Veeam exploit used against critical US orgs

  • 22 August 2023
  • 8 comments
  • 193 views

Userlevel 7
Badge +13

As reported by many news outlets such as Bleeping Computer:

https://www.bleepingcomputer.com/news/security/cuba-ransomware-uses-veeam-exploit-against-critical-us-organizations/

The Veeam exploit CVE-2023-27532 is currently being used to steal credentials from configuration files.

However, it’s important to note that the first attack vector used to get access isn’t a Veeam product, but stolen credentials for critical servers’ RDP accessible via the internet AND the Microsoft Zerologon exploit.

The patch for Veeam’s products was already released in March of this year:

https://www.veeam.com/kb4424

and, as mentioned several times, best practice says that Veeam servers must not be accessible from the Internet.


8 comments

Userlevel 7
Badge +17

Good reminder... thanks for sharing, Marco!

Userlevel 7
Badge +6


I chuckled, but I guess there’s certainly an element of truth here... thanks for sharing, Marco!

Userlevel 7
Badge +7

Oh, I was writing a post about it too.

If you want a more technical analysis: https://blogs.blackberry.com/en/2023/08/cuba-ransomware-deploys-new-tools-targets-critical-infrastructure-sector-in-the-usa-and-it-integrator-in-latin-america

Userlevel 7
Badge +13

I think the most important thing is that the attack isn’t due to the Veeam exploit, but to lost RDP credentials.

Userlevel 7
Badge +20

Thanks for sharing this. Always secure your Veeam environment and then this won't happen. Nice to see it is not directly Veeam itself.

Userlevel 7
Badge +7

Hope there are not too many unpatched Veeams left... 😔

Userlevel 7
Badge +9

Having read the link @marcofabbri shared, BlackBerry reports that Cuba's initial access vector appears to be compromised admin credentials via RDP, not involving brute forcing.

  • This should be the talking point. With an administrator's credentials, you are aware of the harm an attacker can perpetrate via lateral movement, etc.

Also, in a secure environment, you should not be able to run some tools capable of exploiting you. There are policies for this.

  • Also, if you are connecting to a remote server and you are scared of MiTM attacks, read this guide and fix RDP connection issues.

If your remote server is compromised and you do not want to connect to it, you could use any of the methods discussed in this link or below.

> Cuba utilizes the now-widespread BYOVD (Bring Your Own Vulnerable Driver) technique to turn off endpoint protection tools. Also, it uses the 'BurntCigar' tool to terminate kernel processes associated with security products.

Even Microsoft Defender AV can be further protected from this kind of scenario with “Tamper Protection”. Yes, it has some drawbacks due to the lack of a central management platform, unless you decide to use tools such as ACMP or Defender for Endpoint, etc. Other AV solutions have even better protection and reporting capabilities if the right features are enabled to protect your organisation's endpoints.

> Apart from the Veeam flaw that's relatively recent, Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's NetLogon protocol, which gives them privilege escalation against AD domain controllers.

As you can see, there are other exploits, and this is very normal. When there are workarounds or patches against any flaws, you have to apply them immediately, and this validates this statement from them: “The inclusion of CVE-2023-27532 in Cuba's targeting scope makes the prompt installation of Veeam security updates extremely important and once again highlights the risk of delaying updates when publicly available PoC (proof-of-concept) exploits are available”.
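As an added example, not part of this thread or of any Veeam or Microsoft tooling, here is a defender-side host check for the two points the comment above raises: whether Defender Tamper Protection is actually on, and whether the RDP and Veeam Backup Service ports are listening on a non-loopback address. It assumes a Windows host with Microsoft Defender, and that 3389 and 9401 are the default RDP and Veeam Backup Service ports.

```powershell
# Added example (not from the thread): host-level check for Tamper Protection
# and for exposed RDP / Veeam Backup Service listeners.
# Assumes Microsoft Defender; Get-MpComputerStatus is the standard Defender cmdlet.
$status = Get-MpComputerStatus

$report = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
}
$report | Format-List

if (-not $status.IsTamperProtected) {
    Write-Warning "Tamper Protection is OFF: anyone holding admin rights on this host can switch Defender off before dropping tooling."
}

# Assumed default ports: 3389 = RDP, 9401 = Veeam Backup Service.
$watchPorts = 3389, 9401
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in $watchPorts -and $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        "{0}:{1} is listening ({2}); confirm it is reachable only from trusted management networks, never from the Internet." -f $_.LocalAddress, $_.LocalPort, $proc
    }
```

A listener on 0.0.0.0 or :: does not by itself mean Internet exposure; cross-check against the perimeter firewall and NAT rules.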

Userlevel 7
Badge +8

Happy I’m up to date, but it's always good to remember how important these are.