Good reminder... thanks for sharing, Marco!
I chuckled, but I guess there's certainly an element of truth here... thanks for sharing, Marco!
I think the most important thing is that the attack isn't due to a Veeam exploit, but to lost RDP credentials.
Thanks for sharing this. Always secure your Veeam environment and then this won't happen. Nice to see it is not directly Veeam itself.
Hope there are not too many unpatched Veeams left...
Having read the link @marcofabbri shared: BlackBerry reports that Cuba's initial access vector appears to be compromised admin credentials via RDP, not involving brute forcing.
- This should be the talking point. With an administrator's credentials, you are aware of the harm an attacker can perpetrate via lateral movement, etc.
Also, in a secure environment, you should not be able to run some tools capable of exploiting you. There are policies for this.
- Also, if you are connecting to a remote server and you are scared of MITM attacks, read this guide and fix RDP connection issues.
If your remote server is compromised and you do not want to connect to it, you could use any of the methods discussed in this link or below.
> Cuba utilizes the now-widespread BYOVD (Bring Your Own Vulnerable Driver) technique to turn off endpoint protection tools. Also, it uses the 'BurntCigar' tool to terminate kernel processes associated with security products.
Even Microsoft Defender AV can be further protected from this kind of scenario with “Tamper Protection”. Yes, it has some drawbacks due to the lack of a central management platform, unless you decide to use tools such as ACMP or Defender for Endpoint, etc. Other AV solutions have even better protection and reporting capabilities if the right features are enabled to protect your organisation's endpoints.
> Apart from the Veeam flaw that's relatively recent, Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's NetLogon protocol, which gives them privilege escalation against AD domain controllers.
As you can see, there are other exploits, and this is very normal. When there are workarounds or patches for any flaws, you have to apply them immediately, and this validates their statement: “The inclusion of CVE-2023-27532 in Cuba's targeting scope makes the prompt installation of Veeam security updates extremely important and once again highlights the risk of delaying updates when publicly available PoC (proof-of-concept) exploits are available”.
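The two controls the comment above leans on (Defender Tamper Protection against the BYOVD/BurntCigar process-kill step, and a current Veeam build against CVE-2023-27532) can both be audited read-only from PowerShell. The script below is an added example and is not from the original thread, from Veeam, or from BlackBerry. It assumes Microsoft Defender AV is the installed AV (the `Get-Mp*` cmdlets only exist in that case), that Veeam Backup & Replication is installed in its default path, and that the "fixed build" numbers and the TCP 9401 service port are as I recall them from Veeam KB4424; treat those three values as assumptions and verify them against the KB before acting on the output.

```powershell
# Added example, not part of the original thread.
# Read-only audit of Defender Tamper Protection and Veeam patch level.

function Get-DefenderTamperState {
    # Tamper Protection deliberately cannot be switched on from PowerShell; it is
    # enabled via the Windows Security app, Intune, or Defender for Endpoint.
    # We therefore only read its state from two places and surface disagreement.
    $status = Get-MpComputerStatus
    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regVal = (Get-ItemProperty -Path $regKey -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection

    # Registry meaning (assumption from field experience): 5 = on, 4 = off, anything else = unknown.
    $regState = switch ($regVal) { 5 { 'On' } 4 { 'Off' } default { 'Unknown' } }

    [pscustomobject]@{
        IsTamperProtected         = $status.IsTamperProtected
        TamperProtectionRegistry  = $regState
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AMServiceEnabled          = $status.AMServiceEnabled
        # If the cmdlet and the registry disagree, something is tampering or the box needs a reboot.
        Consistent                = (($status.IsTamperProtected -and $regState -eq 'On') -or
                                     (-not $status.IsTamperProtected -and $regState -eq 'Off'))
    }
}

function Get-VeeamPatchState {
    param(
        # Default install path; adjust if Veeam lives elsewhere.
        [string]$ServiceExe = 'C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe',
        # Minimum fixed builds for CVE-2023-27532 as I recall them from Veeam KB4424 (assumption, verify).
        [hashtable]$FixedBuilds = @{ 11 = [version]'11.0.1.1261'; 12 = [version]'12.0.0.1420' }
    )

    if (-not (Test-Path -Path $ServiceExe)) {
        return [pscustomobject]@{ Installed = $false; Build = $null; Patched = $null; Port9401Listening = $null }
    }

    # Veeam's own KB articles identify the build by the version stamped on Veeam.Backup.Service.exe.
    $build = [version](Get-Item -Path $ServiceExe).VersionInfo.ProductVersion
    $minimum = $FixedBuilds[[int]$build.Major]

    # Unknown major version -> we cannot judge, so return $null rather than a false "patched".
    $patched = if ($minimum) { $build -ge $minimum } else { $null }

    # CVE-2023-27532 is reached through the Veeam Backup Service listener on TCP 9401 (assumption from
    # the KB). Reporting whether it listens lets you decide to firewall it off from non-backup hosts.
    $listening = [bool](Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Installed         = $true
        Build             = $build
        MinimumFixedBuild = $minimum
        Patched           = $patched
        Port9401Listening = $listening
    }
}

# Usage (run in an elevated session on the backup server):
Get-DefenderTamperState | Format-List
Get-VeeamPatchState     | Format-List
```

A `Patched` of `$null` means the script saw a major version it has no reference build for, which is a prompt to look the number up, not a pass; and a `Consistent` of `$false` on the Defender object is worth treating as an incident indicator rather than a configuration nit, since process-kill tooling of the kind quoted above is exactly what leaves the cmdlet and the registry out of step.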
Happy I’m up to date but always good to remember how important these are.