware (f26c) malware as a ZIP attachment
  • #8161 – Email Cuba Ransomware (f26c) malware as a ZIP attachment
  • #8162 – Write Cuba Ransomware (9944) malware to disk
  • #8163 – Transfer of Cuba Ransomware (9944) malware over HTTP/S
  • #8164 – Transfer of Cuba Ransomware (9944) malware over HTTP/S
  • #8165 – Email Cuba Ransomware (9944) malware as a ZIP attachment
  • #8166 – Email Cuba Ransomware (9944) malware as a ZIP attachment
  • #8167 – Write Cuba Ransomware (68a3) malware to disk
  • #8168 – Transfer of Cuba Ransomware (68a3) malware over HTTP/S
  • #8169 – Transfer of Cuba Ransomware (68a3) malware over HTTP/S
  • #8170 – Email Cuba Ransomware (68a3) malware as a ZIP attachment
  • #8171 – Email Cuba Ransomware (68a3) malware as a ZIP attachment
  • #8172 – Write Cuba Ransomware (4c42) malware to disk
  • #8173 – Transfer of Cuba Ransomware (4c42) malware over HTTP/S
  • #8174 – Transfer of Cuba Ransomware (4c42) malware over HTTP/S
  • #8175 – Email Cuba Ransomware (4c42) malware as a ZIP attachment
  • #8176 – Email Cuba Ransomware (4c42) malware as a ZIP attachment

Industrial Spy:

  • #8177 – Pre-execution phase of Industrial Spy malware
  • #8178 – Write Industrial Spy malware to disk
  • #8179 – Transfer of Industrial Spy malware over HTTP/S
  • #8180 – Transfer of Industrial Spy malware over HTTP/S
  • #8181 – Email Industrial Spy malware as a ZIP attachment
  • #8182 – Email Industrial Spy malware as a ZIP attachment

ROMCOM RAT:

  • #8183 – Write ROMCOM RAT malware to disk
  • #8184 – Transfer of ROMCOM RAT malware over HTTP/S
  • #8185 – Transfer of ROMCOM RAT malware over HTTP/S
  • #8186 – Email ROMCOM RAT malware as a ZIP attachment
  • #8187 – Email ROMCOM RAT malware as a ZIP attachment

ZeroLogon Hacktool:

  • #8188 – Write ZeroLogon Hacktool malware to disk
  • #8189 – Transfer of ZeroLogon Hacktool malware over HTTP/S
  • #8190 – Transfer of ZeroLogon Hacktool malware over HTTP/S
  • #8191 – Email ZeroLogon Hacktool malware as a ZIP attachment
  • #8192 – Email ZeroLogon Hacktool malware as a ZIP attachment

KerberCache:

  • #8193 – Write KerberCache malware to disk
  • #8194 – Transfer of KerberCache malware over HTTP/S
  • #8195 – Transfer of KerberCache malware over HTTP/S
  • #8196 – Email KerberCache malware as a ZIP attachment
  • #8197 – Email KerberCache malware as a ZIP attachment

Hancitor:

  • #8198 – Write Hancitor malware to disk
  • #8199 – Transfer of Hancitor malware over HTTP/S
  • #8200 – Transfer of Hancitor malware over HTTP/S
  • #8201 – Email Hancitor malware as a ZIP attachment
  • #8202 – Email Hancitor malware as a ZIP attachment

Previously available playbook attacks for AA22-335A:

  • Impair Defenses: Disable or Modify Tools
    • #2267 – Add an exclusion to Windows Defender using PowerShell
    • #2389 – Modify Firewall Rules using netsh.exe
    • #5107 – Stop a service using net stop command
    • #7144 – Unregister anti-malware scanning interface providers
    • #7834 – Add Exclusions to Windows Defender
    • #7835 – Disable Windows Defender from Registry
  • Credential Dumping: LSASS Memory
    • #1220 – Inject Mimikatz using PowerShell to Extract Credentials
    • #2273 – Pass the Hash over SMB using Mimikatz
    • #3819 – Windows Credentials Collection using LaZagne
    • #3829 – Run obfuscated Mimikatz on host
    • #6127 – Extract LSASS memory dump using PowerShell and Rundll32
    • #6473 – Agentless lateral movement via RDP
    • #6513 – Agentless lateral movement via SMB and RCE, using Mimikatz
    • #6514 – Carbanak UAC Bypass and Credential Dumping
    • #794 – Extract Login Information using MimiKatz
  • ZeroLogon
    • #5487 – Exploit CVE-2020-1472 ZeroLogon
    • #6246 – Exploit ZeroLogon (CVE-2020-1472) (Windows)
    • #5718 – Pre-execution phase of SharpZeroLogon malware
    • #5719 – Write SharpZeroLogon malware to disk
    • #5720 – Transfer of SharpZeroLogon malware over HTTP/S
    • #5721 – Transfer of SharpZeroLogon malware over HTTP/S
    • #5722 – Email SharpZeroLogon malware as a ZIP attachment
    • #5723 – Email SharpZeroLogon malware as a ZIP attachment
  • Meterpreter
    • #1042 – Remote Control using Meterpreter to Execute File Commands
    • #262 – Remote Control using Meterpreter to Execute Persistence Commands
    • #263 – Remote Control using Meterpreter to Change System Configuration
    • #264 – Remote Control using Meterpreter to Execute File Commands
    • #7659 – Pre-execution phase of Meterpreter malware
  • Steal or Forge Kerberos Tickets: Kerberoasting
    • #2205 – Extract NTLM Hashes using Invoke-Kerberoast (PowerShell)
  • Proxy: Manipulate Command and Control Communications
    • #7046 – Communication via TOR (Windows)
    • #7167 – Covert data asset exfiltration over TOR (Windows)

What You Should Do Now

Attack methods related to US-CERT Alert AA22-335A are ready to run across your simulators. Select the US-CERT Alert AA22-335A (Cuba Ransomware) report from the Known Attack Series report and select Run Simulations, which will run all attack methods.

You can also select all the attacks related to US-CERT Alert AA22-335A by going to the SafeBreach playbook and filtering by Threat Name – US-CERT Alert AA22-335A (Cuba Ransomware).

You can also go to the “SafeBreach Scenarios” page and choose the US-CERT Alert AA22-335A (Cuba Ransomware) scenario from the list of available scenarios.

NOTE: CISA and the FBI recommend the following actions to mitigate the threat arising from these threat actors:

  • Validate Security Controls – CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
  • Prioritize remediating known exploited vulnerabilities.
  • Train users to recognize and report phishing attempts.
  • Enable and enforce phishing-resistant multifactor authentication.
