Cuba

Country / Region updated 4 months ago (2024-09-24T08:16:41.420Z)
Download STIX
Preview STIX
The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted women leaders within the European Union’s military and political circles. In addition, the number of US entities compromised by the Cuba ransomware has doubled since December 2021, according to federal agencies, with ransoms demanded and paid continually increasing. Notably, the Cuba ransomware gang claimed to have obtained sensitive financial and personal data from Montenegro’s parliament and California's Department of Motor Vehicles. The group is now launching attack campaigns designed to distribute an updated version of the RomCom RAT, named PEAPOD malware. This operation involves Cuba’s signature custom downloader, "BugHatch," which establishes communication with command-and-control (C2) servers to download DLL files or execute commands. Targets include critical infrastructure in the US, such as financial services, government facilities, healthcare and public health, critical manufacturing, and information technology sectors. Meanwhile, communication security in Cuba remains a significant concern. Described as "especially insecure," the SMS system in Cuba reportedly has an automatic system of "sensitive words." Independent journalists and activists have had to rely on private messaging apps like WhatsApp, Telegram, and VPN for secure communication, often playing a cat-and-mouse game with the government to prevent their devices from being seized. However, the Cuban government has found ways to disrupt or block these messages, leading to sudden internet access cuts for critics like journalist Henry Constantin, who works for La Hora de Cuba, a media site not aligned with the communist government.
Description last updated: 2024-05-04T16:32:00.950Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tropical Scorpius is a possible alias for Cuba. Tropical Scorpius, also known as RomCom, Storm-0978, and UNC2596, is a threat actor group that has been active since at least late 2020. This Russian-based cybercrime group is associated with Cuba ransomware and the RomCom backdoor, and it has exploited various techniques such as Magic bytes, Proces
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Malware
Ransomware
Vulnerability
Encryption
Downloader
Rat
Ransom
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cuba Ransomware Malware is associated with Cuba. The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insiUnspecified
4
The RomCom Malware is associated with Cuba. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The malUnspecified
2
The Cobalt Strike Beacon Malware is associated with Cuba. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike BeaconUnspecified
2
The Romcom Remote Access Trojan Malware is associated with Cuba. The RomCom Remote Access Trojan (RAT) is a harmful malware that has been evolving and causing significant threats to cybersecurity. Based on the RomCom 3.0 version, it incorporates techniques seen in RomCom 4.0, resulting in the creation of RomCom 5.0. This malware can infiltrate systems via suspiciUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2020-1472 Vulnerability is associated with Cuba. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without anyUnspecified
2
The CVE-2023-27532 Vulnerability is associated with Cuba. CVE-2023-27532 is a high-severity vulnerability found in the Veeam Backup & Replication software. This flaw, discovered and disclosed in March 2023, allows unauthenticated attackers to breach backup infrastructure hosts, posing significant risk to small and midsize businesses (SMBs) that commonly usUnspecified
2
The Zerologon Vulnerability is associated with Cuba. Zerologon (CVE-2020-1472) is a critical vulnerability within Microsoft's Netlogon Remote Protocol that emerged in 2020. It involves a privilege escalation condition that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication mUnspecified
2
Source Document References
Information about the Cuba Country / Region was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago