In this post, Veeam Backup: A Shield Against Cuba Ransomware, we discuss how the Cuba ransomware group abuses a known vulnerability in Veeam Backup & Replication. The vulnerability was disclosed and fixed back in March 2023, yet today, in August, we still read news of Cuba ransomware attacking companies (and governments) through it. This means organizations are still not following basic security practice: the attack is prevented simply by updating and applying the security patch.
What is this vulnerability?
CVE-2023-27532 is a vulnerability in a Veeam Backup & Replication component that allows an unauthenticated user to retrieve the encrypted credentials stored in the configuration database. With those credentials an attacker can reach the hosts and devices managed by the Veeam backup server. The vulnerable process is the Veeam Backup Service (Veeam.Backup.Service.exe), which listens on TCP port 9401 by default. An attacker exploits the flaw by sending a crafted request to that service, which then returns the encrypted credentials for the specified host.
Veeam has released patches for this vulnerability (see Veeam KB4424) for both supported versions: Veeam Backup & Replication 12 (build 12.0.0.1420, P20230223) and 11a (build 11.0.1.1261, P20230227). If you cannot patch immediately, you can reduce the risk by blocking external connections to TCP port 9401 in the backup server firewall. Note the caveat from the KB: that mitigation is only appropriate for an all-in-one deployment with no remote backup infrastructure components, because remote Veeam components need to reach port 9401 on the backup server. In a distributed deployment, patching is the only real fix.
Once a vulnerability is public, attackers study the patch to work out how to exploit the unpatched software, so the window between the fix and the first attacks is short. Also keep in mind that TCP 9401 carries the connection between the mount server and the Backup & Replication server, which is why it cannot simply be firewalled in a distributed deployment. And because the stolen credentials are those of the managed hosts, the ESXi and Hyper-V hosts registered in Veeam Backup & Replication are at risk too, even though the flaw itself sits on the backup server.
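As an added example (not from the original post, and not Veeam's own tooling), the following PowerShell, run in an elevated session on the backup server, shows what is listening on TCP 9401, lists the firewall rules that already cover that port, and creates the temporary block rule for an all-in-one deployment. The rule name and the host name in the comment are made up for the example; the port is Veeam's default and must be changed if you customised it.

```powershell
# Added example, not part of the original post or of Veeam's KB.
# Checks exposure of the Veeam Backup Service port and applies the
# temporary firewall mitigation from KB4424 (all-in-one servers only).
# Run in an elevated PowerShell session on the backup server.

$Port = 9401   # default port of Veeam.Backup.Service.exe; change if customised

# 1. What is listening on the port, and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    "Nothing is listening on TCP $Port on this host."
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    "{0}:{1} is listening, owned by PID {2} ({3})" -f `
        $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName
}
# From another machine you can confirm reachability with
#   Test-NetConnection -ComputerName backup01 -Port 9401   # 'backup01' is a placeholder
# If TcpTestSucceeded is True from a host that is not a Veeam component,
# the service is exposed more widely than it needs to be.

# 2. Which firewall rules already cover the port?
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile

# 3. Temporary mitigation for an all-in-one deployment ONLY. Remote proxies,
#    mount servers and other Veeam components need TCP 9401 on the backup
#    server, so do not apply this if you have any of them; patch instead.
$RuleName = 'Block inbound TCP 9401 (CVE-2023-27532 temporary mitigation)'   # example name
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
    "Created firewall rule '$RuleName'. Remove it after the patch is installed:"
    "  Remove-NetFirewallRule -DisplayName '$RuleName'"
} else {
    "Firewall rule '$RuleName' already exists."
}
```

The block rule is deliberately inbound-only and unconditional on the remote address, matching the KB's wording of blocking external connections; if you run any remote Veeam role, skip step 3 and go straight to the patch.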
Who is the Cuba Ransomware group?
The Cuba ransomware group targets businesses in the US, Europe, and Latin America. The group emerged towards the end of 2019 and has been involved in notable attacks, including the breach of the payment processor Automatic Funds Transfer Services (AFTS) in February 2021.
The Cuba ransomware encrypts files and demands a ransom for recovery. The group gains access to its victims' networks through phishing emails, exploitation of software vulnerabilities, and compromised remote desktop (RDP) access.
There are indications that the Cuba ransomware group has ties to Russia: its operators have been observed communicating in Russian and discussing their activities on Russian-speaking forums. There are also links between this group and other ransomware tooling and crews, such as RomCom and Industrial Spy. According to the joint FBI-CISA advisory of December 2022, the Cuba ransomware group has no known connection to the country of Cuba, has compromised over 100 organizations worldwide, and has demanded over $145 million in ransom.
All organizations should be cautious, as any of them can become a target of the Cuba gang. Its attacks have caused financial losses as well as damage to the reputations of its victims.
How does this Ransomware Attack Work?
I'll include some articles and videos from Huntress, because they demonstrate the commands and techniques used to exploit this vulnerability and explain it much better than I can.
Huntress has written an article and published videos showing how the ransomware attack works and how the vulnerability is exploited. The video below is from Huntress.
The following video demonstrates the Veeam Backup & Replication server being exploited to execute commands. The video is from Huntress.
There is also a recent article from BlackBerry with updates regarding these attacks.
What to do to protect your infrastructure against Cuba Ransomware?
We can start with the essentials:
- Keeping software up to date.
- Implementing strong security controls, such as firewalls and intrusion detection systems.
- Educating employees about phishing emails and other social engineering techniques.
- Having a backup plan in place in case of a ransomware attack.
Organizations continue to ignore these simple rules, and because of that, many systems are still out there unpatched, unmaintained, or outdated.
How to update your Veeam Backup & Replication
Veeam released a new cumulative patch, P20230718, a couple of weeks ago, so update now and protect your infrastructure.
Start by downloading the package that fits your environment:
- Download the latest cumulative patch if at least version 12 GA (build 12.0.0.1420) is already installed.
- Download the ISO for new installations and for upgrades from previous versions (the ISO already has the cumulative patch built in).
Note Regarding RTM Build: The cumulative patch update executable listed in this article requires, at a minimum, the GA release of Veeam Backup & Replication 12. Any Veeam Backup Server / Veeam Cloud Connect server still running Veeam Backup & Replication 12 RTM must first be updated to GA using the patch on KB4415 before the cumulative patch can be applied.
How to apply the update on your Veeam Backup & Replication server
I have Veeam Backup & Replication 12 in this test lab, so I will use the cumulative patch.
After downloading the Veeam patch, apply it on your Veeam Server.
Extract the zip file that you downloaded and run the setup.exe.
Note: Before you start, be aware that the Veeam server services will be stopped during the installation of the patch, and the server needs a reboot afterwards.
Click Next and continue with the patch install.
Enable the option if you want your proxies and agents updated automatically (recommended).
Next, the installer stops the Veeam Backup services and installs the patch.
Next, click finish and reboot the server to apply changes and secure the Veeam Backup & Replication server.
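Added example (not part of the original post or of Veeam's patch installer): a PowerShell check to run after the reboot that confirms the installed build of the backup service, that the Veeam services came back, and that no reboot is still pending. The install path is Veeam's default and is an assumption; the 12.0.0.1420 baseline is the v12 GA build the patch requires.

```powershell
# Added example, not part of the original post or of Veeam's tooling.
# Post-patch verification for a Veeam Backup & Replication 12 server.
# Run in an elevated PowerShell session after the reboot.

$BackupDir = 'C:\Program Files\Veeam\Backup and Replication\Backup'   # default path (assumption)
$SvcExe    = Join-Path $BackupDir 'Veeam.Backup.Service.exe'          # the process behind TCP 9401
$GaBuild   = [version]'12.0.0.1420'                                    # v12 GA build

# 1. Build of the installed backup service. The file version tells you the
#    major build; the cumulative patch level (e.g. P20230718) is shown in the
#    console under Help > About, so confirm the P-level there as well.
if (-not (Test-Path $SvcExe)) {
    Write-Warning "Veeam.Backup.Service.exe not found at $SvcExe; adjust `$BackupDir."
} else {
    $info = (Get-Item $SvcExe).VersionInfo
    "Veeam.Backup.Service.exe product version: {0}, file version: {1}" -f $info.ProductVersion, $info.FileVersion
    $installed = [version]($info.FileVersion.Trim())
    if ($installed -lt $GaBuild) {
        Write-Warning "Build $installed is older than v12 GA ($GaBuild); update to GA (KB4415) before the cumulative patch."
    } else {
        "Build $installed is v12 GA or later; check Help > About for the cumulative patch level."
    }
}

# 2. Services: every automatic Veeam service should be running again.
Get-Service -Name 'Veeam*' | Sort-Object Name | Format-Table Name, Status, StartType -AutoSize
$notRunning = Get-Service -Name 'Veeam*' |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
if ($notRunning) {
    Write-Warning ("Automatic Veeam services not running: " + ($notRunning.Name -join ', '))
}

# 3. Pending reboot? These registry keys exist only while a reboot is outstanding.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
if ($pending) {
    Write-Warning 'A reboot is still pending; the patch is not fully applied until the server restarts.'
} else {
    'No reboot pending.'
}

# 4. The service port should be back in use by Veeam.Backup.Service.exe.
Get-NetTCPConnection -LocalPort 9401 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { "TCP 9401 listening, PID {0} ({1})" -f $_.OwningProcess, (Get-Process -Id $_.OwningProcess).ProcessName }
```

If you applied a temporary firewall block on TCP 9401 before patching, this is the point to remove it so remote Veeam components can connect again.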
As we can see above, installing a Veeam patch on Veeam Backup & Replication is easy and quick. So there is no reason not to apply the security patches to your infrastructure and protect it against the vulnerabilities that the Cuba ransomware group exploits.
What makes it so important to update your infrastructure? You fix those vulnerabilities by updating your infrastructure and creating a solid defense. An outdated system is like leaving a door open for cybercriminals. They constantly search for weaknesses, and old systems are full of them.
I hope that this blog post, Veeam Backup: A Shield Against Cuba Ransomware, has given you more details about why you should update your infrastructure. Ransomware is a serious threat to organizations of all sizes, and taking steps to protect yourself is essential.
One of the best ways to protect yourself from ransomware is to keep your infrastructure up to date. This means keeping your operating systems, applications, and firmware up to date with the latest security patches. Security patches can fix vulnerabilities that ransomware attackers can exploit.
Share this article if you think it is worth sharing. If you have any questions or comments, comment here, or contact me on Twitter.